How to detect if malware is packed

Indicators that the sample might be packed:

  • Look for strings that might contain a packer's name
  • The sample only contains a few readable strings
  • The sample has very few imports and function names that you recognize

Run it through Bytehist. If it’s packed, the distribution of byte values will be more even (think of how an encrypted file contains roughly equal amounts of every character, whereas clear text is subject to frequency analysis).

Scan it with pescanner.py. It can calculate the entropy of the different sections of the file (entropy measures how random the distribution of characters is; higher means more random). If the entropy is high, the sample might have been packed.

python pescanner.py sample.exe
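The byte-distribution and per-section entropy checks above, as an added example (not from the page or from pescanner.py): it walks the PE section table with struct, computes Shannon entropy per section and flags anything above 7.0 bits/byte, a cut-off assumed here rather than taken from the page; the sample image is constructed inline.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated byte, 8.0 for a perfectly flat histogram."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob: bytes):
    """Minimal PE section-table walk yielding (name, raw section bytes)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # 20-byte COFF file header
    num_sections, opt_size = struct.unpack_from("<H12xH", blob, coff + 2)
    table = coff + 20 + opt_size                            # section table follows the optional header
    for i in range(num_sections):
        hdr = table + i * 40                                # one 40-byte IMAGE_SECTION_HEADER each
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]

def assess(blob: bytes, threshold: float = 7.0):
    """Per-section (name, entropy, suspicious); 7.0 bits/byte is an assumed cut-off, not from the page."""
    return [(n, round(shannon_entropy(d), 2), shannon_entropy(d) > threshold) for n, d in pe_sections(blob)]

def build_sample_pe(sections):  # constructed image: just enough header for pe_sections(), not runnable
    e_lfanew, opt_size = 0x40, 0
    data_start = e_lfanew + 24 + opt_size + 40 * len(sections)
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    body = b""
    for name, data in sections:
        ptr = data_start + len(body)
        img += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0, len(data), ptr, 0, 0, 0, 0, 0)
        body += data
    return bytes(img) + body

def demo_sample() -> bytes:
    text = b"This program cannot be run in DOS mode.\r\n" * 100                  # constructed: plaintext-like .text
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # constructed: near-uniform bytes
    return build_sample_pe([(b".text", text), (b"UPX1", packed)])                # second section named like UPX's
```

On the constructed sample the plaintext section scores around 4 bits/byte and the hash-derived one close to 8, so only the latter is flagged.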

Load your sample into Detect It Easy and Exeinfo PE; they’ll auto-detect the packer.