Methodology for Malware Static analysis (1): Portable Executable (PE) files
Malware analysis determines whether a program or file is malicious and, if so, what it does. It has two broad phases: static analysis, which inspects the file without running it, and dynamic analysis, which observes its behaviour while it executes. This post covers the first phase.

Obtain a malware sample:
There are a number of online resources you can get malware samples from:
- Online courses: most online courses provide links to the malware files used for demos, for the benefit of students who wish to follow along with the instructor.
- Online repositories: a quick Google search will return the popular repositories to get samples from. I have used these, among others:
- https://github.com/Virus-Samples/Malware-Sample-Sources
- https://zeltser.com/malware-sample-sources/
Please remember that these are live, dangerous malware samples!
Do NOT run them unless you are absolutely sure of what you are doing!
They are for educational purposes only, and only inside a controlled, isolated and segmented sandbox environment (for example a dedicated virtual machine with no network path back to your host or to a production network).
What is static malware analysis?
Static analysis examines a program or file without executing it, which makes it the safest way to analyse malware without infecting your system. Basic static analysis extracts information from the file without reading its code: metadata such as the file type, imported libraries, resources and embedded strings can yield clues about the nature of the malware. File hashes (MD5, SHA-1, SHA-256) can be searched in OSINT sources such as VirusTotal to find out whether the sample has already been analysed or flagged by antivirus engines. Keep in mind that a hash only matches a byte-identical file, so a miss does not mean the sample is clean, only that this exact build has not been seen. In this post, I'll share my methodology (alongside popular tools) for static analysis.
Some questions to ask during static analysis:
- Is this file malicious?
- What type of file is this?
- Has anyone already analysed this file?
- What can be identified in the embedded strings?
- Is this file packed or unpacked?
- What can be identified in the PE header of the file?