What is static malware analysis?

Static malware analysis is the process of examining a suspicious file's code and properties without executing it, allowing analysts to identify capabilities and IOCs safely.

What tools are used for static analysis?

Common tools include strings, FLOSS, PE-bear, Ghidra, IDA Free, and Radare2 for examining file metadata, extracting strings, and disassembling code.

Why is string extraction important in malware analysis?

String extraction reveals readable text within the binary, such as IP addresses, URLs, file paths, and registry keys, which serve as immediate Indicators of Compromise (IOCs).

What is the difference between static and dynamic analysis?

Static analysis examines the file's structure and code without running it, while dynamic analysis involves executing the malware in a controlled sandbox to observe its real-time behavior and network traffic.

Static Malware Analysis: Analyzing Malicious Files (Part 1)

Updated on February 8, 2026

Table of Contents

Prerequisites
Initial Information Gathering
Basic Static Analysis
Advanced Static Analysis
IOC Extraction
Detection Perspective
Key Takeaways

When you're handed a suspicious file during an incident response or threat hunting engagement, your first instinct shouldn't be to execute it. That's where static malware analysis comes in - examining the file without running it to extract maximum intelligence while keeping your analysis environment safe.

Static analysis is the foundation of malware analysis. It's fast, safe, and reveals a ton about the malware's capabilities, origins, and potential impact before you ever spin up a sandbox. In most scenarios, you can identify the malware family, extract IOCs, and understand the attack chain purely through static techniques. To understand how threats enter your system in the first place, reviewing the Initial Access Tactic (TA0001) is essential for context.

In this article, I'll walk you through the complete static analysis process I use in real-world engagements - from basic file identification to advanced disassembly and deobfuscation. We'll cover every tool and technique you need to thoroughly analyze malicious files without executing a single byte of code.

Note: This is Part 1 of the series. For dynamic behavior analysis, keep an eye out for Part 2 (Coming Soon). Before analyzing malware samples, ensure you're working in an isolated environment. Never analyze malicious files on production systems or personal machines.

Static-Malware-Analysis--Analyzing-Malicious-Files

Prerequisites

Before diving in, set up your analysis toolkit:

# Essential identification tools
apt install file exiftool python3-magic -y

# Hash calculation
apt install md5deep -y

# String extraction
apt install binutils strings -y
pip install flare-floss

# PE analysis tools
wget https://github.com/hasherezade/pe-bear/releases/latest/download/PE-bear_x64.zip
apt install pev -y

# Disassemblers
# IDA Free: https://hex-rays.com/ida-free/
# Ghidra: https://ghidra-sre.org/
apt install radare2 -y

# .NET analysis
apt install mono-complete -y
wget https://github.com/dnSpy/dnSpy/releases/latest/download/dnSpy-net-win64.zip

# Hex editors
apt install hexedit xxd -y

Analysis Environment:

Isolated VM (no network unless needed)
Windows and Linux VMs recommended
Snapshot capability for quick resets
4GB+ RAM for disassemblers

Initial Information Gathering

File Identification

Start with basic file type identification. Never trust file extensions - malware often masquerades as legitimate file types. If you determine the file is a document rather than an executable, refer to our specific guide on Analyzing Malicious Office Documents.

# Identify file type
file suspicious.exe

# Detailed magic bytes
file -i suspicious.exe

# Alternative identifier
trid suspicious.exe

# Extract file metadata
exiftool suspicious.exe

# PE-specific metadata
peres suspicious.exe

The metadata reveals compilation timestamps (often faked), original filenames, product names, and digital signatures. Look for inconsistencies like a "calculator.exe" claiming to be Microsoft Word.

Hash Calculation

Generate multiple hash types for threat intelligence lookups:

# MD5 hash
md5sum suspicious.exe

# SHA-256 hash
sha256sum suspicious.exe

# SHA-1 hash
sha1sum suspicious.exe

# Fuzzy hashing (similarity)
ssdeep suspicious.exe

# All hashes at once
rhash --all suspicious.exe

Search these hashes on VirusTotal, MalwareBazaar, and threat intel platforms. Fuzzy hashes (ssdeep) help identify malware variants and families even when the binary is slightly modified.

String Extraction

Strings reveal URLs, IP addresses, file paths, registry keys, and hardcoded credentials:

# Basic ASCII strings
strings suspicious.exe

# With minimum length filter
strings -n 8 suspicious.exe

# Unicode strings
strings -e l suspicious.exe

# Combine ASCII and Unicode
strings -a -e l suspicious.exe > strings.txt

For obfuscated malware, use FLOSS (FLARE Obfuscated String Solver):

# FLOSS - extracts obfuscated strings
floss suspicious.exe

# With stack strings
floss -n 6 suspicious.exe

# Output to file
floss suspicious.exe -o floss_output.txt

FLOSS automatically deobfuscates stack strings and encrypted strings that basic strings misses. Look for:

IP addresses and domains
User-agent strings
File paths and registry keys
API function names
Command and control (C2) URLs
Hardcoded credentials or encryption keys

Basic Static Analysis

PE File Analysis

For Windows executables, analyze the Portable Executable (PE) structure. This reveals imports, exports, resources, and compilation details.

Using PE-bear (GUI):

# Launch PE-bear
./PE-bear_x64/PE-bear.exe suspicious.exe

PE-bear shows:

DOS/NT headers
Section information (.text, .data, .rsrc)
Import Address Table (IAT)
Export functions
Resources (icons, dialogs, embedded files)
Digital signatures

Using PEStudio (Windows):
Download from https://winitor.com and analyze indicators automatically. PEStudio flags suspicious imports, entropy anomalies, and known malicious signatures.

Using pev (Linux CLI):

# PE header info
readpe suspicious.exe

# Section information
pesec suspicious.exe

# Imports (what APIs it uses)
pedis suspicious.exe

# Exports
pestr suspicious.exe

# Resource information
pepack suspicious.exe

Using Detect It Easy:

# Identify packers and compilers
diec suspicious.exe

Import Analysis

Imports reveal the malware's capabilities:

# List imported DLLs and functions
objdump -p suspicious.exe | grep DLL

# Better formatting
peframe suspicious.exe

Suspicious imports to watch for:

Networking: WinInet.dll, ws2_32.dll (InternetOpenA, HttpSendRequest, socket, connect)
Process manipulation: kernel32.dll (CreateProcess, VirtualAlloc, WriteProcessMemory)
Keylogging: user32.dll (SetWindowsHookEx, GetAsyncKeyState)
Persistence: advapi32.dll (RegSetValueEx, CreateService)
Cryptography: advapi32.dll (CryptEncrypt, CryptDecrypt)

Section Analysis

PE sections tell you about the executable's structure:

# Section headers
objdump -h suspicious.exe

# Detailed section info with entropy
peframe suspicious.exe

Analyze:

High entropy sections: Indicates packing/encryption (entropy > 7.0)
Unusual section names: .packed, .upx, .aspack
Large .rsrc section: May contain embedded payloads
Writable .text section: Self-modifying code
Executable .data section: Shellcode injection

Packer Detection

Packed malware compresses or encrypts itself to evade signature detection:

# Detect It Easy
diec -d suspicious.exe

# PEiD signatures
peid suspicious.exe

# Entropy analysis
peframe suspicious.exe | grep Entropy

Common packers:

UPX, ASPack, PECompact (legitimate)
Themida, VMProtect (anti-reversing)
Custom packers (malware-specific)

For packed files, you'll need to unpack before deeper analysis. Some automated unpackers:

# UPX unpacker
upx -d suspicious.exe -o unpacked.exe

# Universal unpacker (limited)
unipacker suspicious.exe

.NET Analysis

For .NET malware, use specialized tools:

# dnSpy (Windows GUI)
dnSpy.exe suspicious.exe

# ILSpy (cross-platform)
ilspycmd suspicious.exe

# CLI decompiler
ildasm suspicious.exe /out=suspicious.il

.NET malware is often easier to reverse since IL (Intermediate Language) is higher-level than native assembly. You can often read the actual source code logic.

Advanced Static Analysis

Disassembly

Now we dig into the actual machine code. Disassemblers convert binary to assembly language.

Using Ghidra (Free, Powerful):

# Launch Ghidra
ghidraRun

# Create project → Import file → Auto-analyze

Ghidra's decompiler produces pseudo-C code from assembly, making analysis much faster. Focus on:

Entry point and main function
String references
API calls
Control flow (conditionals, loops)
Encryption/decryption routines

Using IDA Free:

# Open file in IDA
ida64 suspicious.exe

IDA's cross-references (Xrefs) help you trace how functions and strings are used throughout the binary.

Using radare2 (CLI):

# Open file
r2 suspicious.exe

# Analyze all
aa

# List functions
afl

# Disassemble main
pdf @main

# Find strings
iz

# Cross-references
axt @address

Radare2 is powerful but has a steep learning curve. Use it when you need scriptable analysis or Linux-only environments.

Control Flow Analysis

Map out the execution flow:

# Generate control flow graph in Ghidra
# Graph → Generate Graph (Ctrl+Alt+G)

# In radare2
agf > cfg.dot
dot -Tpng cfg.dot -o cfg.png

Look for:

Anti-debugging checks
Anti-VM detection
Conditional C2 connections
Malware payload decryption routines

Deobfuscation Techniques

Malware uses obfuscation to hide strings and logic. Common techniques:

1. XOR Encryption:

# Look for XOR patterns in Ghidra/IDA
# Search for: xor reg, constant

2. Base64 Encoding:

# Extract and decode
strings suspicious.exe | grep -E '^[A-Za-z0-9+/=]{20,}$' | base64 -d

# FLOSS already does this
floss suspicious.exe

3. Stack Strings:
Characters pushed onto stack to build strings at runtime. FLOSS extracts these automatically.

4. API Hashing:
Malware resolves API functions by hash instead of name. Look for hash calculation routines in disassembly.

Resource Analysis

Executables can embed files in their resources:

# Extract resources
wrestool -x suspicious.exe -o resources/

# List resources
wrestool -l suspicious.exe

# Resource entropy
peframe suspicious.exe

Check for:

Embedded DLLs, EXEs
Configuration files
Encrypted payloads
Legitimate-looking icons (social engineering)

Code Signature Analysis

Verify digital signatures:

# Windows
sigcheck -a suspicious.exe

# Linux (osslsigncode)
osslsigncode verify suspicious.exe

# Check certificate details
openssl x509 -in cert.pem -text -noout

Look for:

Expired certificates
Self-signed certificates
Certificates issued to suspicious entities
Revoked certificates

Legitimate software should have valid signatures from known publishers.

IOC Extraction

Compile all indicators for threat hunting and detection. If you are working on a purple team, understanding how to handle these traces is critical; see our reference on Indicator Removal on Linux (T1070) for the flip side of this process.

Network IOCs:

IP addresses (grep for regex patterns)
Domain names
URLs
Email addresses

Host IOCs:

File paths
Registry keys
Mutex names
Service names
Scheduled task names

Cryptographic IOCs:

File hashes (MD5, SHA-256)
Mutexes for infection markers
Certificate thumbprints

# Extract potential IPs
strings suspicious.exe | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"

# Extract URLs
strings suspicious.exe | grep -oE "(http|https|ftp)://[a-zA-Z0-9./?=_-]*"

# Extract registry keys
strings suspicious.exe | grep -i "HKEY"

# Extract file paths
strings suspicious.exe | grep -E "C:\\\\|\\\\Program Files"

Create a structured IOC report for your SIEM, EDR, or threat intel platform.

Detection Perspective

From a defensive standpoint, static analysis helps you:

1. Build Detection Rules:

# YARA rule example
rule Malware_IOCs {
    strings:
        $url = "http://malicious-c2.com"
        $mutex = "Malware_Mutex_2024"
    condition:
        any of them
}

2. Improve Security Controls:

Block identified C2 domains/IPs at firewall
Add file hashes to blacklist
Monitor for suspicious API call patterns
Alert on high-entropy PE files

3. Threat Intelligence:

Share IOCs with community
Update threat intel feeds
Correlate with other campaigns
Attribute to threat actors

Key Takeaways

Static analysis provides:

Safe initial assessment - No malware execution
Quick triage - Identify file type and family
IOC extraction - Domains, IPs, file paths
Capability understanding - What can the malware do?
Preparation for dynamic analysis - Know what to look for

Limitations:

Can't analyze runtime behavior
Packers/obfuscation complicate analysis
Anti-analysis tricks may hide capabilities
No network traffic observation

That's where Part 2 comes in. Once you've extracted everything possible through static analysis, you'll move to dynamic analysis - actually executing the malware in a controlled sandbox to observe its real-world behavior, network connections, and complete attack chain.

For more on building your malware analysis lab, check out related resources on setting up isolated analysis environments.

Enjoyed this guide? Share your thoughts below and tell us how you leverage Static Malware Analysis in your projects!

Static Malware Analysis, Malware Analysis, Reverse Engineering, Cybersecurity, Incident Response, Threat Hunting, IOC Extraction, Security Tools