7z

Supported formats

Description

7z is a popular compressed archive file format used across different platforms. This backend extracts files and metadata from 7z archives.

info

Available in Contextal Platform 1.0 and later.

Features

The backend supports popular compression methods (such as LZMA, LZMA2, BZIP2, or ZSTD), as well as archives encrypted with AES256, which can be contextually autodecrypted.

Symbols

Object

ENCRYPTED → the archive is encrypted
DECRYPTED → the archive has been successfully decrypted
LIMITS_REACHED → limits triggered while processing the archive

Children

TOOBIG → this child object was not extracted as it exceeds the limits

Example Metadata

{
   "org": "ctx",
   "object_id": "ab95c554ad24a0e65fae5e7827bf05bd669194997fdd9584975cb391749a028a",
   "object_type": "7z",
   "object_subtype": null,
   "recursion_level": 1,
   "size": 673437,
   "hashes": {
      "sha1": "8537083071d732ab2f0ebcd85d3c9f3e5e960fd2",
      "md5": "9c4a181aa969c73e4f680031b2790a06",
      "sha256": "ab95c554ad24a0e65fae5e7827bf05bd669194997fdd9584975cb391749a028a",
      "sha512": "573671d939622086213d471c4736ce2c04626f89f0cfedf345cad27ace3805b966d37fb24f3daa284fe36f9a5c7256af5f644211bfa8507d943f45f388e2af0b"
   },
   "ctime": 1726245173.600375,
   "ok": {
      "symbols": [],
      "object_metadata": {
         "_backend_version": "1.0.0",
         "num_of_files": 1,
         "num_of_folders": 1,
         "total_compressed_size": 673283,
         "total_uncompressed_size": 1017856
      },
      "children": [
         {
            "org": "ctx",
            "object_id": "b54ee7375e7ea979d16b76f183aaaccfa49681e2bd748ffca202fde9cf823346",
            "object_type": "PE",
            "object_subtype": null,
            "recursion_level": 2,
            "size": 1017856,
            "hashes": {
               "sha512": "44963c4b52eebb7c07d8cd9b2766faccc045dea166c76a479cdccbba06a9dc1a5b4be1003daed93b72f64f848497c3ae57be99501aa11d4569b30b7e7e26706c",
               "md5": "d30bb9df615a8d1661f843d426ff40eb",
               "sha1": "4344e695b5f65917dc68f241ecde4b99cf25d930",
               "sha256": "b54ee7375e7ea979d16b76f183aaaccfa49681e2bd748ffca202fde9cf823346"
            },
            "ctime": 1726245173.600375,
            "relation_metadata": {
               "compressed_crc": 0,
               "compressed_size": 673283,
               "crc": 1065715822,
               "has_access_date": false,
               "has_crc": true,
               "has_creation_date": false,
               "has_last_modified_date": true,
               "has_windows_attributes": true,
               "is_anti_item": false,
               "last_modified_date": 1725946511,
               "name": "Plaston New PO 067476.exe",
               "size": 1017856,
               "windows_attributes": 32
            },
[...]

Example Queries

object_type == "7z"
    && @match_object_meta($num_of_files == 1)
    && @has_child(object_type == "PE"
         && @has_symbol("ISSUES")
    )

This matches a 7z object, which only contains a single file, which is a PE file with some suspicious problems identified.

Configuration Options

max_processed_size → maximum size of the input object that will be processed (default: 262144000)
max_children → maximum number of children objects to create (default: 100)
max_child_input_size → maximum size of a single input children object (default: 41943040)
max_child_output_size → maximum size of a single output children object (default: 41943040)

Supported formats​

Description​

Features​

Symbols​

Object​

Children​

Example Metadata​

Example Queries​

Configuration Options​