A method for determining sandbox configurations for malware analysis is described. In one embodiment, the method may include receiving a plurality of files, extracting at least one element from at least one file from the plurality of files, identifying one or more properties associated with an endpoint, determining a correlation between the at least one extracted element and the one or more properties of the endpoint, and determining one or more sandbox configurations based at least in part on the determined correlation. In some cases, the endpoint is related to at least one of the plurality of files.