Malware Analysis: Tips, Tools, and Techniques

Written by Hornetsecurity / 18.05.2023

Malware often contains features designed to evade detection by antivirus and other email security tools. In this article, we review best practices for malware analysis and provide the tips, malware tools, and knowledge you need for starting an analysis.

What is malware analysis and what does it entail?

Malware analysis is a broad, highly technical field that requires significant experience and expertise for analyzing sophisticated malware. Still, MSPs and admins can benefit from learning the basic steps of analyzing malware. This process applies to the analysis of malicious executables rather than the analysis of droppers (e.g., JS dropper, PDF dropper).

Two forms of malware analysis exist for malicious executables: static and dynamic. As its name implies, static analysis (also known as static binary analysis or source code analysis) examines computer code without executing a program. Alternatively, dynamic analysis examines the behavior of a program at runtime. Both forms of analysis offer complementary value and are often used in tandem when reversing malware. Both can also help admins in their threat investigation and incident response efforts.

Hornetsecurity provides advanced detection for evasive malware such as polymorphic, metamorphic, and environmentally aware variants. In addition to email filtering, Hornetsecurity’s Total Protection provides the malware tools and capabilities for analyzing threats safely and efficiently.

How to perform a static malware analysis

Use the following steps to perform a static analysis.

  • Start a collection of notes related to the current sample analysis. Use any documentation method you prefer, such as using a text file, spreadsheet, or mind map.
  • Document details of the analysis. This includes the location of any pertinent files on your operating system.
  • Fingerprint the sample by taking a hash of the file(s) found. This step is important even for polymorphic and metamorphic malware. While these malware variants can morph constantly in order to evade detection, in some cases the hash remains useful for comparison with existing malware threats reported by the cybersecurity community.
  • Classify the sample according to several characteristics when possible. This includes file type, format, target architecture, compiler used, etc.
  • Search for the executable type, DLLs called, exports, imports, strings, etc.
  • Document the details. Record the technical details (e.g., obfuscation, packing, encryption) and any indicators of compromise (IP addresses and domains).
  • Analyze the sample. If the sample is packed or encrypted, those protections may force you to switch to dynamic analysis in order to unpack or decrypt the malware.
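The fingerprinting, classification and strings/IoC steps above, worked as an added example (this is not Hornetsecurity's code): a small triage script that hashes a sample, reads the file type, PE format and target architecture straight from the DOS/COFF/optional headers without third-party libraries, and pulls URLs, IPv4 addresses and DLL names out of the printable strings for the analysis notes. The sample bytes it inspects are constructed inline and are a minimal header stub, not a real executable.

```python
import hashlib
import re
import struct

MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}  # COFF Machine values
FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}  # optional-header magic values

def build_sample():
    """Constructed stand-in for a sample: a minimal PE header plus a few strings (not a real binary)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: the PE signature lives at offset 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)  # x86-64, 3 sections
    opt = struct.pack("<H", 0x20B) + b"\0" * 0xEE  # optional header: PE32+ magic, rest zeroed
    body = b"\0" * 8 + b"http://example.invalid/c2\0\0\0\0ab\0kernel32.dll\0"
    return bytes(dos) + coff + opt + body

def fingerprint(data):
    """Hash the sample so it can be compared with community-reported threats."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def classify(data):
    """File type, PE format and target architecture read straight from the headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"type": "not-PE"}
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 26:
        return {"type": "MZ-only"}  # DOS stub with no (complete) PE header behind it
    machine, = struct.unpack_from("<H", data, pe_off + 4)
    magic, = struct.unpack_from("<H", data, pe_off + 24)  # optional header begins after 4+20 bytes
    return {"type": "PE", "format": FORMATS.get(magic, "unknown"),
            "arch": MACHINES.get(machine, hex(machine))}

def strings(data, min_len=4):
    """Printable ASCII runs: the raw material for DLL names and indicators."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def candidate_iocs(strs):
    """URLs, IPv4 addresses and DLL names worth carrying into the analysis notes."""
    joined = "\n".join(strs)
    return {"urls": re.findall(r"https?://[^\s'\"]+", joined),
            "ips": re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", joined),
            "dlls": sorted({m.lower() for m in re.findall(r"[\w.-]+\.dll\b", joined, re.I)})}

def triage(data):
    strs = strings(data)  # one notes entry covering the fingerprint, classification and IoC steps
    return {"fingerprint": fingerprint(data), "classification": classify(data),
            "string_count": len(strs), "iocs": candidate_iocs(strs)}

if __name__ == "__main__":
    print(triage(build_sample()))
```

Replace `build_sample()` with the bytes of a file read from disk to triage a real sample; the extracted URLs, IPs and DLL names are candidates for the notes and still need to be confirmed by hand.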

How to perform a dynamic malware analysis

After performing a static analysis of the malware, you can conduct a dynamic analysis using the following steps.

  • Start a collection of notes related to the current sample analysis. Use any documentation method you prefer, such as using a text file, spreadsheet, or mind map.
  • Document details of the analysis. This includes the location of any pertinent files on your operating system.
  • Fingerprint the sample by taking a hash of the file(s) found. This step is important even for polymorphic and metamorphic malware. While these malware variants can morph constantly in order to evade detection, in some cases the hash remains useful for comparison with existing malware threats reported by the cybersecurity community.
  • Classify the sample according to several characteristics when possible. This includes file type, format, target architecture, compiler used, etc.
  • Search for the executable type, DLLs called, exports, imports, strings, etc.
  • Document the details. Record the technical details (e.g., obfuscation, packing, encryption) and any indicators of compromise (IP addresses and domains).
  • Analyze the sample. If the sample is packed or encrypted, those protections may force you to switch to dynamic analysis in order to unpack or decrypt the malware.

Malware analysis with Hornetsecurity for M365

While a highly technical discipline, malware analysis is an important function of cybersecurity. In addition to offering advanced detection capabilities, Hornetsecurity’s Total Protection for M365 can help you safely diagnose malicious files and attachments and gather forensic evidence for your incident response activities.