Malware Static Analysis
Last modified: 2023-05-17
Malware
Static analysis is a method of malware analysis that examines a suspicious file without executing it. It reveals basic information about the file (e.g. packer, linker, architecture) but is often not enough on its own.
Dump Contents
# Print the printable strings embedded in the file (URLs, paths, API names, ...)
strings example.exe
# Display all headers (file, section, import/export tables) of the executable
objdump -x example.exe
The file utility determines the type of a file (e.g. PE32 executable, architecture).
Reverse Engineering
# Ghidra: launch the GUI, then import example.exe into a project
ghidra
# Cutter is a reverse engineering software powered by Rizin
cutter example.exe
Capabilities
CAPA
It identifies capabilities in executable files (e.g. persistence, networking, anti-analysis) by matching rules against the code.
capa ./executable
If you find that the executable is packed with a packer tool such as UPX, unpack it with the same packer tool and re-analyze the file with CAPA.
For example, if the executable is packed with UPX, unpack it with UPX and re-run capa.
# -d: Decompress (unpack) the executable in place
upx -d ./executable
# Delete the cache of capa
del ./executable.viv
capa <suspicious-executable>
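Before running upx -d, it helps to confirm that the file actually looks packed. The following is an added example (not part of the original page and not capa or UPX code): a small stdlib-only PE triage script that reads the architecture, the section names and the per-section entropy, and flags the UPX section names and "UPX!" marker. The sample PE-shaped blob it builds is constructed inline and is not a real executable.

```python
import math
import struct

# Section names and trailer signature commonly left behind by the UPX packer.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 means compressed/encrypted (packed) data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(blob: bytes) -> dict:
    """Parse the DOS/COFF headers and section table of a PE image and report packer hints."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    sec_off = pe_off + 24 + opt_size                            # table follows optional header
    sections = []
    for i in range(nsec):
        hdr = blob[sec_off + 40 * i: sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        ent = round(entropy(blob[raw_ptr:raw_ptr + raw_size]), 2)
        sections.append({"name": name, "raw_size": raw_size, "entropy": ent})
    upx = [s["name"] for s in sections if s["name"] in UPX_SECTION_NAMES]
    return {"arch": MACHINE_NAMES.get(machine, hex(machine)), "sections": sections,
            "upx_sections": upx, "upx_signature": b"UPX!" in blob,
            "likely_packed": bool(upx) or any(s["entropy"] > 7.0 for s in sections)}


def build_sample() -> bytes:
    """Constructed PE-shaped blob mimicking a UPX-packed x64 file (not a runnable binary)."""
    packed = bytes(range(256)) * 16                             # 4096 bytes, entropy exactly 8.0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)

    def sec(name, vsize, vaddr, rsize, rptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, rsize, rptr) + b"\0" * 16

    body = dos + coff + sec(b"UPX0", 0x10000, 0x1000, 0, 0) + sec(b"UPX1", 0x1000, 0x11000, len(packed), 0x200)
    return body + b"\0" * (0x200 - len(body)) + packed + b"UPX!"
```

A real sample whose sections are named .text/.data but still show entropy above 7 is worth the same suspicion: the packer may simply have renamed its sections.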
Microsoft OLE Files
# Check 'M' in the result of the oledump. It indicates the stream contains macro.
oledump example.doc
# -i: Print extra info
oledump -i example.doc
# -s a: Select item (stream) in nr for dumping (a for all)
# -v: Decompress VBA expressions
oledump -s a -v example.doc
# List the storages and streams of the OLE container
olefile example.doc
# Summarize risk indicators (encryption, VBA macros, embedded objects)
oleid example.doc
# Print the document metadata (author, application, timestamps)
olemeta example.doc
# Extract embedded OLE objects and files
oleobj example.doc
# Print creation/modification times of every storage and stream
oletimes example.doc
# Extract VBA macro source and flag suspicious keywords and auto-exec triggers
olevba example.doc
# --deobf: Deobfuscate VBA expressions.
# --decode: Display all the obfuscated strings with their decoded content.
olevba --deobf --decode example.doc
Shellcode Analysis
scdbg emulates shellcode and logs the Windows API calls it makes; it can also locate and run shellcode embedded in other files such as documents.
# -f: Load the shellcode from a file
scdbg -f shellcode_file.sc
# -fopen: Open a handle to the carrier document for shellcode that reads its own host file
# -s -1: Unlimited number of emulation steps
# -i: Enable interactive hooks (prompt on file, registry and network operations)
scdbg -f shellcode.sc -fopen bad.doc_ -s -1 -i
scdbg -f shellcode.doc -s -1