Detecting malicious files
US-2016342787-A1 · Nov 24, 2016 · US
US9646159B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9646159-B2 |
| Application number | US-201514675460-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 31, 2015 |
| Priority date | Mar 31, 2015 |
| Publication date | May 9, 2017 |
| Grant date | May 9, 2017 |
Abstract
A device may identify a plurality of files for a multi-file malware analysis. The device may execute the plurality of files in a malware testing environment. The device may monitor the malware testing environment for behavior indicative of malware. The device may detect the behavior indicative of malware. The device may perform a first multi-file malware analysis or a second multi-file malware analysis based on detecting the behavior indicative of malware. The first multi-file malware analysis may include a partitioning technique that partitions the plurality of files into two or more segments of files to identify a file, included in the plurality of files, that includes malware. The second multi-file malware analysis may include a scoring technique that modifies a plurality of malware scores, corresponding to the plurality of files, to identify the file, included in the plurality of files, that includes malware.
Claims (preview)
What is claimed is:
1. A device, comprising: one or more processors to: identify a plurality of files for a multi-file malware analysis; execute the plurality of files in a malware testing environment; monitor the malware testing environment for a behavior indicative of malware; detect the behavior indicative of malware; modify a plurality of malware scores, corresponding to the plurality of files, based on detecting the behavior indicative of malware; determine that two or more malware scores, of the plurality of malware scores, satisfy a threshold; partition the plurality of files into two or more segments of files based on determining that the two or more malware scores satisfy the threshold, the two or more segments of files corresponding to the two or more malware scores; analyze the two or more segments of files for malware; determine that a segment of files, included in the two or more segments of files, includes malware based on analyzing the two or more segments of files; and analyze at least one file, included in the segment of files, for malware based on determining that the segment of files includes malware.
2. The device of claim 1, where the one or more processors, when analyzing the two or more segments of files for malware, are to: analyze the two or more segments of files separately; and where the one or more processors are further to: identify a particular segment of files, of the two or more segments of files, that includes malware based on analyzing the two or more segments of files separately; and identify a file that includes malware based on identifying the particular segment of files that includes malware, the file being included in the particular segment of files.
3. The device of claim 2, where the one or more processors, when analyzing the two or more segments of files separately, are to: analyze a first segment of files, of the two or more segments of files, using a first malware testing environment; and analyze a second segment of files, of the two or more segments of files, using a second malware testing environment that is different from the first malware testing environment.
4. The device of claim 2, where the one or more processors, when analyzing the two or more segments of files separately, are to: analyze a first segment of files, of the two or more segments of files, during a first time period; and analyze a second segment of files, of the two or more segments of files, during a second time period that is different from the first time period.
5. The device of claim 1, where the one or more processors are further to: determine that a malware score, of the plurality of malware scores, satisfies a threshold after modifying the plurality of malware scores; identify a particular file associated with the malware score; analyze the particular file for malware; and identify a file that includes malware based on analyzing the particular file for malware, the particular file and the file being a same file.
6. The device of claim 1, where the one or more processors are further to: identify an additional plurality of files for the multi-file malware analysis, the additional plurality of files including at least one file that is not included in the plurality of files; analyze the additional plurality of files for malware concurrently; modify an additional plurality of malware scores, corresponding to the additional plurality of files, based on analyzing the additional plurality of files; determine that a malware score, of the plurality of malware scores or the additional plurality of malware scores, satisfies a particular threshold; identify a particular file associated with the malware score; analyze the particular file for malware; and identify a file that includes malware based on analyzing the particular file for malware, the particular file and the file being a same file.
7. The device of claim 1, where the one or more processors, when modifying the plurality of malware scores, are to: increment a plurality of malware counters, corresponding to the plurality of files, based on detecting the behavior indicative of malware, the plurality of malware counters being used for the plurality of malware scores.
8. A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors, cause the one or more processors to: identify a group of files for a multi-file malware analysis; execute the group of files concurrently in a testing environment; monitor the testing environment for a behavior indicative of malware; detect, based on monitoring the testing environment, the behavior indicative of malware; modify a group of malware scores, corresponding to the group of files, based on detecting the behavior indicative of malware; determine that two or more malware scores, of the group of malware scores, satisfy a threshold; partition the group of files into two or more segments of files based on determining that the two or more malware scores satisfy the threshold, the two or more segments of files corresponding to the two or more malware scores; analyze the two or more segments of files, separately, for malware; determine that a segment of files, included in the two or more segments of files, includes malware based on analyzing the two or more segments of files; and analyze at least one file, included in the segment of files, for malware based on determining that the segment of files includes malware.
9. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, cause the one or more processors to: determine that the segment of files comprises a single file; and where the one or more instructions, that cause the one or more processors to analyze the at least one file, further cause the one or more processors to: analyze the single file for malware based on determining that the segment of files comprises the single file.
10. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: determine that the segment of files includes multiple files; partition the segment of files into two or more additional segments of files based on determining that the segment of files includes multiple files; analyze the two or more additional segments of files for malware; determine that another segment of files, included in the two or more additional segments of files, includes malware based on analyzing the two or more additional segments of files; and where the one or more instructions, that cause the one or more processors to analyze the at least one file, cause the one or more processors to: analyze the at least one file based on determining that the other segment of files includes malware, the at least one file being included in the other segment of files.
11. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: determine a size for the segment of files based on a likelihood that a file, of the segment of files, includes malware when the segment is the size; and where the one or more instructions, that cause the one or more processors to partition the group of files into two or more segments of files, cause the one or more processors to: form the segment of files having the size.
12. The non-transitory computer-readable medium of claim 8,
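The abstract and claim 1 describe two ways of narrowing a batch verdict ("this group of files, executed together, showed behavior indicative of malware") down to the individual file responsible: a partitioning technique that splits a flagged group into segments analyzed separately, and a scoring technique that raises a counter for every file present in a flagged group and then follows up on files whose score satisfies a threshold. The sketch below is an added illustration of both, written for this page; it is not code from the patent or its assignee. The `Sandbox` oracle, the file names, the malicious set, the bit-pattern group design used for scoring and the threshold are all constructed assumptions, and the segment-size selection of claim 11 is not modelled.

```python
"""Multi-file malware analysis: partitioning and scoring techniques.

Added illustration of the analyses described in the abstract and claim 1.
Everything here is constructed for the example: the sandbox is a stand-in
oracle that reports only whether a batch showed behaviour indicative of
malware, and the file names and the malicious set are made up.
"""


class Sandbox:
    """Stand-in for the malware testing environment (constructed).

    analyze() executes a batch of files together and returns only whether
    behaviour indicative of malware was observed, not which file caused it.
    Each call is one sandbox run, the cost both techniques try to keep low.
    """

    def __init__(self, malicious):
        self.malicious = frozenset(malicious)
        self.runs = 0

    def analyze(self, files):
        self.runs += 1
        return any(f in self.malicious for f in files)


def partition_analysis(sandbox, files):
    """Partitioning technique (claims 1, 8-10): bisect each flagged segment.

    A segment with no malicious behaviour is cleared with one run; a flagged
    segment is split into two segments that are analyzed separately, until
    the flagged segment is a single file, which is the one containing malware.
    """
    if not files or not sandbox.analyze(files):
        return []
    if len(files) == 1:
        return list(files)
    mid = len(files) // 2
    return (partition_analysis(sandbox, files[:mid])
            + partition_analysis(sandbox, files[mid:]))


def bit_groups(files):
    """Constructed group design for the scoring technique (an assumption, not
    the patent's): for each bit of the file index, one group of the files with
    that bit set and one of the files with it clear. Every file therefore takes
    part in exactly one group per bit position."""
    n_bits = max(1, (len(files) - 1).bit_length())
    groups = []
    for j in range(n_bits):
        groups.append([f for i, f in enumerate(files) if i >> j & 1])
        groups.append([f for i, f in enumerate(files) if not i >> j & 1])
    return groups


def scoring_analysis(sandbox, files, threshold=None):
    """Scoring technique (claims 1, 5, 7): every file in a group that showed
    malicious behaviour has its malware counter incremented. A malicious file
    is present in a flagged group for every bit position, so it reaches the
    maximum score; a benign file scores only when it co-executes with one."""
    groups = bit_groups(files)
    if threshold is None:
        threshold = len(groups) // 2   # number of groups each file belongs to
    scores = {f: 0 for f in files}
    for group in groups:
        if group and sandbox.analyze(group):
            for f in group:
                scores[f] += 1          # increment malware counter (claim 7)
    candidates = [f for f in files if scores[f] >= threshold]
    return scores, candidates


def multi_file_analysis(sandbox, files):
    """Claim 1 end to end: execute the whole batch concurrently and, only if
    behaviour indicative of malware appears, score the files, then partition
    the files whose scores satisfy the threshold and analyze the segments."""
    if not sandbox.analyze(files):
        return []                                   # clean batch: one run
    _, candidates = scoring_analysis(sandbox, files)
    if len(candidates) == 1:                        # claim 5: single follow-up
        return candidates if sandbox.analyze(candidates) else []
    return partition_analysis(sandbox, candidates)


if __name__ == "__main__":
    batch = [f"file{i:02d}" for i in range(16)]     # constructed batch
    sb = Sandbox(malicious={"file03", "file10"})    # constructed ground truth
    print(multi_file_analysis(sb, batch), "found in", sb.runs, "sandbox runs")
```

The sandbox deliberately answers only at batch level, which is the situation the claims address. With this design a clean batch of 16 files costs one run, and a single malicious file among 16 is isolated in 10 runs (one batch run, eight scoring runs, one confirmation), against 16 runs for analyzing every file alone. Two malicious files among 16 cost 16 runs here, because benign files that share bit patterns with both of them also reach the threshold and must be partitioned out; that is the trade-off behind gating the deeper analysis on first observing malicious behaviour and choosing segment sizes by the likelihood of malware (claim 11).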
CPC classification titles:
- using dedicated hardware
- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- Test or assess software
- Test or assess a computer or a system
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities