Static malware analysis is the process of examining a malicious file without executing it. Instead of running the malware in a sandbox, investigators analyze its structure, code, metadata, and embedded resources to understand its capabilities, behavior, and origins. This method is safe, controlled, and forms the foundation of every malware investigation.

Static analysis helps determine what a malware sample could do before dynamic analysis reveals what it actually does during execution.

What Is Static Malware Analysis?

Static analysis involves inspecting a malicious binary or script by looking at its code, strings, headers, metadata, and file structure.
Key benefits:

Safe (no execution required)
Fast initial triage
Reveals embedded domains, IPs, commands
Helps classify malware families
Provides signatures for threat hunting
Identifies obfuscation, encryption, or packing

Static analysis is the first step in a full malware investigation workflow.

Goals of Static Malware Analysis

Identify the malware type (worm, trojan, ransomware, RAT)
Determine indicators of compromise (IOCs)
Extract embedded configuration data
Identify strings, URLs, IPs, registry keys
Examine imports/exports
Detect anti-analysis or packing
Understand intended behavior
Classify malware family or variant

Types of Malware Suitable for Static Analysis

Windows PE files (.exe, .dll)
Linux ELF binaries
macOS Mach-O files
Office documents (macros)
JavaScript / Python / PowerShell scripts
APK files
PDFs containing malicious scripts

Nearly all malware types can be analyzed statically before execution.

Steps in Static Malware Analysis

1. File Identification

The first step is to determine what kind of file you're dealing with.

Tools:

file malware.exe
exiftool malware.exe

Helps identify:

PE/ELF/Mach-O
Script vs binary
Packing or compression
Architecture (32-bit/64-bit)

2. Hashing the Malware

Generate cryptographic hashes for integrity and searching threat databases.

md5sum malware.exe
sha256sum malware.exe

Uses:

Check if sample is known (VirusTotal, Hybrid Analysis)
Store in evidence database
Detect similar samples

3. Examine File Structure

For Windows PE files:

Use tools:

PEStudio
ExeInfoPE
PEiD
Detect It Easy (DIE)

Look at:

Section names (.text, .rdata, .data)
Abnormal sections (e.g., .upsx, .packed)
Section entropy
Imports / exports

High entropy indicates:

Packing
Encryption
Compression

4. String Analysis

Extracting strings is one of the fastest ways to gain intelligence.

Tools:

strings
FLOSS (by Mandiant)
BinText

Look for:

Domain names
IP addresses
URLs
File paths
Registry keys
Commands
Error messages
Encryption keys
Malware config data

Example:

strings malware.exe | grep http

5. Import Table Analysis

Malware’s import table reveals its capabilities.

Common suspicious imports:

CreateRemoteThread
VirtualAlloc / VirtualProtect
InternetOpen / HttpSendRequest
WriteProcessMemory
RegSetValue
WSASocketA

If imports look hidden or minimal → malware may be packed.

6. Export Table Analysis

For DLL malware:

Look for suspicious exported functions
Abnormal names or random strings

Example:

DllRegisterServer used by DLL-based malware

7. Analyzing Resources

Malware often embeds:

Icons
Images
Strings
Configuration files
Encrypted payloads
Dropper executables

Tools:

Resource Hacker
PEStudio

8. Entropy Analysis

Entropy measures randomness.
High entropy usually means packing or encryption.

Tools:

DIE (Detect It Easy)
PEStudio
binwalk

Indicators:

7.2 entropy = suspicious
Compression algorithms present

9. Certificate & Signature Analysis

Malware sometimes uses:

Stolen certificates
Expired certificates
Fake/self-signed certs

Tools:

signtool verify /pa malware.exe

Look for mismatches between:

Publisher
Certificate issuer
File properties

10. YARA Rule Matching

Use existing YARA signatures to classify malware families.

Tools:

yara rules.yar malware.exe

YARA helps:

Detect malware families
Identify packing runtimes
Extract code reuse patterns

Signs That Malware Is Packed or Obfuscated

Single import: LoadLibraryA, GetProcAddress
Very few strings
High entropy (>7.5)
Unusual section names
Compressed code regions
Small file size with complex behavior

Packed samples require unpacking before full static analysis.

Tools Commonly Used in Static Analysis

Windows

PEStudio
x64dbg (for pre-execution inspection)
DIE (Detect It Easy)
Resource Hacker
HashCalc
PEiD
BinText
FLOSS

Cross-Platform

Ghidra
IDA Free
Radare2
VirusTotal
Hybrid Analysis

Scripts

Python-based static scanners
YARA rulesets

What Static Analysis Cannot Reveal

Actual runtime behavior
Network communication patterns
Process injection behavior
Real-time persistence creation
Payloads decrypted only in memory
Second-stage downloads
System modifications

That’s why static analysis is paired with dynamic analysis.

Intel Dump

Static malware analysis safely examines a file without executing it, providing early insights into malware behavior and capabilities.
Techniques include hashing, identifying file type, inspecting PE/ELF structure, analyzing strings, checking imports/exports, reviewing resources, and measuring entropy.
Tools like PEStudio, Detect It Easy, FLOSS, Ghidra, IDA, and YARA help extract strings, detect packers, identify suspicious API calls, and classify malware families.
Indicators like high entropy, minimal imports, odd section names, and hidden strings strongly suggest packed or obfuscated malware.
Static analysis provides IOCs, classification, embedded configuration, and behavioral expectations but must be combined with dynamic analysis for full understanding.