Shannon Entropy for Detecting Encrypted and Obfuscated Data
Shannon entropy measures the randomness of data on a scale from 0 (perfectly uniform) to 8 (maximally random) bits per byte. Normal English text scores around 4.5. Compressed or encrypted data scores above 7.5. This makes entropy a powerful quick test: if a file or code block has unusually high entropy, something is being hidden.
Try it now
Entropy Analyzer
Runs in your browser, nothing leaves your device.
0-1: Repetitive data (null bytes, padding). 3-5: Normal text, source code, configuration files. 5-6: Minified or lightly obfuscated code. 6-7.5: Packed executables, heavy obfuscation, Base64-encoded content. 7.5-8: Encryption, compression, or high-quality random data. A sudden jump in entropy within a file suggests an embedded encrypted or compressed payload.
Scan a malware sample's sections for entropy spikes that reveal packed or encrypted payloads. Check inline JavaScript for high entropy that suggests obfuscation. Compare before/after deobfuscation to confirm you've actually decoded something meaningful (entropy should drop significantly). Identify steganography in images where pixel data has unnaturally high entropy.
Examples
Normal vs obfuscated JavaScript
Normal JS: entropy ~4.8
Obfuscated JS: entropy ~5.9
Encrypted payload: entropy ~7.8
Higher entropy = more likely to be hiding something
Security context
Entropy analysis is a triage tool. It won't tell you what's hidden, but it quickly tells you that something is hidden. When analyzing unknown files or suspicious code, checking entropy first helps you prioritize what to investigate further.
Frequently asked
No single entropy value confirms malware. But executable sections with entropy above 7.0 likely contain packed or encrypted code, which is common in malware that tries to evade signature detection. Legitimate software rarely has sections above 7.5.
Related techniques
JavaScript Deobfuscation Techniques
How to deobfuscate JavaScript malware, phishing scripts, and browser exploits. Reverse eval packing, string rotation, array shuffling, and control flow flattening.
Hex Encoding in Malware and Obfuscated Code
Decode hex-encoded strings in malware samples, obfuscated JavaScript, and network traffic. Identify file signatures by magic bytes.
PHP eval(base64_decode()) Malware Patterns
Identify and decode PHP webshells and backdoors that use eval(base64_decode()). Common patterns in WordPress hacks, file upload exploits, and server compromises.