Static Analysis

Overview

Static analysis examines a malware sample without executing it — identifying file types, extracting strings and metadata, analyzing imports and exports, inspecting PE/ELF headers, and detecting packers or obfuscation. Static analysis is the first phase of any malware investigation and provides initial indicators of compromise (IOCs) and behavioral hypotheses.

General Approach

  1. Identify — determine file type, architecture, and format
  2. Hash — compute MD5/SHA-256/ssdeep for IOC sharing and VirusTotal lookup
  3. Triage — quick metadata scan to determine if the sample warrants deeper analysis
  4. Analyze headers — inspect PE/ELF structures for anomalies
  5. Extract strings — look for URLs, IPs, commands, registry keys, file paths
  6. Review imports — identify suspicious API calls that reveal capabilities
  7. Check for packing — detect and unpack if necessary before deeper analysis
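The seven steps above, carried through as a single stdlib-only triage script (an added example, not code from the original page). It runs on a constructed PE-shaped byte string rather than a real sample, stops at the PE signature and Machine field rather than parsing full headers, and uses an assumed whole-file entropy threshold of 7.0 bits/byte as the packing heuristic; ssdeep is omitted because it needs a third-party library.

```python
import hashlib
import math
import re
import struct
from collections import Counter

# Constructed stand-in for a sample: MZ stub, e_lfanew pointing at a PE
# signature with Machine=AMD64, then a few embedded strings. Not a real binary.
SAMPLE = bytearray(b"MZ" + b"\x00" * 0x3A)           # DOS header up to offset 0x3c
SAMPLE += struct.pack("<I", 0x40)                     # e_lfanew: PE header at 0x40
SAMPLE += b"PE\x00\x00" + struct.pack("<H", 0x8664)   # signature + Machine (x64)
SAMPLE += b"\x00" * 18
SAMPLE += b"CreateRemoteThread\x00WriteProcessMemory\x00"
SAMPLE += b"http://update.example.invalid/cfg\x00"
SAMPLE += b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
SAMPLE = bytes(SAMPLE)

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
# Assumed watch-list of APIs that reveal injection capability (step 6).
SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}

def identify(data: bytes) -> dict:
    """Step 1: format and architecture from magic bytes and the PE Machine field."""
    if data[:4] == b"\x7fELF":
        return {"format": "ELF", "arch": "64-bit" if data[4] == 2 else "32-bit"}
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            return {"format": "PE", "arch": MACHINE_NAMES.get(machine, hex(machine))}
    return {"format": "unknown", "arch": "unknown"}

def hashes(data: bytes) -> dict:
    """Step 2: hashes for IOC sharing and VirusTotal lookup."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def strings(data: bytes, min_len: int = 4) -> list:
    """Step 5: printable ASCII runs, the same idea as the `strings` tool."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def iocs(strs: list) -> dict:
    """Steps 5-6: pull URLs, registry paths and watch-listed API names out of the strings."""
    return {"urls": [s for s in strs if re.match(r"https?://", s)],
            "registry": [s for s in strs if re.match(r"(HKEY_\w+|Software)\\", s)],
            "apis": sorted(set(strs) & SUSPICIOUS_APIS)}

def entropy(data: bytes) -> float:
    """Step 7: Shannon entropy in bits/byte; near 8 over a whole file suggests packing."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes) -> dict:
    """Steps 1-7 in order; the result is the starting hypothesis for deeper analysis."""
    ent = entropy(data)
    return {**identify(data), **hashes(data), **iocs(strings(data)),
            "entropy": round(ent, 2), "likely_packed": ent > 7.0}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:14} {value}")
```

On a real sample, replace SAMPLE with the file's bytes and treat the `apis` list as a hypothesis to confirm against the import table, since strings alone do not show how a name is used.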