Malware Static Analysis

Last modified: 2023-05-17

Malware

Static Analysis is a method of malware analysis that analyze without executing a suspicious file. It can detect basic information (e.g. packer, linker, architecture) of files but may be not enough.

Dump Contents

strings example.exe
objdump example.exe

Detect It Easy

It determines types of files.

Reverse Engieering

ghidra

# Cutter is a reverse engineering software powered by Rizin
cutter example.exe

Capabilities

CAPA

It identifies capabilities in executable files.

capa ./executable

If you found the executable is packed with a packer tool such as UPX, unpack with the same packer tool and re-analyze the file using CAPA.
For example, if the executable is packed with UPX, unpack with UPX and re-run capa.

upx -d ./executable
# Delete the cache of capa
del ./executable.viv
capa <suspicious-executable>

Micrsoft OLE Files

# Check 'M' in the result of the oledump. It indicates the stream contains macro.
oledump example.doc
# -i: Print extra info
oledump -i example.doc
# -s a: Select item (stream) in nr for dumping (a for all)
# -v: Decompress VBA expressions
oledump -s a -v example.doc
olefile example.doc
oleid example.doc
olemeta example.doc
oleobj example.doc
oletimes example.doc
olevba example.doc
# --deobf: Deobfuscate VBA expressions.
# --decode: Display all the obfuscated strings with their decoded content.
olevba --deobf --decode example.doc

Shellcode Analysis

scdbg is available for finding shellcode in Windows executables.

scdbg -f shellcode_file.sc
scdbg -f shellcode.sc -fopen bad.doc_ -s -1 -i
scdbg -f shellcode.doc -s -1

Exploits related to Malware

Others