Malware Analysis: Tips, Tools, and Techniques
Adrien Gendre
—May 18, 2023
—3 min read
Malware often contains features designed to evade detection by antivirus and other email security tools. In this article, we review best practices for malware analysis and provide the tips, malware tools, and knowledge you need for starting an analysis.
What is malware analysis and what does it entail?
Malware analysis is a broad, highly technical field that requires significant experience and expertise for analyzing sophisticated malware. Still, MSPs and admins can benefit from learning the basic steps of analyzing malware. This process applies to the analysis of malicious executables rather than the analysis of droppers (e.g., JS dropper, PDF dropper).
Two forms of malware analysis exist for malicious executables: static and dynamic. As its name implies, static analysis (also known as static binary analysis or source code analysis) examines computer code without executing a program. Alternatively, dynamic analysis examines the behavior of a program at runtime. Both forms of analysis offer complementary value and are often used in tandem when reversing malware. Both can also help admins in their threat investigation and incident response efforts.
Vade for M365 provides advanced detection for evasive malware such as polymorphic, metamorphic, and environmentally aware variants. In addition to email filtering, Vade for M365 provides the malware tools and capabilities for analyzing threats safely and efficiently.
File Inspector in Vade for M365
Vade for M365’s File Inspector reveals the malicious characteristics and elements of PDF and Microsoft Office files and attachments. It enables admins to safely inspect crucial information without risk of exposure, including:
- Hash
- Extensions
- URLs
- Images
- Objects
- Scripts
- Embedded files
Evidence collected by File Inspector can be used to cross-check threats, including malware code and suspicious links, and determine whether they have spread to other areas of a network. Files can also be manually uploaded to File Inspector for analysis.
How to perform a static malware analysis
Use the following steps to perform a static analysis.
- Start a collection of notes related to the current sample analysis. Use any documentation method you prefer, such as using a text file, spreadsheet, or mind map.
- Document details of the analysis. This includes the location of any pertinent files on your operating system.
- Fingerprint the sample by taking a hash of the file(s) found. This step is important even for polymorphic and metamorphic malware. While these malware variants can morph constantly in order to evade detection, in some cases the hash remains useful for comparison with existing malware threats reported by the cybersecurity community.
- Classify the sample according to several characteristics—when possible. This includes file type, format, target architecture, compiler used, etc.
- Search for the executable type, DLL’s called, exports, imports, strings, etc.
- Document the details. Document the technical details (e.g., obfuscation, packing, encryption) and eventually indicators of compromise (IP addresses and domains).
- Analyze the sample. Analyze the sample. If the sample is packed or encrypted, the protections may require you to try performing a dynamic analysis to unpack or decrypt the malware.
How to perform a dynamic malware analysis
After performing a static analysis of the malware, you can conduct a dynamic analysis using the following steps.
- Set up a lab environment. An easy and inexpensive way to set up a lab system relies on virtualization software like Oracle VM VirtualBox, Microsoft Hyper-V, and VMware Desktop Hypervisor Products. Another possibility is to run a distribution like REMnux (Linux Toolkit for Malware Analysts) inside a pre-built Docker container.
- Isolate the lab environment from sensitive networks. To prevent the compromise of other systems on a production network, compartmentalize both your lab and production networks. Best practice is to always avoid connecting these networks.
- Install analysis tools. For a Microsoft Windows environment, tools from the Sysinternals suite could be useful. Also, consider some of the following tools, which are helpful for certain analysis tasks: Process Explorer (helpful for monitoring process), Procmon (helpful for monitoring file system and registry changes), AutoRuns (useful for detecting common persistence trick to survive a reboot), SysMon (beneficial for monitoring and logging system activity to capture helpful details), and Wireshark (useful for monitoring network traffic).
- Install reverse-engineering tools. For malicious executables, it’s usually not possible to view the source code of the program. Consequently, to learn more about the function of malware, you must try reversing compiled Windows executables. Free and commercial tools exist like x64dbg, IDA pro or Ghidra for disassembling and debugging executables.
Malware analysis with Vade for M365
While a highly technical discipline, malware analysis is an important function of cybersecurity. In addition to offering advanced detection capabilities, Vade's email security solution for M365 can help you safely diagnose malicious files and attachments and gather forensic evidence for your incident response activities.