Malware Static Analysis

Last modified: 2023-05-17


Static analysis is a method of malware analysis that examines a suspicious file without executing it. It can reveal basic information about the file (e.g. packer, linker, architecture), but on its own it may not be enough; packed or obfuscated samples usually need dynamic analysis as well.

Dump Contents

# Print printable ASCII strings (add -el to also list UTF-16LE strings, common in Windows binaries)
strings example.exe
# objdump needs at least one option: -x prints all headers, -d disassembles the code sections
objdump -x example.exe
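As an added example (not part of the original cheat sheet), the Python script below does the same job as `strings`, but also recovers UTF-16LE strings, which Windows binaries use heavily and which a plain `strings` run misses, and then triages the output for common static-analysis indicators. The sample bytes, the indicator regexes and the API list are constructed for illustration and are assumptions about what a first triage pass should flag, not an exhaustive rule set.

```python
import re

MIN_LEN = 4  # same default minimum length as GNU strings

# Triage rules (assumed indicator set for illustration, not an exhaustive list)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run", re.IGNORECASE)
PACKER_RE = re.compile(r"^UPX[!0-3]$")
SUSPICIOUS_APIS = frozenset({
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread",
    "IsDebuggerPresent", "URLDownloadToFileA", "WinExec",
})


def extract_strings(data, min_len=MIN_LEN):
    """Return a list of (offset, encoding, text) for ASCII and UTF-16LE runs, sorted by offset."""
    # Printable ASCII run, and the same run encoded as UTF-16LE (char, NUL, char, NUL, ...)
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def triage(strings):
    """Bucket extracted strings by indicator type."""
    hits = {"url": [], "ipv4": [], "registry_autorun": [], "packer": [], "api": []}
    for _offset, _encoding, text in strings:
        if URL_RE.search(text):
            hits["url"].append(text)
        if IPV4_RE.search(text):
            hits["ipv4"].append(text)
        if RUN_KEY_RE.search(text):
            hits["registry_autorun"].append(text)
        if PACKER_RE.match(text):
            hits["packer"].append(text)
        if text in SUSPICIOUS_APIS:
            hits["api"].append(text)
    return hits


# Constructed sample: a fake MZ stub, import names, a UTF-16LE URL, an autorun
# registry path and a UPX marker. Not a real binary. The double NUL after the
# ASCII import table stops its last byte from being read as the start of the
# UTF-16 run (the same ambiguity `strings` itself has).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n"
    + b"kernel32.dll\x00VirtualAlloc\x00WriteProcessMemory\x00\x00"
    + "http://example.invalid/update.bin".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x01\x02\x03UPX!\x00"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    strings = extract_strings(data)
    for offset, encoding, text in strings:
        print(f"{offset:#010x} {encoding:8s} {text}")
    for kind, values in triage(strings).items():
        if values:
            print(f"[{kind}] {', '.join(values)}")
```

Run it with a file path to scan a real sample, or with no arguments to see the constructed input. Offsets are printed so each hit can be located again in a hex editor or disassembler.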

Reverse Engineering

# Cutter is a reverse engineering GUI powered by Rizin
cutter example.exe

CAPA

capa identifies capabilities in executable files.

capa ./executable

If the executable is packed with a packer such as UPX, unpack it with the same tool and re-analyze the file with capa. For example, if the executable is packed with UPX, unpack it with UPX and re-run capa:

upx -d ./executable
# Delete capa's cached analysis (the .viv vivisect workspace) so the unpacked file is analyzed fresh
# (on Windows use: del .\executable.viv)
rm ./executable.viv
capa ./executable
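The following is an added example, not part of the original cheat sheet, showing how the "basic information" mentioned above (architecture and packer) can be read straight from the PE header before running capa: it walks the COFF header and section table, names the target machine, and applies two packer heuristics (UPX-style section names, and a section with no bytes on disk but a large in-memory size, which is where a packer's stub will write the unpacked code). The `build_sample_pe` fixture is constructed here to make the script self-contained; it is not a real binary, and the heuristics are assumptions for illustration, not a complete packer detector.

```python
import struct

MACHINE_NAMES = {0x014C: "x86 (I386)", 0x8664: "x64 (AMD64)", 0x01C0: "ARM", 0xAA64: "ARM64"}


def parse_pe(data):
    """Parse the COFF header and section table of a PE image (the optional header is skipped, not decoded)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        # First five fields of the 40-byte IMAGE_SECTION_HEADER
        raw_name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({
            "name": raw_name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_pointer": rptr,
        })
    return {"machine": MACHINE_NAMES.get(machine, f"unknown ({machine:#06x})"), "sections": sections}


def packer_hints(pe):
    """Heuristics that suggest a packed image; an empty list means nothing obvious was found."""
    hints = []
    names = [s["name"] for s in pe["sections"]]
    upx_names = [n for n in names if n.startswith("UPX")]
    if upx_names:
        hints.append("UPX-style section names: " + ", ".join(upx_names))
    for s in pe["sections"]:
        # No bytes on disk but a large in-memory size: space reserved for code unpacked at runtime
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"section {s['name']} has 0 raw bytes but {s['virtual_size']:#x} virtual bytes")
    return hints


def build_sample_pe(machine, sections):
    """Constructed fixture (assumption, not a real file): MZ stub, PE signature, COFF header,
    zeroed PE32 optional header and a section table built from (name, virtual_size, raw_size)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1), rsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rsize) in enumerate(sections)
    )
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # constructed UPX-like layout: UPX0 is empty on disk, UPX1 holds the packed payload
        data = build_sample_pe(0x014C, [(b"UPX0", 0x20000, 0), (b"UPX1", 0x8000, 0x7C00), (b".rsrc", 0x1000, 0x600)])
    pe = parse_pe(data)
    print("machine:", pe["machine"])
    for s in pe["sections"]:
        print(f"  {s['name']:<8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x}")
    for hint in packer_hints(pe):
        print("packer hint:", hint)
```

If `packer_hints` reports anything, unpack first (as with `upx -d` above) and only then run capa; otherwise capa sees only the packer stub and reports almost no capabilities.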

Microsoft OLE Files

# Check for 'M' in the oledump output: it marks a stream that contains a VBA macro.
oledump example.doc
# -i: Print extra info
oledump -i example.doc
# -s a: Select item (stream) in nr for dumping (a for all)
# -v: Decompress VBA expressions
oledump -s a -v example.doc
olefile example.doc
oleid example.doc
olemeta example.doc
oleobj example.doc
oletimes example.doc
olevba example.doc
# --deobf: Deobfuscate VBA expressions.
# --decode: Display all the obfuscated strings with their decoded content.
olevba --deobf --decode example.doc

Shellcode Analysis

scdbg is a shellcode emulator: it can locate shellcode in Windows binaries and documents (such as the .doc files below), run it in emulation, and report the Windows API calls it makes.

# -f: load the shellcode from the given file
scdbg -f <shellcode-file>
# -fopen: give the emulated shellcode a file handle to the host document (for shellcode that reads its own payload)
# -s -1: unlimited emulation steps; -i: interactive hooks
scdbg -f <shellcode-file> -fopen bad.doc_ -s -1 -i
scdbg -f shellcode.doc -s -1