Loopus



Dynamic Analysis

40 min
lab
+70 XP

Learning Objectives

  • Perform static malware analysis
  • Extract indicators from malware samples
  • Document analysis findings

Static Malware Analysis

Static analysis examines malware without executing it. Because the sample never runs, static analysis is safe and fast; it reveals structure, indicators, and sometimes functionality.

File Identification

File hashes - Calculate MD5, SHA1, SHA256 for identification.

  • Check VirusTotal and other databases

  • Enable detection across the environment


File type confirmation - The extension does not determine the type. Identify the type from the file signature (magic bytes at the start of the file).

Packing detection - Packed files require unpacking before analysis. Tools like Detect It Easy identify common packers.

String Extraction

Strings reveal malware intent:

  • URLs and IP addresses

  • Domain names

  • Registry keys

  • File paths

  • Error messages

  • Command structures


strings malware.exe | more

Encoded or packed malware hides strings. Unpack or analyze dynamically if static extraction yields little.

PE Analysis

For Windows executables:

Headers - Compilation timestamp, sections, characteristics.

Imports - What functions does it use?

  • Network functions suggest C2 capability

  • Registry functions suggest persistence

  • Crypto functions suggest encryption

  • Process functions suggest injection


Exports - What does it offer to other programs?

Resources - Embedded files, icons, version information.

Tools: pestudio, CFF Explorer

Document Analysis

Office documents require different approaches:

Embedded macros - Extract and analyze VBA code.

OLE streams - Look for embedded executables or scripts.

DDE links - May execute commands without macros.

Tools: oletools, oledump.py

Indicator Extraction

Document findings for detection:

  • File hashes

  • Network indicators (IPs, domains, URLs)

  • Registry paths for persistence

  • Mutex names for deduplication

  • File paths for staging


Format indicators for consumption by security tools. Share with threat intelligence platforms.
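The file identification, string extraction and indicator extraction steps above, combined into one static triage script. This is an added example, not the lesson's own code: the magic-byte table, the indicator regexes and the sample bytes are constructed here, and the sample is a fake PE header with planted strings rather than real malware.

```python
"""Static triage of a sample: hashes, file type by magic bytes, strings, indicators."""
import hashlib
import re

# Magic-byte signatures for the file types this lesson covers (constructed table, not exhaustive).
MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP container (OOXML document, JAR, APK)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound document (legacy Office)",
    b"%PDF": "PDF document",
}

# Regexes for the indicator classes listed under Indicator Extraction (constructed, deliberately simple).
IOC_PATTERNS = {
    "urls": re.compile(r"https?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+)\\\S+"),
    "paths": re.compile(r"\b[A-Za-z]:\\\S+"),
}

def hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 for identification and lookup in external databases."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def file_type(data: bytes) -> str:
    """Identify by signature, never by extension."""
    return next((label for sig, label in MAGIC.items() if data.startswith(sig)), "unknown")

def strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs like the `strings` utility, plus UTF-16LE runs common in PE files."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [w.decode("utf-16le") for w in wide_runs]

def extract_iocs(strs: list) -> dict:
    """Sort each indicator class into a deduplicated list ready for tooling or sharing."""
    found = {kind: set() for kind in IOC_PATTERNS}
    for s in strs:
        for kind, pat in IOC_PATTERNS.items():
            found[kind].update(pat.findall(s))
    return {kind: sorted(vals) for kind, vals in found.items()}

def triage(data: bytes) -> dict:
    strs = strings(data)
    return {"hashes": hashes(data), "type": file_type(data),
            "string_count": len(strs), "iocs": extract_iocs(strs)}

# Constructed sample: fake MZ header, planted ASCII strings, one UTF-16LE import name (not real malware).
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"http://example.invalid/gate.php\x00"
          + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          + b"C:\\Users\\Public\\update.exe\x00" + b"192.0.2.10\x00\x00"
          + "WSASocketW".encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Packed or encoded samples will yield few strings here, which is the cue to unpack or move to dynamic analysis as the lesson notes.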

Documentation

Record analysis process:

  • Sample identification (hashes)

  • Analysis techniques used

  • Findings with evidence

  • Extracted indicators

  • Assessment of threat

Answer the Questions

Question 1 (Knowledge): What is dynamic malware analysis? Answer: 7 characters, exact match required.

Question 2 (Hands-On): What safe environment is used for analysis? Answer: 7 characters, exact match required.

Question 3 (Knowledge): What behaviors indicate malware? Answer: 9 characters, exact match required.

Question 4 (Hands-On): What term describes reaching out to C2? Answer: 8 characters, exact match required.
