Complete Malware Analysis Workflow

Introduction

When a suspicious file lands on your desk—whether flagged by an endpoint detection system, discovered during threat hunting, or reported by a vigilant user—the clock starts ticking. Modern malware can establish persistence, exfiltrate data, or spread laterally within minutes. Your ability to rapidly analyze and understand the threat directly impacts your organization's security posture.

This guide walks you through the complete malware analysis workflow used by Security Operations Centers (SOCs), incident response teams, and malware researchers worldwide. We'll focus on static analysis techniques—examining malware without executing it—which allows you to extract valuable intelligence safely and quickly.

According to CrowdStrike's malware analysis framework, the typical workflow progresses from L1 analysts performing initial triage, to L2 analysts conducting deeper investigation, to L3 analysts writing detection rules and threat hunting. This hierarchical approach ensures efficient resource allocation while maintaining thorough analysis.

Why Static Analysis First?

Static malware analysis examines files without executing them, revealing indicators of compromise (IOCs) such as IP addresses, domains, file paths, and API calls without the risks of detonation. As noted by Fortinet's analysis methodology, static analysis forms the foundation that guides subsequent dynamic analysis decisions.

The workflow we'll cover includes:

1. Initial Triage & Assessment (5-15 minutes)
2. Basic Static Analysis (15-30 minutes)
3. String Extraction & IOC Discovery (30-60 minutes)
4. Deobfuscation & Decoding (variable)
5. Binary Analysis & Disassembly (1-4 hours)
6. Documentation & Threat Intelligence Sharing

Let's dive into each stage with practical techniques and tools.

Stage 1: Initial Triage & Assessment (5-15 minutes)

The triage phase is your first line of defense—a rapid assessment that determines whether a file warrants deeper investigation or can be quickly dismissed. Cybersecurity triage is the process security teams use to rapidly assess and prioritize alerts based on risk and urgency.

Step 1.1: Calculate File Hashes

Why: File hashes serve as unique fingerprints. If the hash matches known malware in threat intelligence databases, you can skip extensive analysis and move directly to containment.

How:

1. Use the Hash Generator tool to calculate MD5, SHA-1, SHA-256, and SHA-512 hashes
2. The tool supports batch processing for multiple files simultaneously
3. Copy hashes for threat intelligence lookups

Tool Features:

• Drag-and-drop file upload
• Instant hash calculation for all major algorithms
• Hash history tracking (last 10 calculations stored locally)

Step 1.2: Check Against Threat Intelligence Databases

Why: Over 70% of malware samples are variations of known families. A positive match provides instant context about capabilities, C2 infrastructure, and remediation steps.

Recommended Databases:

• VirusTotal - Multi-engine scanning with 70+ antivirus vendors
• MalwareBazaar - Community-driven malware sample repository
• Hybrid Analysis - Automated malware sandbox with detailed reports

Hash Generator Integration: Our Hash Generator provides direct links to check hashes against these platforms:

• One-click "Check on VirusTotal" button
• MalwareBazaar search integration
• Hybrid Analysis lookup links

Interpretation Guide:

Step 1.3: Record File Metadata

Critical Metadata to Document:

- **Filename:** suspicious_invoice.exe
- **File Size:** 2.3 MB
- **MD5:** d41d8cd98f00b204e9800998ecf8427e
- **SHA-256:** e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- **Source:** Email attachment from unknown sender
- **First Seen:** 2025-01-07 14:32:00 UTC
- **VirusTotal:** 35/70 detections (Trojan.GenericKD)

Best Practice: Use your Hash Generator's history feature to maintain a timeline of analyzed samples during an incident.

Step 1.4: Initial Risk Assessment

According to SecurityScorecard's triage methodology, triage classification determines investigation priority:

High Priority (Immediate Analysis Required):

• Detections > 20 AV vendors
• Associated with active campaign or APT group
• Found on critical systems (domain controllers, databases)
• Exhibits ransomware or wiper characteristics

Medium Priority (Analysis within 4 hours):

• Detections 5-20 AV vendors
• Unknown sample with suspicious characteristics
• Found on user endpoints
• Potential commodity malware

Low Priority (Queue for batch analysis):

• 0-5 detections
• Likely false positive
• Found in sandboxed/isolated environment
• Appears to be legitimate software

Triage Decision Tree:

Suspicious File
    ├── Hash Match (>20 AV) → HIGH: Skip to containment
    ├── Hash Match (5-20 AV) → MEDIUM: Quick static analysis
    ├── Unknown Hash → Proceed to Stage 2 (Static Analysis)
    └── 0 Detections + Legit Source → LOW: Monitor only

Step 1.5: Establish Analysis Environment

Safety First:

• Isolated Network: Never analyze malware on production networks
• Virtual Machine: Disposable VM with snapshot capability
• VPN/Tor: Some malware exhibits different behavior when it detects analysis environments
• Offline Analysis: Static analysis doesn't require network access—disconnect if possible

Recommended Setup:

• Windows 10/11 VM with REMnux toolkit
• macOS/Linux VM for cross-platform analysis
• Snapshot before each analysis session
• Dedicated tools partition (read-only when possible)

Triage Output Example:

After 10 minutes of triage, you should have:

✅ All file hashes calculated and checked ✅ Threat intelligence matches documented ✅ Risk level assigned (High/Medium/Low) ✅ Analysis environment prepared ✅ Initial incident ticket created

Time Investment: 5-15 minutes Next Step: If the file requires deeper investigation, proceed to Stage 2 for static analysis.

Stage 2: Basic Static Analysis (15-30 minutes)

Static analysis allows you to examine malware's characteristics without executing it—eliminating detonation risks while extracting valuable intelligence. This stage focuses on two critical indicators: file type verification and entropy analysis for packing detection.

Step 2.1: File Type Identification & Magic Number Verification

Why: Malware authors frequently use extension spoofing to trick users—renaming executables as .pdf, .docx, or .jpg files. Magic numbers (file signatures) reveal the true file type regardless of extension.

Magic Number Examples:

How to Verify:

1. Use the File Magic Number Checker tool
2. Upload the suspicious file
3. Compare detected file type vs. extension
4. Flag any mismatches as potential spoofing

Example Detection:

Filename: invoice_2025.pdf
Extension: .pdf (Expected: PDF document)
Magic Number: 4D 5A (Detected: PE executable)
⚠️ ALERT: Extension spoofing detected!

Step 2.2: Entropy Analysis for Packing Detection

What is Entropy? Entropy analysis measures data randomness on a scale of 0 (completely predictable) to 8 (maximum randomness). According to research on packer detection using entropy, unpacked files typically exhibit entropy between 5.0-6.5, while packed/encrypted files approach 7.0-8.0.

Why Packers Matter: Malware authors use packers (UPX, Themida, ASPack) and crypters to:

• Evade signature-based detection
• Hide malicious strings and APIs
• Complicate reverse engineering

As noted in ANY.RUN's packer analysis guide, sophisticated protectors like Themida and Enigma significantly affect detection systems, making entropy analysis a critical first step.

Entropy Thresholds:

How to Analyze:

1. Use the Entropy Analyzer tool
2. Upload the executable file
3. Review the overall entropy score
4. Examine section-by-section entropy distribution

Tool Features:

• Shannon entropy calculation using the formula: H = -Σ(p(x) × log₂(p(x)))
• Visual entropy distribution chart showing entropy across file sections
• Byte distribution histogram revealing compression patterns
• Color-coded assessment:
  • 🟢 Green (< 6.0): Normal executable
  • 🟡 Yellow (6.0-7.0): Suspicious, possible packing
  • 🔴 Red (> 7.0): Likely packed or encrypted

Step 2.3: Identifying Common Packers

Section Name Analysis: Many packers leave telltale signs in PE section names:

Example Analysis:

File: unknown_sample.exe
Overall Entropy: 7.65 (HIGH - Likely Packed)

Section Analysis:
  .text   - Entropy: 7.82 (Encrypted code)
  .rdata  - Entropy: 7.71 (Encrypted data)
  .themida - Entropy: 7.89 (Packer signature)

Assessment: ⚠️ File is packed with Themida crypter
Recommendation: Requires unpacking before string analysis

Step 2.4: Mixed Content Detection

Some malware exhibits variable entropy across sections—normal entropy in some regions, high entropy in others. This pattern suggests:

• Partially packed executables
• Embedded encrypted payloads
• Staged malware (encrypted secondary payloads)

Entropy Variance Indicators:

Section Entropy Analysis:
  .text   - 5.8 (Normal code section)
  .data   - 5.2 (Normal data section)
  .rsrc   - 7.9 (ALERT: Encrypted resource)

⚠️ Mixed Content Detected
High-entropy .rsrc section may contain:
- Encrypted secondary payload
- Embedded ransomware encryption key
- Obfuscated C2 configuration

Action Items: Use the Entropy Analyzer's section-by-section view to identify suspicious regions for hex-level inspection.

Step 2.5: Baseline Comparison

Legitimate Software Entropy Baselines:

*Compression tools contain compressed data, naturally higher entropy

False Positive Awareness: High entropy doesn't always indicate malware. Legitimate uses include:

• Compressed installers - NSIS, Inno Setup
• Game assets - Encrypted game files (DRM)
• Cryptographic libraries - OpenSSL, BoringSSL
• Media codecs - Video/audio compression

Verification Tip: If entropy is high (>7.0) but VirusTotal shows 0 detections and file is signed by a known publisher (Microsoft, Adobe, etc.), it's likely legitimate compression rather than malicious packing.

Stage 2 Output Example:

After 20 minutes of static analysis, you should have:

✅ True file type verified (not relying on extension) ✅ Entropy score calculated and assessed ✅ Packer identified (if present) ✅ High-entropy sections flagged for investigation ✅ Decision on next steps (unpacking vs. direct string analysis)

Decision Matrix:

Entropy < 6.5 + Normal sections → Proceed to Stage 3 (String Extraction)
Entropy 6.5-7.2 + Unknown → Proceed to Stage 3 (Strings may reveal packer)
Entropy > 7.2 + Known packer → Attempt unpacking OR proceed to Stage 5 (Hex analysis)
Entropy > 7.2 + Unknown packer → Stage 5 (Manual analysis required)

Time Investment: 15-30 minutes Next Step: Most files proceed to Stage 3 for string extraction, even if packed (obfuscated strings provide clues).

Stage 3: String Extraction & IOC Discovery (30-60 minutes)

String extraction is one of the most productive malware analysis techniques. According to Mandiant's research on string extraction, Windows functions like SetWindowsHook, CreateProcess, and InternetOpen reveal malware functionality, while IP addresses, URLs, and domains expose C2 communication infrastructure.

Step 3.1: ASCII and Unicode String Extraction

What are Strings? Strings are sequences of printable characters embedded in binary files. They include:

• Function names and API calls
• File paths and registry keys
• URLs, IPs, and domain names
• Error messages and debug info
• Encryption keys and passwords
• User-agent strings and HTTP headers

Extraction Process:

1. Use the String Extractor tool
2. Upload the malware sample
3. Configure minimum string length (recommended: 4-6 characters)
4. Extract both ASCII (single-byte) and Unicode UTF-16LE (double-byte) strings

Tool Capabilities:

• Dual extraction: ASCII and Unicode simultaneously
• Configurable minimum length filter (1-20 characters)
• Byte offset display for each string (hex format)
• Real-time processing with performance metrics
• Type badges (ASCII/Unicode) for quick identification

Step 3.2: Automatic Pattern Detection

The String Extractor automatically identifies 8 categories of suspicious patterns:

1. IPv4 Addresses

Pattern: xxx.xxx.xxx.xxx
Examples:
  - 192.168.1.100 (Private network, lateral movement)
  - 185.220.101.34 (Public IP, potential C2 server)
  - 127.0.0.1 (Localhost, debugging artifacts)

2. IPv6 Addresses

Pattern: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

3. URLs (HTTP/HTTPS/FTP)

Examples:
  - http://malicious-c2.com/gate.php (C2 endpoint)
  - https://pastebin.com/raw/abc123 (Config hosting)
  - ftp://download.evil.net/payload.exe (Payload download)

4. Email Addresses

Examples:
  - [email protected] (Targeted recipient)
  - [email protected] (Phishing lure)
  - [email protected] (Command channel)

5. Windows File Paths

Examples:
  - C:\Windows\System32\svchost.exe (System impersonation)
  - C:\Users\Public\malware.exe (Common drop location)
  - C:\ProgramData\AppData\config.dat (Hidden config)

6. UNC Network Paths

Examples:
  - \\\\192.168.1.50\\share\\payload.dll (Lateral movement)
  - \\\\DC01\\SYSVOL\\scripts\\evil.ps1 (Domain propagation)

7. Registry Keys

Examples:
  - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Persistence)
  - HKCU\\Software\\Classes\\exefile\\shell\\open\\command (Hijacking)
  - HKLM\\SYSTEM\\CurrentControlSet\\Services (Service installation)

8. Base64 Encoded Data

Pattern: Long strings of A-Z, a-z, 0-9, +, /, =
Example: SGVsbG8gV29ybGQh== (Encoded payload or config)

Step 3.3: Identifying High-Value IOCs

C2 Infrastructure Indicators:

High-Priority Strings:
✓ IP addresses (not private ranges)
✓ Domain names (especially suspicious TLDs: .tk, .xyz, .top)
✓ HTTP User-Agent strings
✓ API endpoints (/gate.php, /panel/, /upload/)
✓ Encryption/encoding artifacts

Example C2 IOC Collection:

File: ransomware_sample.exe
Strings found: 1,243 total
Suspicious: 47 strings

C2 Indicators:
  - 185.220.101.34:443 (HTTPS C2)
  - evil-domain.tk/api/checkin (Beacon endpoint)
  - Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0
  - AES256-CBC-HMAC-SHA256 (Encryption method)

Persistence Indicators:
  - HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
  - C:\\Users\\Public\\svchost.exe (Fake svchost)

Targeted Files:
  - *.docx, *.xlsx, *.pdf (Encryption targets)
  - C:\\Users\\*\\Desktop\\ (Target directory)

Step 3.4: Windows API Analysis

Common Malicious APIs:

Example API String Analysis:

Extracted API Calls:
  - CreateRemoteThread ⚠️ Code injection capability
  - VirtualAllocEx ⚠️ Memory manipulation
  - WriteProcessMemory ⚠️ Process hollowing technique
  - RegSetValueEx → Persistence mechanism
  - URLDownloadToFile → Payload download

Assessment: Likely Process Injection Malware
Technique: Classic process hollowing attack

Step 3.5: Filtering and Search Techniques

Using Filters Effectively:

1. Show Only Suspicious Strings

   • Toggle "Show only suspicious" filter
   • Reduces noise from benign strings
   • Focuses on IOCs and interesting patterns

2. Type Filtering (ASCII vs Unicode)

   • ASCII: Most common for English text and code
   • Unicode: Often used for internationalization or obfuscation
   • Some malware uses Unicode to evade ASCII-only scanners

3. Search Functionality

   • Search for specific keywords: "http", "cmd", "powershell"
   • Find encryption-related terms: "AES", "RSA", "key"
   • Locate file operations: "delete", "copy", "write"

Effective Search Keywords:

C2 Communication: http, https, tcp, socket, connect, GET, POST
Persistence: Run, RunOnce, Startup, Task, Service, schtasks
Evasion: sleep, delay, sandbox, vm, debugger
Encryption: crypt, encrypt, AES, RSA, key, cipher
Exfiltration: upload, send, ftp, smtp, email
Credential Theft: password, credential, login, cookie

Step 3.6: Handling Obfuscated Strings

Challenge: Sophisticated malware uses obfuscated strings to hide IOCs. According to Mandiant's FLOSS research, obfuscated strings typically contain the most sensitive configuration resources, including C2 server addresses and import names.

Common Obfuscation Techniques:

1. Base64 Encoding

Encoded: aHR0cDovL21hbGljaW91cy1jMi5jb20=
Decoded: http://malicious-c2.com

2. XOR Encoding

Encoded bytes: E8 8B 9A 9C 8D 8A 9B E8 8B 8C
XOR Key: 0x42
Decoded: "malware.exe"

3. ROT13 / Caesar Cipher

Encoded: uggc://rivy-pbzznaq.arg
Decoded: http://evil-command.net

4. String Stacking (Runtime Concatenation)

char* part1 = "http://";
char* part2 = "malicious";
char* part3 = "-c2.com";
// Runtime: http://malicious-c2.com

When to Use Deobfuscation:

• Strings appear garbled or nonsensical
• High concentration of Base64-like strings
• Patterns like repeated XOR operations
• Short, random-looking strings in bulk

Next Step: If obfuscation is detected, proceed to Stage 4 (Deobfuscation).

Step 3.7: Exporting IOCs for Threat Intelligence

Export Formats:

1. CSV Export

Offset,Length,Type,String,Suspicious,Patterns
0x00001A2F,15,ASCII,192.168.1.100,Yes,IPv4
0x00002B4C,28,ASCII,http://evil-c2.com/gate.php,Yes,URL
0x00003D1A,45,Unicode,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,Yes,Registry

Use Cases:

• Import into Excel for reporting
• Share with security team
• Feed into SIEM platforms

2. JSON Export

{
  "file_metadata": {
    "filename": "ransomware_sample.exe",
    "size": 2457600,
    "processing_time_ms": 342
  },
  "statistics": {
    "total_strings": 1243,
    "ascii_strings": 1089,
    "unicode_strings": 154,
    "suspicious_strings": 47
  },
  "iocs": [
    {
      "offset": "0x00001A2F",
      "type": "ASCII",
      "value": "192.168.1.100",
      "patterns": ["IPv4"],
      "suspicious": true
    }
  ]
}

Use Cases:

• Automated processing pipelines
• Integration with threat intelligence platforms (MISP, OpenCTI)
• API consumption for detection rule generation

Stage 3 Output Example:

After 45 minutes of string analysis, you should have:

✅ Complete string extraction (ASCII + Unicode) ✅ Suspicious patterns identified and flagged ✅ High-value IOCs isolated (IPs, URLs, registry keys) ✅ Windows API usage documented ✅ Obfuscation patterns detected (if present) ✅ IOCs exported in CSV/JSON format

Sample IOC Report:

Malware Sample: unknown_trojan.exe
Analysis Date: 2025-01-07 16:45:00 UTC
Analyst: SOC Team

Key Findings:
  - 3 C2 server IPs identified
  - 7 persistence registry keys
  - 12 Windows API calls (injection-related)
  - Base64-encoded config detected

Immediate Actions:
  ☐ Block C2 IPs at firewall
  ☐ Monitor for persistence registry changes
  ☐ Hunt for process injection patterns
  ☐ Deobfuscate Base64 strings (Stage 4)

Time Investment: 30-60 minutes Next Step: If obfuscated strings were detected, proceed to Stage 4 for deobfuscation. Otherwise, skip to Stage 5 for binary/hex analysis.

Stage 4: Deobfuscation & Decoding (Variable Time)

When string extraction reveals encoded or obfuscated data, the Malware Deobfuscator provides a unified interface for decoding. This stage focuses on revealing hidden C2 addresses, configuration data, and other intelligence that malware authors attempted to conceal.

Step 4.1: Auto-Detection Mode

The fastest approach for unknown encodings:

How it Works:

1. Upload or paste the obfuscated string
2. Enable "Auto-Detect" mode
3. The tool automatically tries all techniques (Base64, Hex, URL, ROT13, XOR)
4. Results are ranked by readability score

Readability Scoring:

• English letter frequency analysis (e, t, a, o, i weighted)
• Common word detection (http, script, function, var, the, and)
• Printable character ratio
• Entropy calculation

Example:

Input: aHR0cDovL2V2aWwtYzIuY29tL2dhdGUucGhw
Auto-Detect Results:
  1. Base64 → "http://evil-c2.com/gate.php" (Score: 98.7%) ✓
  2. Hex → Gibberish (Score: 12.3%)
  3. ROT13 → Gibberish (Score: 8.1%)

Step 4.2: XOR Brute Force

XOR encoding is extremely common in malware for hiding strings and configurations. Use our dedicated XOR cipher decoder for quick single-byte key brute forcing with English frequency analysis.

Single-Byte Key Brute Force:

• Tries all 256 possible keys (0x00-0xFF)
• Scores each result for readability
• Highlights likely candidates

Example:

Input (hex): E8 8B 9A 9C 8D 8A 9B E8 8B 8C
Brute Force Results:
  Key 0x42: "malware.exe" (Score: 95.2%) ✓
  Key 0x13: Random (Score: 15.3%)
  Key 0xAA: Random (Score: 8.7%)

Step 4.3: Multi-Layer Chaining

Sophisticated malware often uses multiple encoding layers.

Chaining Process:

1. Decode Base64 layer
2. Output becomes input for XOR decode
3. Final output reveals plaintext

Example PowerShell Obfuscation:

Layer 1 (Base64): JABhAD0AJwBoAHQAdABwADoALwAvAGUAdgBpAGwALQBjADIALgBjAG8AbQAnAA==
         ↓ Base64 Decode
Layer 2 (Unicode): $a='http://evil-c2.com'
         ↓ Result
Plaintext C2: http://evil-c2.com

Tool Features:

• Add multiple decoding steps
• Visualize chain progress
• Copy intermediate results
• Preset patterns (PowerShell, JavaScript, Custom)

Step 4.4: Quick Presets

Preset 1: PowerShell Encoding

Common Pattern: Base64 → Unicode/UTF-16LE
Use Case: Obfuscated PowerShell downloaders
Example: JABjAGwAaQBlAG4AdAA= → $client

Preset 2: JavaScript Obfuscation

Common Pattern: Hex → URL Decode → eval()
Use Case: Malicious scripts in compromised websites

Preset 3: XOR Pattern

Common Pattern: XOR (brute force key detection)
Use Case: String table decryption in malware

Stage 4 Output:

✅ Obfuscated strings decoded ✅ Hidden C2 infrastructure revealed ✅ Configuration data extracted ✅ Encoding methods documented

Time Investment: 10 minutes to 2 hours (depending on complexity) Next Step: Proceed to Stage 5 for hex-level binary analysis

Stage 5: Binary Analysis & Disassembly (1-4 hours)

The deepest level of static analysis involves examining the raw bytes and disassembled code.

Step 5.1: Hex Editor Analysis

Use Cases:

• Verify file structure (PE headers, ELF headers)
• Locate embedded payloads or resources
• Identify encrypted sections
• Patch binaries for dynamic analysis

Key Features:

• Classic 3-column layout (offset | hex | ASCII)
• Search by hex pattern or ASCII string
• Bookmark interesting offsets with notes
• Jump to specific addresses
• Export modified files

Example Investigation:

Offset     Hex Dump                          ASCII
00000000   4D 5A 90 00 03 00 00 00 04 00     MZ..........
00000010   00 00 FF FF 00 00 B8 00 00 00     ............
...
0000E400   CA FE BA BE 00 00 00 34 00 21     ..........4.!

Finding 1: MZ header at 0x00000000 confirms PE file Finding 2: CA FE BA BE at 0xE400 → Embedded JAR file (Java malware)

Step 5.2: Machine Code Disassembly

Purpose: Convert machine code to human-readable assembly language.

Disassembly Features:

• Multi-architecture support (x86, x64, ARM, RISC-V)
• Function call graph visualization
• Entry point detection
• Shellcode analysis
• Performance metrics

Example Disassembly:

Entry Point (0x00401000):
  push   ebp
  mov    ebp, esp
  sub    esp, 0x40
  call   0x00402000     ; GetProcAddress
  call   0x00403000     ; VirtualAlloc
  call   0x00404000     ; WriteProcessMemory
  ret

Analysis: Process injection routine detected (VirtualAlloc + WriteProcessMemory)

Step 5.3: PE Header Analysis

Critical PE Fields:

• TimeDateStamp → Compilation time (use Unix Timestamp Converter for FILETIME)
• ImportTable → External DLL dependencies
• Sections → Code, data, resources
• EntryPoint → Execution start address

Red Flags:

• Unusual section names (.themida, .upx0)
• High entropy in .text section
• Suspicious imports (CreateRemoteThread, etc.)
• Invalid or zero TimeDateStamp

Stage 5 Output:

✅ Binary structure documented ✅ Embedded payloads identified ✅ Assembly code analyzed ✅ Injection/evasion techniques detected

Time Investment: 1-4 hours Next Step: Compile findings into final report (Stage 6)

Stage 6: Documentation & Threat Intelligence Sharing

The final stage transforms your analysis into actionable intelligence.

Step 6.1: Incident Report Template

# Malware Analysis Report

**Analyst:** [Name]
**Date:** 2025-01-07
**Classification:** TLP:AMBER

## Executive Summary
Analyzed suspicious executable identified as [Malware Family].
High confidence assessment based on static analysis.

## File Metadata
- **Filename:** malware_sample.exe
- **MD5:** [hash]
- **SHA-256:** [hash]
- **File Type:** PE32 executable
- **Size:** 2.4 MB
- **Compilation Timestamp:** 2025-01-05 08:32:00 UTC

## Analysis Findings

### Packing/Obfuscation
- Overall Entropy: 7.65 (HIGH - Likely packed)
- Packer: Themida 3.x detected
- Obfuscation: XOR + Base64 multi-layer encoding

### Command & Control
- Primary C2: 185.220.101.34:443
- Backup C2: evil-domain.tk
- Beaconing: Every 60 seconds
- Protocol: HTTPS with custom headers

### Persistence Mechanisms
- Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Service: Creates "WindowsUpdateService"
- Scheduled Task: Runs at user logon

### Capabilities
- Process Injection (CreateRemoteThread)
- Keylogging (SetWindowsHookEx)
- File Encryption (AES-256)
- Data Exfiltration (HTTPS POST)

## Indicators of Compromise (IOCs)

### Network Indicators
- 185.220.101.34 (C2 Server)
- evil-domain.tk (Backup C2)
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

### File Indicators
- C:\Users\Public\svchost.exe
- C:\ProgramData\AppData\config.dat

### Registry Indicators
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate

## Recommended Actions

**Immediate:**
☐ Block C2 IPs at perimeter firewall
☐ Hunt for file hashes across enterprise
☐ Monitor for registry persistence keys
☐ Isolate affected systems

**Short-term:**
☐ Deploy YARA rules for detection
☐ Update EDR signatures
☐ Conduct threat hunt for similar TTPs

**Long-term:**
☐ Share IOCs with ISAC/ISAO
☐ Submit to MISP platform
☐ Update incident playbooks

Step 6.2: Sharing with Threat Intelligence Communities

Platforms:

• MISP - Malware Information Sharing Platform
• AlienVault OTX - Open Threat Exchange
• ThreatConnect - Threat intelligence platform
• VirusTotal - File submission and IOC checking

Export Formats:

• STIX 2.1 - Structured Threat Information Expression
• OpenIOC - Industry-standard IOC format
• YARA Rules - Pattern-based detection
• Sigma Rules - Log analysis signatures

Conclusion

This workflow provides a systematic approach to malware analysis, progressing from rapid triage to in-depth investigation. By following these stages, you can:

✅ Quickly assess threat severity (5-15 minutes) ✅ Identify packing and obfuscation (15-30 minutes) ✅ Extract IOCs without code execution (30-60 minutes) ✅ Decode hidden configurations (variable) ✅ Perform deep binary analysis (1-4 hours) ✅ Share intelligence with the community

Key Takeaways

1. Start Fast, Go Deep: Triage determines whether deep analysis is warranted
2. Static First: Extract maximum intelligence before detonation risks
3. Layered Approach: Each stage builds on previous findings
4. Tool Integration: Purpose-built tools accelerate each workflow stage
5. Share Intelligence: The community benefits from your findings

Next Steps in Your Malware Analysis Journey

For Beginners:

• Practice with known malware samples from MalwareBazaar
• Join communities like r/Malware
• Complete hands-on labs (TryHackMe, HackTheBox)

For Intermediate Analysts:

• Learn dynamic analysis and sandboxing (Cuckoo, Any.run)
• Study MITRE ATT&CK framework for TTP mapping
• Practice writing YARA rules for detection
• Contribute to open-source malware analysis tools

For Advanced Analysts:

• Specialize in specific malware families (APTs, ransomware, banking trojans)
• Develop custom analysis tools and automation
• Publish research and present at conferences (BSides, DEF CON)
• Mentor junior analysts and contribute to the community

Resources for Continued Learning

Books:

• Practical Malware Analysis by Michael Sikorski
• The Art of Memory Forensics by Michael Ligh
• Malware Data Science by Joshua Saxe

Training:

• SANS FOR610: Reverse-Engineering Malware
• Malware Analysis Bootcamp (TCM Security)
• GIAC Reverse Engineering Malware (GREM)

Tools Referenced in This Guide:

• Hash Generator - File hashing with threat intelligence integration
• File Magic Number Checker - File type verification
• Entropy Analyzer - Packing detection with Shannon entropy
• String Extractor - ASCII/Unicode extraction with IOC detection
• Malware Deobfuscator - Multi-layer decoding and XOR brute force
• Hex Editor - Binary file examination and editing
• Machine Code Disassembler - Multi-architecture disassembly
• Unix Timestamp Converter - Windows FILETIME and Unix timestamp conversion

Stay Current with Evolving Threats

Malware analysis is a constantly evolving discipline. Threat actors continuously develop new evasion techniques, packing methods, and obfuscation strategies. By mastering this workflow and staying engaged with the security community, you'll be prepared to analyze and defend against emerging threats.

Remember: Every malware sample you analyze contributes to collective defense. Share your findings, refine your techniques, and never stop learning.

Happy hunting, and stay safe out there.

About This Guide

This comprehensive workflow guide is based on industry best practices from leading security organizations including CrowdStrike, Fortinet, and Mandiant. All tools referenced are free, open-access utilities designed with privacy-first, client-side processing—no data leaves your browser.

InventiveHQ provides these educational tools to help security professionals, SOC analysts, and incident responders build their malware analysis skills. Whether you're just starting in cybersecurity or are an experienced analyst, these tools are designed to make static analysis accessible and efficient.

Sources & Further Reading

• CrowdStrike: Malware Analysis Workflow
• Fortinet: Types and Stages of Malware Analysis
• UpGuard: Cybersecurity Triage Process
• MDPI: Packer Detection Using Entropy Analysis
• ANY.RUN: Packers and Crypters in Malware
• Mandiant: Extracting Obfuscated Strings with FLOSS
• GeeksforGeeks: Static Malware Analysis
• Medium: Extracting IOCs Using Basic Static Analysis