# Basic Static Malware Analysis

## 1. Identify File Type

The `file` command in Kali Linux determines the type of a file by examining its content rather than its extension, and reports its format. It tells you whether the file is a text file, an image, an executable binary, an archive, and so on.

```
file myfile.txt
```

### Windows Utilities

<mark style="color:blue;">**Get the first few hex bytes using the following software, then match them against the reference sites to identify the file type.**</mark>

HxD Hex Editor

{% embed url="<https://mh-nexus.de/en/hxd/>" %}

Exeinfo PE

{% embed url="<http://www.exeinfo.byethost18.com/?i=1>" %}

PE Studio

{% embed url="<https://www.winitor.com/download>" %}
A very good tool that performs most of the actions described on this page
{% endembed %}

CFF Explorer

{% embed url="<https://ntcore.com/?page_id=388>" %}

### Reference for identifying file types

{% embed url="<https://www.garykessler.net/library/file_sigs.html>" %}
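The following Python script is an added example, not code from the original page or from any of the tools listed above. It does by hand what the hex-editor-plus-reference-table step describes: read the leading bytes, compare them against a small signature table, and for `MZ` files confirm that a real PE header follows at the offset stored in `e_lfanew`. The signature table, the helper names (`identify_file_type`, `is_pe`, `hexdump_head`) and the sample buffers are all constructed for this example.

```python
"""Identify a file type from its leading bytes (magic signature).

Constructed signature table covering a few well-known headers. Real
references such as Gary Kessler's file_sigs list are far longer; this is
only enough to show the matching logic.
"""
import struct

# (magic bytes at offset 0, human-readable description)
SIGNATURES = [
    (b"MZ", "DOS/Windows PE executable (confirm with e_lfanew -> 'PE\\0\\0')"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/JAR/APK)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy DOC/XLS, may carry VBA macros)"),
]


def identify_file_type(data: bytes) -> str:
    """Return the description of the first signature that matches, else 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def is_pe(data: bytes) -> bool:
    """'MZ' alone is not proof of a PE: the DOS header stores the offset of the
    NT header at 0x3C (e_lfanew); a genuine PE has 'PE\\0\\0' at that offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def hexdump_head(data: bytes, n: int = 16) -> str:
    """The 'first few hex bytes' a hex editor would show, space separated."""
    return " ".join(f"{b:02x}" for b in data[:n])


# Constructed minimal PE-like buffer: DOS header with e_lfanew = 0x40 and a
# 'PE\0\0' signature at 0x40. Nothing else is valid; it only exercises the check.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
# Constructed decoy: starts with 'MZ' but has no NT header behind it.
FAKE_MZ_ONLY = b"MZ" + b"\x00" * 100


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_PE
    print(hexdump_head(blob), "->", identify_file_type(blob), "| valid PE:", is_pe(blob))
```

Run it with a path argument to inspect a real file, or with no argument to see the constructed sample. The `is_pe` check matters because renaming or prepending bytes is cheap; a tool like Exeinfo PE or CFF Explorer performs the same header walk before it trusts the `MZ` stub.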

## 2. Identify File Signature

{% embed url="<https://www.virustotal.com/>" %}

{% embed url="<https://www.hybrid-analysis.com/>" %}

## 3. Obfuscation / Packing

Used to hide the code from antivirus engines and from analysis.

<figure><img src="/files/ureiUgVa00F28LCAMH4P" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/u4kvXf9UiqxnVJ2jeW3o" alt=""><figcaption></figcaption></figure>

Entropy is the main indicator of packing. It measures how random the bytes of a file or section are.

<figure><img src="/files/gyBjEF5b9TOGNdGYdJxN" alt=""><figcaption><p>measured from 1-8</p></figcaption></figure>

<figure><img src="/files/BxqsPhdMml3zlQXF19D3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/UNGEkq4EC6iZieGlQxx1" alt=""><figcaption></figcaption></figure>
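To make the entropy figures above concrete, here is an added Python example (not code from the original page or from PE Studio) that computes Shannon entropy per byte, both for a whole blob and per fixed-size window, the way PE tools plot it. The section samples, the thresholds in `classify`, and the helper names are constructed for this example; the thresholds in particular are a rule of thumb, not a standard.

```python
"""Shannon entropy as a packing indicator.

H = -sum(p_i * log2(p_i)) over the 256 possible byte values, so H ranges
from 0 (a single byte value repeated) to 8 (all 256 values equally likely).
Packed or encrypted sections sit near the top of that range; ordinary code,
text and zero padding sit well below it.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_windows(data: bytes, window: int = 256) -> list:
    """Entropy of consecutive fixed-size windows, like the per-block plot in a hex editor."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(h: float) -> str:
    """Rule-of-thumb verdict (constructed thresholds, adjust to your own corpus)."""
    if h >= 7.2:
        return "likely packed/encrypted"
    if h >= 6.0:
        return "compressed or dense code"
    return "plain code/data"


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (constructed) standing in for a packed section."""
    out = bytearray()
    seed = b"constructed-seed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


# Constructed stand-ins for PE sections.
TEXT_SECTION = b"This is a constructed .text stand-in with ordinary ASCII bytes. " * 64
PACKED_SECTION = pseudo_random(4096)
PADDING = b"\x00" * 4096


def report(sections: dict) -> dict:
    """Map section name -> (entropy rounded to 2 places, verdict)."""
    out = {}
    for name, blob in sections.items():
        h = shannon_entropy(blob)
        out[name] = (round(h, 2), classify(h))
    return out


if __name__ == "__main__":
    for name, (h, verdict) in report({".text": TEXT_SECTION, ".packed": PACKED_SECTION, ".rsrc": PADDING}).items():
        print(f"{name:8} entropy={h:.2f}  {verdict}")
```

A whole-file entropy value can be misleading when a large zero-filled section drags the average down, which is why per-section (or per-window) numbers are the ones worth reading.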

## 4. Strings

### Tools

* PE Studio (lets you sort strings by size and by hints)
* strings
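As an added example (not code from the original page, from the `strings` utility, or from PE Studio), the Python below reproduces what those two tools give you: it pulls runs of printable ASCII like `strings` does, additionally pulls UTF-16LE "wide" strings that plain ASCII extraction misses on Windows binaries, and tags each hit with a simple hint category in the spirit of PE Studio's hints column, sorted longest first. The sample blob, the hint patterns and the helper names are constructed for this example.

```python
"""Minimal strings extractor with wide-string support and hint tagging."""
import re

# Hint categories (constructed, loosely modelled on what PE Studio flags).
HINTS = {
    "url": re.compile(r"https?://", re.I),
    "dll": re.compile(r"\.dll$", re.I),
    "registry": re.compile(r"^HKEY_|^HKLM\\|^HKCU\\", re.I),
    "path": re.compile(r"^[A-Za-z]:\\|^%[A-Z]+%", re.I),
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (kind, offset, text) for ASCII and UTF-16LE runs of at least min_len chars."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in wide_run.finditer(data):
        found.append(("wide", m.start(), m.group().decode("utf-16le")))
    return found


def hint_for(s: str) -> str:
    """First matching hint category, or '-' when none applies."""
    for name, rx in HINTS.items():
        if rx.search(s):
            return name
    return "-"


def summarize(data: bytes, min_len: int = 4) -> list:
    """(kind, offset, text, hint) rows, longest strings first."""
    rows = [(kind, off, s, hint_for(s)) for kind, off, s in extract_strings(data, min_len)]
    rows.sort(key=lambda r: len(r[2]), reverse=True)
    return rows


# Constructed sample blob: two ASCII strings, two UTF-16LE strings, noise between them.
SAMPLE = (
    b"\x00" * 8
    + b"kernel32.dll\x00"
    + b"\xff\xfe" * 3
    + "https://example.invalid/update".encode("utf-16le") + b"\x00\x00"
    + b"ab\x00"                      # too short to be reported
    + b"C:\\Windows\\Temp\\" + b"\x01\x02"
    + "HKCU\\Software\\Constructed".encode("utf-16le") + b"\x00"
)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for kind, off, s, hint in summarize(blob):
        print(f"{off:08x} {kind:5} {hint:8} {s}")
```

On a real sample the wide-string pass is the part worth having: API names and DLL imports show up as ASCII, but paths, registry keys and URLs built by Windows code are frequently stored as UTF-16LE and are invisible to the stock Linux `strings` command unless you pass its encoding option.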

## Other Useful Tools

olevba: analyses VBA macros in Office documents.

{% embed url="<https://github.com/decalage2/oletools/wiki/olevba>" %}

<figure><img src="/files/ifQ8Jx9u8HthSKR8d1hE" alt=""><figcaption></figcaption></figure>

## Sandboxes

{% embed url="<https://app.any.run/>" %}
Online sandbox; very good.
{% endembed %}
