Indicators that the sample might be packed:
- Look for strings that might have the packer name in it
- The sample only contains a few readable strings
- The sample has very few imports and function names that you recognize
Run it through Bytehist. If it’s packed, the distribution of bytes will be more even. (think like how an encrypted file will have the same amount of all characters, whereas clear-text will be subject to frequency analysis)
Scan it with pescanner.py. This can calculate the entropy of the different sections of the file. (Entropy is how random the distribution of characters are, high means more random). If the entropy is high, then it might have been packed.
python pescanner.py sample.exe
Load your sample into Detect It Easy and Exeinfo PE, they’ll auto detect the packer.