tigris-all-classes-threat-report-6beb0d6d5a03.md

1. Executive summary

This scan did not find any obvious network “call-home” behavior: there are no URLs, hosts, or outbound connection indicators reported. That’s a good sign for basic safety (no clear evidence of hidden downloads, remote control, or data exfiltration).

However, the report also shows that analysis was partly incomplete: 3 out of 24 classes failed to parse, and 2 classes triggered decompiler anomalies (the decompiler had to fall back due to “stack underflow” errors and a complexity timeout guard on one method). These issues can happen with obfuscation, unusual/invalid bytecode, or certain compiler/tooling patterns.

Overall, there’s no direct malware signal in the report, but the un-analyzable portions mean the scan cannot fully vouch for the JAR.

2. What looks normal

No network indicators found
- hosts: [], urls: [], outbound_connection_indicators: []
Most classes were successfully processed
- 21/24 classes parsed; decompilation was attempted for 21 and none fully failed (decompile_failed_classes: 0)
A small number of decompiler anomalies by itself can be benign
- decompiler_anomaly_class_ratio ≈ 8.3% (2 classes)

3. What could look scary but may be harmless

Decompiler “stack underflow” / fallback messages
- These often occur when bytecode is intentionally obfuscated, produced by unusual compilers, or is hard for decompilers (decompilers are not perfect).
Complexity guard timeout
- One method (afterEntities(WorldRenderContext var1)) tripped a “preflight complexity guard” (lots of branches / large method). That can happen in performance-heavy rendering/game logic or heavily optimized code, not only malware.
Short/odd method names and missing local variable tables
- Signals like short_method_name and no_local_variable_table commonly appear when code is minified/obfuscated or built without debug symbols. Obfuscation is common in some ecosystems and isn’t automatically malicious.

4. Actual concerns

3 classes could not be parsed at all (parse_failed)
- This is the biggest issue: the scanner couldn’t even fully read those classes, so whatever they do is unknown from this report.
Obfuscation-like signals in the anomalous classes
- The anomaly entries show multiple obfuscation signals (short names, dense branches, missing local variable tables). Obfuscation can be legitimate (protecting IP), but it also reduces transparency and makes it harder to rule out unwanted behavior.
Large JAR size vs. low class count
- The JAR is ~15 MB but only 24 classes were counted. That can be normal (bundled assets/resources), but it also means a lot of content isn’t reflected in “class behavior” findings, and this report doesn’t describe what those non-class contents are.

5. Final verdict

Verdict: Use caution
Why: The scan does not show any clear malicious behavior (especially no network/URL indicators), which is reassuring. But multiple classes could not be parsed and some methods triggered decompiler fallbacks that look consistent with obfuscation or abnormal bytecode. Because parts of the code could not be reliably analyzed, this report can’t confidently confirm the JAR’s behavior end-to-end. If you didn’t get this JAR from a trusted source, treat it as higher risk.
Confidence: Medium

6. Short user-friendly conclusion

Use caution — nothing in the report screams “malware,” but several classes couldn’t be analyzed and some code looks intentionally hard to decompile, so the scan can’t fully prove what the JAR does.