Complete malware analysis is often limited by real-world circumstances.
Many of the trojans that we analyze will attempt to connect to a remote server for further instructions. At this point, we know that the software is not legitimate and should be blocked from installation on our customers' computers. We don't really need to examine it any further (and oftentimes the server is offline). But just what would that trojan do if it only had access to its remote master?
We use automation to test malware in an isolated network. We don't generally test malware with a real Internet connection because we want to limit possible exposure to the rest of the world's netizens. But every now and then something catches our interest and we'll perform a manual test.