https://github.com/loupe-tools/loupe
100% offline, single HTML file security analyser for 60+ file formats - Office docs, PDFs, executables (PE/ELF/Mach-O), emails, certificates, OpenPGP, JAR, SVG, archives, scripts, plists, EVTX and SQLite. 475+ built-in YARA rules, VBA macro analysis, IOC extraction, recursive payload decoding, STIX 2.1 / MISP export.
- Host: GitHub
- URL: https://github.com/loupe-tools/loupe
- Owner: Loupe-tools
- License: mpl-2.0
- Created: 2026-04-11T15:47:08.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-04-19T03:54:54.000Z (about 2 months ago)
- Last Synced: 2026-04-19T05:09:09.237Z (about 2 months ago)
- Topics: evtx, file-analysis, incident-response, malware-analysis, offline, security, single-file, static-analysis, threat-detection, yara
- Language: JavaScript
- Homepage: https://loupe.tools/
- Size: 30.5 MB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
README
# Loupe
**A 100% offline, single-file security analyser for suspicious files.**
No server, no uploads, no tracking - just drop a file and inspect it.
> **Launch the live demo**

[](https://www.bestpractices.dev/projects/12604)
[](https://securityscorecards.dev/viewer/?uri=github.com/Loupe-tools/Loupe)


Loupe - drop a file, inspect it safely, entirely in your browser.
---
## Why Loupe?
SOC analysts, MDR responders, phishing teams, and DFIR practitioners need to inspect suspicious files **without uploading them anywhere**. Loupe runs entirely in your browser - nothing ever leaves your machine.
- **Zero network, zero install.** A strict [Content-Security-Policy](SECURITY.md#full-content-security-policy) blocks every outbound request. One HTML file, double-click to open, works on any OS.
- **Forensics-grade depth in a triage tool.** [50+ formats](FEATURES.md#-supported-formats) with format-specific parsers, recursive deobfuscation, 500+ bundled YARA rules, and one-click STIX / MISP / clipboard export.
- **A timeline tool too.** CSV, TSV, EVTX, log files, packet captures, and browser-history SQLite open in the [Timeline viewer](FEATURES.md#-timeline) - virtual grid for 1 M rows, scrubber + stacked-bar histogram, DSL query language, EVTX detections with MITRE ATT&CK pivots.
- **Verifiable supply chain.** Every release is [Sigstore-signed with SLSA v1.0 build provenance](SECURITY.md#verify-your-download), reproducible from source, and ships a CycloneDX SBOM.
---
## Quick Start
[**Download latest loupe.html**](https://github.com/Loupe-tools/Loupe/releases/latest/download/loupe.html)
1. **Download** - grab `loupe.html` from the release link above, or clone the repo, run `python make.py`, and open `docs/index.html`.
2. **Open** - double-click in any modern browser (Chrome, Firefox, Edge, Safari). No server.
3. **Drop a file** - drag a single file or a whole folder onto the drop zone, click **Open File**, or paste with **Ctrl+V**. Multi-file drops and `webkitdirectory` picker selections are bundled into a single tree view; click any leaf to drill in.
4. *(optional)* **Verify** - every release is Sigstore-signed and reproducible. See [SECURITY.md § Verify Your Download](SECURITY.md#verify-your-download).
5. **Inspect** - press **S** for the security sidebar, **Y** for the YARA dialog, **?** for all shortcuts.
> Loupe is a **static-analysis triage tool** - it extracts, decodes, and displays file contents for human review. It does **not execute** macros, JavaScript, or embedded code. Use Loupe for initial triage and IOC extraction, then escalate to a sandbox or disassembly environment.
---
## When to reach for Loupe
- **Abuse-mailbox triage** - drop a `.eml` or `.msg`; headers, SPF/DKIM/DMARC verdicts, tracking pixels, and embedded URLs are all inspectable, with anchors rendered inert so a hostile URL can't be navigated to by accident.
- **ClickFix / `osascript` paste** - paste an obfuscated one-liner with `Ctrl+V`; Loupe peels every nested Base64 / hex / gzip / zlib / XOR layer and surfaces the IOCs.
- **Host-triage timeline** - drop a `.evtx` to auto-flag 4688 / 4624 / 1102 / 4104 with MITRE ATT&CK pills. Browser `History.sqlite` opens into the same timeline.
- **Airgap / SCIF analyst VM** - single HTML, zero network, usable where VirusTotal and Any.Run are off-limits.
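
The layer peeling described in the ClickFix item above, with a bounded loop in the spirit of the parser limits the README mentions, as an added example that is not Loupe's own code. It handles Base64, hex and gzip only; the depth and size limits, the detection heuristics and all function names are assumptions.

```javascript
// Added example, not Loupe's code; limits and heuristics are assumptions.
const MAX_DEPTH = 8;        // stop runaway nesting
const MAX_BYTES = 1 << 20;  // cap every layer at 1 MiB (decompression-bomb guard)
const HEX = /^(?:[0-9a-fA-F]{2}){8,}$/;
const B64 = /^(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Inflate gzip via the web-standard DecompressionStream, enforcing the cap mid-stream.
async function gunzip(bytes) {
  const reader = new Blob([bytes]).stream().pipeThrough(new DecompressionStream('gzip')).getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.length;
    if (total > MAX_BYTES) { await reader.cancel(); throw new Error('layer too large'); }
    chunks.push(value);
  }
  return new Uint8Array(await new Blob(chunks).arrayBuffer());
}

// Remove one recognised layer; returns [name, bytes], or null for plain data.
async function peelOnce(bytes) {
  if (bytes[0] === 0x1f && bytes[1] === 0x8b) return ['gzip', await gunzip(bytes)];
  const text = new TextDecoder('latin1').decode(bytes).trim();
  // Hex is tested first: every hex string also fits the Base64 alphabet.
  if (HEX.test(text)) return ['hex', Uint8Array.from(text.match(/../g), h => parseInt(h, 16))];
  return B64.test(text) ? ['base64', Uint8Array.from(atob(text), c => c.charCodeAt(0))] : null;
}

// Peel layers until nothing is recognised or a limit is hit, then pull URL IOCs.
async function peel(input) {
  let bytes = new TextEncoder().encode(input);
  const layers = [];
  while (layers.length < MAX_DEPTH) {
    if (bytes.length > MAX_BYTES) throw new Error('layer too large');
    const step = await peelOnce(bytes);
    if (!step) break;
    layers.push(step[0]); bytes = step[1];
  }
  const text = new TextDecoder().decode(bytes);
  return { layers, text, urls: text.match(/\bhttps?:\/\/[^\s"'<>]+/g) || [] };
}

// Constructed sample: text -> gzip -> hex -> Base64 (callers pass an inert host).
async function buildSample(text) {
  const gz = new Blob([text]).stream().pipeThrough(new CompressionStream('gzip'));
  const raw = new Uint8Array(await new Response(gz).arrayBuffer());
  return btoa(Array.from(raw, b => b.toString(16).padStart(2, '0')).join(''));
}
```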
---
## Supported Formats
Extensionless and renamed files are auto-routed by magic-byte sniff. Per-format detail in [FEATURES.md](FEATURES.md#-supported-formats).
| Category | Extensions |
|---|---|
| **Office** | `.docx` `.docm` `.xlsx` `.xlsm` `.pptx` `.pptm` `.doc` `.xls` `.ppt` `.ods` `.odt` `.odp` `.rtf` `.iqy` `.slk` |
| **PDF** | `.pdf` |
| **Email** | `.eml` `.msg` |
| **Web** | `.html` `.htm` `.mht` `.mhtml` `.xhtml` `.svg` |
| **Archives** | `.zip` `.gz` `.gzip` `.tar` `.tar.gz` `.tgz` `.rar` `.7z` `.cab` `.iso` `.img` |
| **OneNote** | `.one` |
| **Windows** | `.lnk` `.hta` `.url` `.webloc` `.website` `.reg` `.inf` `.sct` `.msi` `.exe` `.dll` `.sys` `.scr` `.cpl` `.ocx` `.drv` `.com` `.xll` `.application` `.manifest` `.msix` `.msixbundle` `.appx` `.appxbundle` `.appinstaller` |
| **Browser extensions** | `.crx` `.xpi` |
| **npm** | `.tgz` `package.json` `package-lock.json` `npm-shrinkwrap.json` |
| **Linux / IoT** | `.so` `.o` `.elf` |
| **macOS** | `.applescript` `.scpt` `.scptd` `.jxa` `.plist` `.dylib` `.bundle` `.dmg` `.pkg` `.mpkg` |
| **Certificates** | `.pem` `.der` `.crt` `.cer` `.p12` `.pfx` |
| **OpenPGP** | `.pgp` `.gpg` `.asc` `.sig` `.key` |
| **Java** | `.jar` `.war` `.ear` `.class` |
| **Scripts** | `.wsf` `.wsc` `.wsh` `.vbs` `.ps1` `.bat` `.cmd` `.js` |
| **Logs** | `.log` `.cef` `.leef` `.evtx` |
| **Network** | `.pcap` `.pcapng` `.cap` |
| **Data** | `.csv` `.tsv` `.json` `.ndjson` `.jsonl` `.sqlite` `.db` |
| **Images** | `.jpg` `.jpeg` `.png` `.gif` `.bmp` `.webp` `.ico` `.tif` `.tiff` `.avif` |
---
## Try It Yourself
The [`examples/`](examples/) directory has a sample file for every supported format - see [`examples/README.md`](examples/README.md) for a guided tour.
---
## What it looks like

File analysis
Security sidebar with format-specific findings, IOC clusters, and one-click STIX / MISP export.

YARA rules
500+ bundled rules plus a live editor for your own rule packs - all evaluated in-browser.

Timeline
Million-row virtual grid for CSV / TSV / EVTX / PCAP / log files / browser SQLite, with stacked-bar histogram and a query DSL.
---
## Themes
Six built-in themes, selectable from the **Themes** tab (`T`) in the Settings dialog - your choice persists.
- Light
- Dark
- Midnight OLED
- Solarized
- Mocha
- Latte
---
## Security Model
Strict CSP (`default-src 'none'`), no `eval` / `new Function`, sandboxed HTML & SVG previews, centralised parser limits against zip-bombs and runaway parsers. Full threat model, numeric limits, signature-verification recipe, and vulnerability reporting - **[SECURITY.md](SECURITY.md)**.
---
## Get Involved
Loupe is open source under the [Mozilla Public License 2.0](LICENSE). The codebase is vanilla JavaScript - no frameworks, no bundlers - to keep it auditable.
- **Star the repo** - helps others discover the project.
- **Open an issue** - bug reports, feature requests, format support suggestions.
- **Submit a pull request** - YARA rules, new format parsers, and improvements are especially welcome.
- **See [CONTRIBUTING.md](CONTRIBUTING.md)** - build instructions, gotchas, and conventions.