Malware Static Analysis
Static Analysis is a method of malware analysis that analyze without executing a suspicious file. It can detect basic information (e.g. packer, linker, architecture) of files but may be not enough.
file example.exe
stat example.exe
file-magic.py example.exe
binwalk -e example.exe
strings example.exe
objdump example.exe
# Identify the file type using signature.
trid example.exe
# Determine types of files and examine file properties.
# -i: Show file info
diec -i example.exe
# -r: Recursive scan
# -d: Deep scan
diec -rd example.exe
# -e: Show entropy
diec -e example.exe
# -a: Scan all types
diec -a example.exe
# Read EXIF metadata
exiftool example.exe
# Extract interesting strings
bulk_extractor example.exe -o ./extracted
# Hex editor
wxHexEditor example.exe
# View, edit, carve contents of various binary file types.
# View metadata
hachoir-metadata example.exe
# Parse a binary file
hachoir-urwid example.exe
# A graphical binary explorer
hachoir-wx example.exe
# Search a substring in a binary file
hacoir-grep --all example.exe
# GUI for reverse engineering
ghidra
cutter example.exe
PE Files
manalyze example.exe
# -p: Use plugins
manalyze -p all example.exe
peframe example.exe
pedump example.exe
pecheck example.exe
# Examine contents and structure of PE files.
pe-tree example.exe
Android Apps
Zip Files
Reverse Engieering
Capabilities
CAPA
It identifies capabilities in executable files.
If you found the executable is packed with a packer tool such as UPX, unpack with the same packer tool and re-analyze the file using CAPA.
For example, if the executable is packed with UPX, unpack with UPX and re-run capa.
Micrsoft OLE Files
# Check 'M' in the result of the oledump. It indicates the stream contains macro.
oledump example.doc
# -i: Print extra info
oledump -i example.doc
# -s a: Select item (stream) in nr for dumping (a for all)
# -v: Decompress VBA expressions
oledump -s a -v example.doc
olefile example.doc
oleid example.doc
olemeta example.doc
oleobj example.doc
oletimes example.doc
olevba example.doc
# --deobf: Deobfuscate VBA expressions.
# --decode: Display all the obfuscated strings with their decoded content.
olevba --deobf --decode example.doc
Shellcode Analysis
scdbg is available for finding shellcode in Windows executables.
scdbg -f shellcode_file.sc
scdbg -f shellcode.sc -fopen bad.doc_ -s -1 -i
scdbg -f shellcode.doc -s -1