Forensics & Analysis · 1 min read

Shannon Entropy for Detecting Encrypted and Obfuscated Data

Shannon entropy measures the randomness of data on a scale from 0 (perfectly uniform) to 8 (maximally random) bits per byte. Normal English text scores around 4.5. Compressed or encrypted data scores above 7.5. This makes entropy a powerful quick test: if a file or code block has unusually high entropy, something is being hidden.

Try it now

Entropy Analyzer

Runs in your browser, nothing leaves your device.

0-1: Repetitive data (null bytes, padding). 3-5: Normal text, source code, configuration files. 5-6: Minified or lightly obfuscated code. 6-7.5: Packed executables, heavy obfuscation, Base64-encoded content. 7.5-8: Encryption, compression, or high-quality random data. A sudden jump in entropy within a file suggests an embedded encrypted or compressed payload.

Scan a malware sample's sections for entropy spikes that reveal packed or encrypted payloads. Check inline JavaScript for high entropy that suggests obfuscation. Compare before/after deobfuscation to confirm you've actually decoded something meaningful (entropy should drop significantly). Identify steganography in images where pixel data has unnaturally high entropy.

Normal vs obfuscated JavaScript

Input
Normal JS: entropy ~4.8 Obfuscated JS: entropy ~5.9 Encrypted payload: entropy ~7.8
Result
Higher entropy = more likely to be hiding something

Security context

Entropy analysis is a triage tool. It won't tell you what's hidden, but it quickly tells you that something is hidden. When analyzing unknown files or suspicious code, checking entropy first helps you prioritize what to investigate further.

No single entropy value confirms malware. But executable sections with entropy above 7.0 likely contain packed or encrypted code, which is common in malware that tries to evade signature detection. Legitimate software rarely has sections above 7.5.

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description