Being able to pick apart malware in a controlled environment is an essential skill that analysts rely on to understand the “DNA” of a sample and the thought process behind its creators. This guide is designed as a crash course in malware analysis.

 

 Note: This guide does not cover lab setup (there are already plenty of great videos for that). Instead, we’ll focus specifically on Windows environments. If we receive enough positive feedback, we’ll expand into Android, maldocs, iOS, Mac, and ELF binaries.

​

Unlike many tutorials that separate static and dynamic analysis as two distinct silos, this guide treats analysis as a natural back-and-forth process between the two. We believe this iterative flow is more effective in developing real-world methodologies rather than oversimplifying analysis into static vs. dynamic “camps.”

Remember: not all malware is created equal. Your analysis must be layered with evidence before you can confidently deem a file malicious. Techniques can be mixed, swapped, and re-ordered depending on the sample and your own experience.

​

Sandboxing

The fastest way to get an initial read on a sample is sandboxing. If you’re short on time and just need to know if something looks malicious, sandboxes are your best friend.

Popular options include:

• Joe Sandbox

• Hybrid Analysis

• ANY.RUN

• Triage

Upload, execute, and review the results. Sandboxing won’t give you every answer, but it’s an efficient first step.

​

PE Metadata

Static analysis starts here. By examining a Portable Executable (PE) file in a viewer such as PE Studio, Detect It Easy, PE Bear, or PE View, you can uncover important metadata:

• Headers: For example, “MZ” magic bytes that confirm the file is an executable.

• Imports Table (IAT): Look for suspicious API calls. Why is a “calc.exe” file calling LoadLibrary, VirtualAlloc, or OpenURL? Each API alone isn’t malicious, but unusual combinations raise red flags.

• Entropy: High entropy can indicate packing or encryption. Many benign apps use packers (e.g., VMProtect) to prevent theft, so this requires context.

• File size comparisons: A large virtual size vs. small disk size may suggest compression or packing.

• Hardcoded strings: Strings often reveal URLs, evasion checks, regional targets, or other tactics.

This is only scratching the surface, sections like .text and .data hold even more clues. Some disassemblers (IDA Pro, x32/x64dbg, Ghidra) will also surface this metadata while providing deeper insights.

​

​

Dissassembly

Disassembly can feel overwhelming — walls of instructions, multiple panes, endless branches. But with the right approach, you can cut through the noise.

Tips for more effective disassembly:

1. Customize your workspace: Use plugins, set up pseudocode views, mark unnamed functions, and make the interface comfortable. A clean, tailored workspace reduces analysis fatigue.

2. Trace branch logic: Instead of reading line by line, skip to the end of functions and focus on IF/switch statements. This “big picture” view is faster and less draining.

3. Don’t read everything: Assembly isn’t meant to be read like a novel. Focus on epilogues, unconditional jumps, stack manipulation, and standout routines.

4. Expect tricks: Threat actors don’t want us dissecting their work. Techniques like API hammering, disassembly traps, junk code, and obfuscation are meant to waste your time. Stay sharp, research counter-techniques, or even build your own tools to share with the community.

 

***This article is still in progress. Thanks for your patience as we continue to expand it.**** Estimated Completion Date: Sept 12, 2025

 

​

​