How to do static properties analysis of malware

This is the first step of manually analysing a malware sample. You will want to determine if it is in fact malware and warrants more scrutiny, and if so, how bad is it and how can we detect and what can it do.

You will want to check for:

  • Strings
  • Imports and exports
  • References to cryptography
  • Any embedded resources
  • Indicators of packers being used
  • Certificates used

For strings you want to be looking for hostnames, filenames, registry keys, IP addresses, HTTP verbs etc. See for more details.

PEStudio for Windows should be your first stop when looking for static properties. Just drag the sample into it, and it’ll analyse it. PEStudio will show you:

  • Imports
    • This shows you what Windows API features are included, such as networking and crypto, and gives a hint of what the sample can do
  • Indicators
    • A bunch of automated checks for features that may or may not indicate malicious intent
  • Sections
    • Windows executables are supposed to have sections like .text .rdata .data etc. But if you see something like UPX1 as the name of a section, it could indicate the use of a packer

peframe and are Linux alternatives to PEStudio that will show most, if not all, of the same things. So does Portex, which also includes descriptions of what the various imports are used for. Run them as so:

pescanner sample.exe

peframe sample.exe

portex sample.exe

DIE (Detect It Easy) and Exeinfo PE attempt to automatically detect packers. Just drag the sample onto them.