A 100% offline, single-file security analyser for suspicious files. No server, no uploads, no tracking: just drop a file and inspect it.
Loupe: drop a file, inspect it safely, entirely in your browser.
SOC analysts, MDR responders, phishing teams, and DFIR practitioners need a way to safely inspect suspicious files without uploading them to third-party services or spinning up a sandbox. Loupe runs entirely in your browser; nothing ever leaves your machine.
- Zero network access: a strict Content-Security-Policy blocks all external fetches.
- Single HTML file: no install, no dependencies, works on any OS with a modern browser.
- Built for scripts and documents: PowerShell, VBS, JScript, HTA, WSF, AppleScript / JXA, shell one-liners, Office, PDF, email, and archives get deep per-format analysis; recursive decoding peels nested Base64 / hex / gzip / zlib payloads layer by layer with the full lineage on screen.
- Broad format coverage: plus native binaries (PE / ELF / Mach-O), certificates, forensic artefacts (EVTX / SQLite), browser extensions, npm packages, and images.
- Abuse mailbox: a user-reported `.eml` / `.msg` lands in the queue. Headers, SPF / DKIM / DMARC verdicts, tracking-pixel hosts, and every embedded URL are inspectable without a single click firing.
- ClickFix / `osascript` paste: an EDR alert surfaces an obfuscated one-liner (Base64 PowerShell, `curl … | sh`, or `osascript -e …`). Paste it straight in with `Ctrl+V` and Loupe peels every nested Base64 / hex / gzip / zlib layer with the full decode lineage on screen, surfacing the C2 URL, hashes, and file paths as one-click MISP / STIX attributes.
- Host triage: drop the `.evtx` from live response to auto-flag 4688 / 4624 / 1102 / 4104, or a browser `History.sqlite` to timeline a suspected compromise. Every CSV / TSV / EVTX opens directly in the Timeline viewer, with scrubber, stacked-bar histogram, virtual grid, per-column top-value cards, and Sigma-style Detections and Entities sections (EVTX) on one page.
- Refang & pivot: just paste and Loupe will convert URL Defense / Safe links and refang `hxxp://` / `1[.]2[.]3[.]4` into live IOCs you can export without leaving the tab.
- Airgap / compliance: single HTML file, zero network; usable on a SCIF / classified / locked-down analyst VM where VirusTotal and Any.Run are off-limits.
- Detection-content authoring: drag a candidate `.yar` file onto Loupe to validate it against a corpus of samples before promoting to the production ruleset.
Download latest loupe.html
- Download: grab `loupe.html` from the release link above, or clone the repo, run `python make.py`, and open `docs/index.html`.
- Open: double-click the file in any modern browser (Chrome, Firefox, Edge, Safari). No server needed.
- Drop a file: drag a suspicious file onto the drop zone, click Open File, or paste with Ctrl+V.
- (optional) Verify it: every release is Sigstore-signed and reproducible. See SECURITY.md § Verify Your Download.
- Inspect: press S to toggle the security sidebar, Y for the YARA rules dialog, ? for all shortcuts.
| Category | Extensions |
|---|---|
| Office | .docx .docm .xlsx .xlsm .pptx .pptm .ods .doc .xls .ppt .odt .odp .rtf |
| Documents | .pdf .one |
| Email | .eml .msg |
| Web | .html .htm .mht .mhtml .xhtml .svg |
| Archives | .zip .gz .gzip .tar .tgz .rar .7z .cab .iso .img |
| Windows | .lnk .hta .url .webloc .website .reg .inf .sct .msi .exe .dll .sys .scr .cpl .ocx .drv .com .xll .application .manifest .msix .msixbundle .appx .appxbundle .appinstaller |
| Browser extensions | .crx (Chrome / Chromium / Edge) · .xpi (Firefox / Thunderbird) |
| npm packages | .tgz (npm-packed tarball) · package.json · package-lock.json / npm-shrinkwrap.json |
| Linux / IoT | ELF binaries (.so, .o, .elf, extensionless) |
| macOS | Mach-O binaries (.dylib, .bundle, Fat/Universal) · .applescript .scpt .scptd .jxa .plist · .dmg .pkg .mpkg |
| Certificates | .pem .der .crt .cer .p12 .pfx .key |
| OpenPGP | .pgp .gpg .asc .sig |
| Java | .jar .war .ear .class |
| Scripts | .wsf .wsc .wsh .vbs .ps1 .bat .cmd .js |
| Forensics | .evtx .sqlite .db |
| Data | .csv .tsv .iqy .slk |
| Images | .jpg .png .gif .bmp .webp .ico .tif .avif |
| Catch-all | Any file: text or hex dump view |
Every format gets risk assessment, IOC extraction, and YARA scanning on top of the format-specific parser. Full capability reference in FEATURES.md.
- Scripts & one-liners: PowerShell, VBS, JScript, HTA, WSF, AppleScript / JXA, and shell wrappers get syntax highlighting and are risk-scored against hundreds of dedicated YARA rules; auto-execute entry points are flagged.
- Recursive decoder: Base64 / hex / gzip / zlib layers unwind in-place with every hop visible as a coloured pill, so a ClickFix blob reveals its real payload without leaving the tab.
- Office, PDF & email: VBA and Excel-formula droppers decoded, OOXML external relationships surfaced, PDF `/JavaScript` / `/OpenAction` / `/Launch` / attachments extracted, `.eml` / `.msg` headers and SPF / DKIM / DMARC verdicts parsed.
- IOCs: URLs, IPs, emails, hostnames, domains, file paths, UNC paths, GUIDs, key fingerprints. Defanged indicators (`hxxp://`, `1[.]2[.]3[.]4`) are refanged automatically.
- YARA rule engine: 500+ default rules auto-scan every file; drop any `.yar` file onto Loupe to extend detection. Rules are validated, saved locally, and rescans are instant.
- File hashes: MD5, SHA-1, SHA-256 with one-click VirusTotal lookup.
- Native binaries: PE / ELF / Mach-O with imports, sections, entropy, security features, and code-signature parsing for quick triage.
- Certificates & keys: X.509 and OpenPGP with weak-key and expiry flagging.
- Recursive drill-down: a macro inside a `.docm` inside a `.zip` inside a `.msi`; every layer gets its own full analysis with Back navigation and a breadcrumb trail.
- Exports: one-click clipboard brief for tickets or LLMs, plus STIX 2.1, MISP, and IOC JSON/CSV.
- Timeline: every CSV / TSV / EVTX opens in a dedicated timeliner with scrubber, stacked-bar chart, virtual grid, per-column filter chips, plus Sigma-style Detections and Entities sections for EVTX.
Six themes, a resizable sidebar, in-toolbar document search, and click-to-highlight for every IOC and YARA match.
Every export is generated client-side; paste directly into the next tool in your pipeline:
- → ticket / LLM: one-shot Summarize copies a Markdown report to the clipboard, sized to ~16 K / 50 K / unlimited tokens.
- → TIP: STIX 2.1 bundle or MISP event JSON, with deterministic UUIDs so re-imports dedupe cleanly.
- → CLI / spreadsheet: flat JSON (jq-friendly) and RFC 4180 CSV for quick grep / pivot / triage runs.
Six built-in themes, selectable from the Settings dialog; your choice persists.
Themes: Light, Dark, Midnight OLED, Solarized, Mocha, Latte.
Drop one of these into Loupe to see it in action; the `examples/` directory has many more.
- `examples/encoded-payloads/nested-double-b64-ip.txt`: double Base64 hiding a C2 IP
- `examples/email/phishing-example.eml`: SPF/DKIM/DMARC failures + tracking pixel
- `examples/windows-scripts/example.lnk`: Shell Link with per-field IOC extraction
- `examples/pe/signed-example.dll`: Authenticode-signed DLL with PE analysis + cert chain
- `examples/forensics/example-security.evtx`: Windows security event log (auto-flags 4688 / 4624 / 1102)
- `examples/macos-system/example.pkg`: flat macOS installer with install-script flagging
- `examples/web/example-malicious.svg`: script injection + foreignObject phishing form

Full guided tour: FEATURES.md (Example Files).
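
The layer-by-layer decoding with lineage and the automatic refanging described above, sketched as an added example that is not Loupe's own code. It covers only Base64 and hex layers, runs under Node.js, and the function names, depth cap, and size cap are assumptions chosen for illustration.

```javascript
// Added illustration, not Loupe's source. All names and limits are assumptions.
const MAX_DEPTH = 8;        // cap on nested layers (hypothetical value)
const MAX_CHARS = 1 << 20;  // cap on the size of one encoded layer (hypothetical value)
const B64 = /^[A-Za-z0-9+/]+={0,2}$/;
const HEX = /^(?:[0-9a-fA-F]{2})+$/;

// A decoded layer is accepted only if it is almost entirely printable ASCII.
function printable(buf) {
  let ok = 0;
  for (const b of buf) if (b === 9 || b === 10 || b === 13 || (b >= 32 && b < 127)) ok++;
  return buf.length > 0 && ok / buf.length > 0.95;
}

// Try a single decoding step; returns { codec, text } or null if nothing fits.
function decodeOnce(text) {
  const s = text.trim();
  if (s.length < 8 || s.length > MAX_CHARS) return null;
  const tries = [];
  if (HEX.test(s)) tries.push(['hex', Buffer.from(s, 'hex')]);
  if (B64.test(s) && s.length % 4 === 0) tries.push(['base64', Buffer.from(s, 'base64')]);
  for (const [codec, buf] of tries) if (printable(buf)) return { codec, text: buf.toString('latin1') };
  return null;
}

// Peel layers until nothing decodes or the depth cap is reached; keep the lineage.
function peelLayers(input) {
  const lineage = [];
  let payload = input, truncated = false;
  for (let step = decodeOnce(payload); step; step = decodeOnce(payload)) {
    if (lineage.length === MAX_DEPTH) { truncated = true; break; }
    lineage.push(step.codec);
    payload = step.text;
  }
  return { lineage, payload, truncated };
}

// Refang hxxp and [.] forms, then collect unique, syntactically valid IPv4 addresses.
function extractIPv4(text) {
  const live = text.replace(/hxxp/gi, 'http').replace(/\[\.\]/g, '.');
  const hits = live.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || [];
  return [...new Set(hits)].filter((ip) => ip.split('.').every((o) => Number(o) <= 255));
}

// Constructed sample: a defanged TEST-NET-1 URL wrapped in two Base64 layers.
const INNER = 'connect hxxp://192[.]0[.]2[.]10/a';
const SAMPLE = Buffer.from(Buffer.from(INNER).toString('base64')).toString('base64');
const peeled = peelLayers(SAMPLE);
console.log(peeled.lineage.join(' > '), '|', extractIPv4(peeled.payload).join(', '));
```

When the depth cap is hit, `truncated` is set and `payload` holds the still-encoded layer, so the caller can show that decoding stopped early rather than silently presenting a partial result.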
Loupe is a static-analysis triage tool: it extracts, decodes, and displays file contents for human review but does not execute macros, JavaScript, scripts, or any embedded code. It is not a replacement for dynamic-analysis sandboxes (Any.Run, Joe Sandbox) or full reverse-engineering workflows. Use Loupe for initial triage and IOC extraction, then escalate to a sandbox or disassembly environment.
- Zero network: strict `Content-Security-Policy` (`default-src 'none'`) blocks every outbound request. No telemetry, no CDNs, no analytics.
- No code execution: no `eval`, no `new Function`, sandboxed HTML/SVG previews.
- Zip-bomb & timeout defences: centralised parser limits cap nesting depth, decompressed size, entry count, and wall-clock time.
Full threat model, numeric limits, and vulnerability reporting: SECURITY.md.
Loupe is open source under the Mozilla Public License 2.0.
- Star the repo: helps others discover the project
- Open an issue: bug reports, feature requests, and format support suggestions
- Submit a pull request: YARA rules, new format parsers, and improvements are especially welcome
- See CONTRIBUTING.md: build instructions, gotchas, and conventions for developers
The codebase is vanilla JavaScript (no frameworks, no bundlers) to keep it auditable and easy to understand.























