Part 2: Exploring Static Malware Analysis — Processes, Techniques, and Tools

8 min readMay 2, 2025

In the previous blog, we explored malware, its different types, and the tools that can be used for malware analysis. Now, let’s explore the types of malware analysis in detail, where we will learn and understand the process of the backend when malware runs on the system.

Malware analysis is categorized into two types:

Static Malware Analysis
Dynamic Malware Analysis

Have you ever wondered why we consider “Static Analysis” as the first step in malware analysis? If not, then no worries, we will discuss why static analysis is the first step in malware analysis.

Why Static Analysis is the first step in Malware Analysis?

You’re going shopping, and you buy a bottle of juice. What do you do first — drink it directly or check it first? You prefer to check the expiry date, seal of the bottle, and juice color to make sure it’s safe or not. Or safety. You wouldn’t drink it without checking it, right? Static analysis works the same way- without executing the file, we can examine the file for malicious intent.

You wouldn’t drink juice without checking it to see if it’s safe. Just like that, you can’t directly use dynamic analysis methods to analyze malware. Executing files in the system directly it’s a way of putting your system in danger. Due to this, we choose static analysis as the first step for analysis.

How to Conduct Static Malware Analysis?

Step 1: Identifying File Type:

Identifying the file type is the first and most crucial step in static malware analysis, as it helps analysts assess potential risks and determine the appropriate analysis techniques.

For example:

Executable File: It may contain malicious code designed to run on a system. (e.g., .exe, .dll, .sys)
Script File: It can be used in a fileless attack, executing commands directly in the memory without leaving a traditional malware footprint. (e.g., .py, .js, .ps1)
Document File: This file contains embedded macros or exploits to execute the malicious code. (e.g., .doc, .pdf, .xlsm)

The image below is an example of a file type, where we can identify the sample file type as “Portable Executable 32”

Step 2: Fingerprinting

Malware fingerprinting is the process of identifying unique characteristics of a malware sample.

Key Aspects of Malware Fingerprinting:

File-Based:

Unique file hashes (MD5, SHA-256) that serve as digital signatures.
File type and structure (e.g., executable, script, document).
Embedded resources like icons, certificates, or metadata.

2. Code and Execution Behavior:

Strings and API Calls: Extracting text, URLs, or system functions used by the malware.
Obfuscation & Packing: Whether the malware is encrypted or disguised.
Persistence Methods: How it stays on a system (e.g., registry modifications, scheduled tasks).

3. Network Indicators:

C2 Communication: Identifying IPs, domains, or URLs used to connect with attackers.
Network Traffic Patterns: Unusual requests, encrypted data transfers.

Step 3: Packer Detection

Many malware authors use packers to compress or encrypt their malware, making it harder to analyze. Packers are like tamper-proof packaging that hides the real contents of a file.

Common packers include:

UPX (Ultimate Packer for Executables): Often used for legitimate compression but also for hiding malware

MPRESS, Themida, ASPack: Common in advanced obfuscation techniques.

Step 4: String Extraction

Even though malware is binary data, it often contains readable text strings. Extracting these strings can reveal:

Suspicious URLs — Malware often contacts command-and-control (C2) servers
Registry keys — Used to maintain persistence on a system
Function calls — References to system functions (e.g., CreateProcess, VirtualAlloc)
Hardcoded credentials — Sometimes, attackers leave usernames, passwords, or API keys

Step 5: PE Header Information

When analyzing a Portable Executable (PE) file, the PE header contains crucial metadata that helps determine how the file will execute in a Windows environment. The key components include:

DOS Header (MZ Header)

The first part of a PE file.
Contains a magic number (MZ) to identify it as an executable.
Has a pointer to the PE header.

2. PE Signature

This marks the start of the actual PE file structure.

It includes “PE\0\0” to confirm the file format.

3. File Header (IMAGE_FILE_HEADER)

Stores general information like machine type, number of sections, and the timestamp of when the file was compiled.

4. Optional Header (IMAGE_OPTIONAL_HEADER32/64)

Contains critical execution details, such as:

Entry Point Address — Where execution begins.
Image Base — Preferred memory location for the file.
Section Alignment — How sections are aligned in memory.

5. Section Table (IMAGE_SECTION_HEADER)

Defines different sections of the file, such as:

.text: Contains executable code.
.data: Stores initialized variables.
.rdata: Stores read-only data, including imported functions.
.rsrc: Holds resources like icons and version information.

6. Data Directories (IMAGE_DATA_DIRECTORY)

Contains tables that help Windows manage execution, including:

Import Table: Lists functions that the program imports from DLLs.
Export Table: If the file is a DLL, this lists the functions it provides.
Relocation Table: Adjusts addresses if the file loads at a different memory location.

Step 6: Classification

We can identify and classify malware based on its unique patterns or indicators. Malware families often share similar characteristics:

Code structures
Behavior patterns
API calls
String references

By analysing these indicators, we can identify whether a malware sample is part of a recognized malware family, such as:

Ransomware (e.g., WannaCry, LockBit)
Trojan (e.g., Emotet, TrickBot)
Infostealer (e.g., RedLine, AgentTesla)

Step 7: Detection Rule Creation

Once the malware is classified, analysts create detection rules to identify it in the future. These rules help security tools (like EDRs, SIEMs, and antivirus software) detect similar threats. The most common detection rule formats include:

YARA Rules — Custom rules for identifying malware based on unique patterns
Snort/Suricata Rules — Used for network-based detection
Sigma Rules — Applied to log-based detection

You are receiving a mystery box sealed tightly with layers of wrapping. You don’t know what’s inside until you remove the wrapping. Malware developers employ a similar technique, known as packing, which involves wrapping malicious code inside an altered file structure, making it more difficult to detect. Unpacking is the process of peeling away these layers to reveal the original executable.

What is Packing and Unpacking?

Packing is like compressing or disguising a program to make it smaller, harder to analyze, and more difficult for security tools to detect. Attackers often use it to hide malware from antivirus software.

Unpacking is the process of reversing this transformation to reveal the original code. Security analysts unpack malware to study its behavior and determine how it works.

Think of it like zipping a file to make it compact and then unzipping it to access its contents. In the case of malware, unpacking helps analysts expose hidden threats.

The image displayed above shows the file structure of a Windows executable file before and after packing.

What Does Packing Do?

Packing changes the structure of an executable file using a special algorithm. This technique has several benefits:

Reduces File Size: Makes the file smaller for efficiency.
Prevents Easy Analysis: Obscures the code to make reverse engineering difficult.
Evasion from Security Tools: Helps malware avoid detection by antivirus software.

How Does Unpacking Work?

When a packed file runs, it follows a specific sequence of steps to unpack itself and execute properly. The process works like this:

The process in the image above is briefly explained as follows:

1. Starting Point: When the packed file runs, it begins execution at a specific location (the entry point). However, instead of directly running the original code, it points to the unpacking mechanism.

2. Unpacking Begins: The built-in unpacker starts working on the packed executable to restore its original form.

3. Writing Back the Original Code: Once unpacking is done, the original executable is placed into memory in an empty section.

4. Shifting Control: Now that the original file is restored, control is handed over to it.

5. Execution Resumes Normally: The original program runs as if it were never packed in the first place.

Static Malware Analysis Tools:

File Identification & Hashing:
These tools determine the file type, structure, and hash values, which help in recognizing known malware.
A. File: Indicates the type of file based on headers and metadata. Knowing the file type, you can get an idea of how malware might behave.
B. MD5sum / SHA256sum: Generates unique fingerprints for a file, which can help to check if it has been seen before in a malware database.
C. Pefile: Portable Executable (PE) files are a critical format used for executables, object code, and DLLs in Windows operating systems, making them a primary target for malware analysis. Static malware analysis involves examining a malware program/file without execution, which is the safest way to analyze malware without infecting your system
Strings & Metadata Extraction:
Extracting readable text from a file can reveal valuable clues about malware behavior.
A. Strings: Strings can help in malware analysis by providing clues about the program’s functionality and potential indicators of compromise. It reveals URLs that the malware might use to communicate with command and control servers or to download additional components.
B. FLOSS: FLOSS Obfuscated String Solver is an open-source tool designed to identify and extract obfuscated strings from malware automatically. It uses advanced static analysis techniques that can help identify indicators of compromise (IOCs).
C. ExifTool: It is a free and open-source software program. It helps to extract hidden information from files, especially images and documents.
Packer & Obfuscation Detection:
Many malware samples use packers to hide their real code. These tools detect and sometimes unpack them.
A. Detect It Easy (DIE): Identifies the file. If a file is packed and what packer or compiler was used?
B. PEiD: Checks and recognizes the packers, cryptors, and compliers that malware might use to stay hidden.
C. UPX: A packing tool that some malware uses to shrink or hide itself. Fun fact is that UPX also works in reverse to unpack files!
PE File & Header Analysis: These tools analyze Windows PE file structure, helping detect suspicious imports, exports, and headers.
A. PE-Bear: This tool helps to manually check and inspect PE files. It can also help to modify PE files.
B. PEStudio: The PEStudio tool helps in static analysis. It investigates any Windows executable binary.
C. CFF Explorer: This tool is designed for analyzing and editing Portable Executable (PE) files.
Disassembly & Reverse Engineering: These tools break down malware into assembly code, allowing analysts to understand its behavior without executing it.
A. IDA Free: This tool converts binary code into assembly language, making it easy to analyze.
B. Ghidra: It’s a reverse engineering tool for malware analysis. We all know this tool is used for dynamic analysis, but it also helps in static analysis to decompile and disassemble code and allows analysts to understand the malware without executing the file.
C. Radare2: It’s an open-source tool for binary analysis, debugging, and reverse engineering.