What is the BEST way for a security analyst to analyze a potentially malicious document without executing it?


Detonating a potentially malicious document in an analysis sandbox is the best approach for a security analyst seeking to study the document's behavior without executing it on a production system. A sandbox environment mimics a real operating system, allowing analysts to observe how the document will interact with the system, including any malicious payloads, without risking infection or damage to a live environment.

This method provides a safe space to execute the document in a controlled environment, offering insights into its functionalities, the processes it tries to execute, and any indicators of compromise it may exhibit. Additionally, sandboxes often have methods to monitor system calls, network traffic, and file system changes, which provide a comprehensive view of the document's potential threats.

In contrast, analyzing the document's metadata might reveal its origin but won't assess its overall behavior or risk. Searching for matching file hashes on malware websites is useful to determine if the document is already known to be malicious but doesn’t provide context or information about new threats. Opening the document on an air-gapped network, while isolating it from other systems, still runs the risk of execution without the behavioral insights a sandbox can provide.
