Updated on February 8, 2026
When you're handed a suspicious file during an incident response or threat hunting engagement, your first instinct shouldn't be to execute it. That's where static malware analysis comes in - examining the file without running it to extract maximum intelligence while keeping your analysis environment safe.
Static analysis is the foundation of malware analysis. It's fast, safe, and reveals a ton about the malware's capabilities, origins, and potential impact before you ever spin up a sandbox. In most scenarios, you can identify the malware family, extract IOCs, and understand the attack chain purely through static techniques. To understand how threats enter your system in the first place, reviewing the Initial Access Tactic (TA0001) is essential for context.
In this article, I'll walk you through the complete static analysis process I use in real-world engagements - from basic file identification to advanced disassembly and deobfuscation. We'll cover every tool and technique you need to thoroughly analyze malicious files without executing a single byte of code.
Note: This is Part 1 of the series. For dynamic behavior analysis, keep an eye out for Part 2 (Coming Soon). Before analyzing malware samples, ensure you're working in an isolated environment. Never analyze malicious files on production systems or personal machines.
Prerequisites
Before diving in, set up your analysis toolkit:
# Essential identification tools
apt install file exiftool python3-magic -y
# Hash calculation
apt install md5deep -y
# String extraction
apt install binutils strings -y
pip install flare-floss
# PE analysis tools
wget https://github.com/hasherezade/pe-bear/releases/latest/download/PE-bear_x64.zip
apt install pev -y
# Disassemblers
# IDA Free: https://hex-rays.com/ida-free/
# Ghidra: https://ghidra-sre.org/
apt install radare2 -y
# .NET analysis
apt install mono-complete -y
wget https://github.com/dnSpy/dnSpy/releases/latest/download/dnSpy-net-win64.zip
# Hex editors
apt install hexedit xxd -yAnalysis Environment:
- Isolated VM (no network unless needed)
- Windows and Linux VMs recommended
- Snapshot capability for quick resets
- 4GB+ RAM for disassemblers
Initial Information Gathering
File Identification
Start with basic file type identification. Never trust file extensions - malware often masquerades as legitimate file types. If you determine the file is a document rather than an executable, refer to our specific guide on Analyzing Malicious Office Documents.
# Identify file type
file suspicious.exe
# Detailed magic bytes
file -i suspicious.exe
# Alternative identifier
trid suspicious.exe# Extract file metadata
exiftool suspicious.exe
# PE-specific metadata
peres suspicious.exeThe metadata reveals compilation timestamps (often faked), original filenames, product names, and digital signatures. Look for inconsistencies like a "calculator.exe" claiming to be Microsoft Word.
Hash Calculation
Generate multiple hash types for threat intelligence lookups:
# MD5 hash
md5sum suspicious.exe
# SHA-256 hash
sha256sum suspicious.exe
# SHA-1 hash
sha1sum suspicious.exe
# Fuzzy hashing (similarity)
ssdeep suspicious.exe
# All hashes at once
rhash --all suspicious.exeSearch these hashes on VirusTotal, MalwareBazaar, and threat intel platforms. Fuzzy hashes (ssdeep) help identify malware variants and families even when the binary is slightly modified.
Strings reveal URLs, IP addresses, file paths, registry keys, and hardcoded credentials:
# Basic ASCII strings
strings suspicious.exe
# With minimum length filter
strings -n 8 suspicious.exe
# Unicode strings
strings -e l suspicious.exe
# Combine ASCII and Unicode
strings -a -e l suspicious.exe > strings.txtFor obfuscated malware, use FLOSS (FLARE Obfuscated String Solver):
# FLOSS - extracts obfuscated strings
floss suspicious.exe
# With stack strings
floss -n 6 suspicious.exe
# Output to file
floss suspicious.exe -o floss_output.txtFLOSS automatically deobfuscates stack strings and encrypted strings that basic strings misses. Look for:
- IP addresses and domains
- User-agent strings
- File paths and registry keys
- API function names
- Command and control (C2) URLs
- Hardcoded credentials or encryption keys
Basic Static Analysis
PE File Analysis
For Windows executables, analyze the Portable Executable (PE) structure. This reveals imports, exports, resources, and compilation details.
Using PE-bear (GUI):
# Launch PE-bear
./PE-bear_x64/PE-bear.exe suspicious.exePE-bear shows:
- DOS/NT headers
- Section information (.text, .data, .rsrc)
- Import Address Table (IAT)
- Export functions
- Resources (icons, dialogs, embedded files)
- Digital signatures
Using PEStudio (Windows):
Download from https://winitor.com and analyze indicators automatically. PEStudio flags suspicious imports, entropy anomalies, and known malicious signatures.
Using pev (Linux CLI):
# PE header info
readpe suspicious.exe
# Section information
pesec suspicious.exe
# Imports (what APIs it uses)
pedis suspicious.exe
# Exports
pestr suspicious.exe
# Resource information
pepack suspicious.exeUsing Detect It Easy:
# Identify packers and compilers
diec suspicious.exeImport Analysis
Imports reveal the malware's capabilities:
# List imported DLLs and functions
objdump -p suspicious.exe | grep DLL
# Better formatting
peframe suspicious.exeSuspicious imports to watch for:
- Networking: WinInet.dll, ws2_32.dll (InternetOpenA, HttpSendRequest, socket, connect)
- Process manipulation: kernel32.dll (CreateProcess, VirtualAlloc, WriteProcessMemory)
- Keylogging: user32.dll (SetWindowsHookEx, GetAsyncKeyState)
- Persistence: advapi32.dll (RegSetValueEx, CreateService)
- Cryptography: advapi32.dll (CryptEncrypt, CryptDecrypt)
Section Analysis
PE sections tell you about the executable's structure:
# Section headers
objdump -h suspicious.exe
# Detailed section info with entropy
peframe suspicious.exeAnalyze:
- High entropy sections: Indicates packing/encryption (entropy > 7.0)
- Unusual section names:
.packed,.upx,.aspack - Large .rsrc section: May contain embedded payloads
- Writable .text section: Self-modifying code
- Executable .data section: Shellcode injection
Packer Detection
Packed malware compresses or encrypts itself to evade signature detection:
# Detect It Easy
diec -d suspicious.exe
# PEiD signatures
peid suspicious.exe
# Entropy analysis
peframe suspicious.exe | grep EntropyCommon packers:
- UPX, ASPack, PECompact (legitimate)
- Themida, VMProtect (anti-reversing)
- Custom packers (malware-specific)
For packed files, you'll need to unpack before deeper analysis. Some automated unpackers:
# UPX unpacker
upx -d suspicious.exe -o unpacked.exe
# Universal unpacker (limited)
unipacker suspicious.exe.NET Analysis
For .NET malware, use specialized tools:
# dnSpy (Windows GUI)
dnSpy.exe suspicious.exe
# ILSpy (cross-platform)
ilspycmd suspicious.exe
# CLI decompiler
ildasm suspicious.exe /out=suspicious.il.NET malware is often easier to reverse since IL (Intermediate Language) is higher-level than native assembly. You can often read the actual source code logic.
Advanced Static Analysis
Disassembly
Now we dig into the actual machine code. Disassemblers convert binary to assembly language.
Using Ghidra (Free, Powerful):
# Launch Ghidra
ghidraRun
# Create project → Import file → Auto-analyzeGhidra's decompiler produces pseudo-C code from assembly, making analysis much faster. Focus on:
- Entry point and main function
- String references
- API calls
- Control flow (conditionals, loops)
- Encryption/decryption routines
Using IDA Free:
# Open file in IDA
ida64 suspicious.exeIDA's cross-references (Xrefs) help you trace how functions and strings are used throughout the binary.
Using radare2 (CLI):
# Open file
r2 suspicious.exe
# Analyze all
aa
# List functions
afl
# Disassemble main
pdf @main
# Find strings
iz
# Cross-references
axt @addressRadare2 is powerful but has a steep learning curve. Use it when you need scriptable analysis or Linux-only environments.
Control Flow Analysis
Map out the execution flow:
# Generate control flow graph in Ghidra
# Graph → Generate Graph (Ctrl+Alt+G)
# In radare2
agf > cfg.dot
dot -Tpng cfg.dot -o cfg.pngLook for:
- Anti-debugging checks
- Anti-VM detection
- Conditional C2 connections
- Malware payload decryption routines
Deobfuscation Techniques
Malware uses obfuscation to hide strings and logic. Common techniques:
1. XOR Encryption:
# Look for XOR patterns in Ghidra/IDA
# Search for: xor reg, constant2. Base64 Encoding:
# Extract and decode
strings suspicious.exe | grep -E '^[A-Za-z0-9+/=]{20,}$' | base64 -d
# FLOSS already does this
floss suspicious.exe3. Stack Strings:
Characters pushed onto stack to build strings at runtime. FLOSS extracts these automatically.
4. API Hashing:
Malware resolves API functions by hash instead of name. Look for hash calculation routines in disassembly.
Resource Analysis
Executables can embed files in their resources:
# Extract resources
wrestool -x suspicious.exe -o resources/
# List resources
wrestool -l suspicious.exe
# Resource entropy
peframe suspicious.exeCheck for:
- Embedded DLLs, EXEs
- Configuration files
- Encrypted payloads
- Legitimate-looking icons (social engineering)
Code Signature Analysis
Verify digital signatures:
# Windows
sigcheck -a suspicious.exe
# Linux (osslsigncode)
osslsigncode verify suspicious.exe
# Check certificate details
openssl x509 -in cert.pem -text -nooutLook for:
- Expired certificates
- Self-signed certificates
- Certificates issued to suspicious entities
- Revoked certificates
Legitimate software should have valid signatures from known publishers.
Compile all indicators for threat hunting and detection. If you are working on a purple team, understanding how to handle these traces is critical; see our reference on Indicator Removal on Linux (T1070) for the flip side of this process.
Network IOCs:
- IP addresses (grep for regex patterns)
- Domain names
- URLs
- Email addresses
Host IOCs:
- File paths
- Registry keys
- Mutex names
- Service names
- Scheduled task names
Cryptographic IOCs:
- File hashes (MD5, SHA-256)
- Mutexes for infection markers
- Certificate thumbprints
# Extract potential IPs
strings suspicious.exe | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"
# Extract URLs
strings suspicious.exe | grep -oE "(http|https|ftp)://[a-zA-Z0-9./?=_-]*"
# Extract registry keys
strings suspicious.exe | grep -i "HKEY"
# Extract file paths
strings suspicious.exe | grep -E "C:\\\\|\\\\Program Files"Create a structured IOC report for your SIEM, EDR, or threat intel platform.
Detection Perspective
From a defensive standpoint, static analysis helps you:
1. Build Detection Rules:
# YARA rule example
rule Malware_IOCs {
strings:
$url = "http://malicious-c2.com"
$mutex = "Malware_Mutex_2024"
condition:
any of them
}2. Improve Security Controls:
- Block identified C2 domains/IPs at firewall
- Add file hashes to blacklist
- Monitor for suspicious API call patterns
- Alert on high-entropy PE files
3. Threat Intelligence:
- Share IOCs with community
- Update threat intel feeds
- Correlate with other campaigns
- Attribute to threat actors
Key Takeaways
Static analysis provides:
- Safe initial assessment - No malware execution
- Quick triage - Identify file type and family
- IOC extraction - Domains, IPs, file paths
- Capability understanding - What can the malware do?
- Preparation for dynamic analysis - Know what to look for
Limitations:
- Can't analyze runtime behavior
- Packers/obfuscation complicate analysis
- Anti-analysis tricks may hide capabilities
- No network traffic observation
That's where Part 2 comes in. Once you've extracted everything possible through static analysis, you'll move to dynamic analysis - actually executing the malware in a controlled sandbox to observe its real-world behavior, network connections, and complete attack chain.
For more on building your malware analysis lab, check out related resources on setting up isolated analysis environments.
Enjoyed this guide? Share your thoughts below and tell us how you leverage Static Malware Analysis in your projects!