Static Malware Analysis
Static analysis consists of analyzing the suspect file without executing it. It involves extracting useful information that helps decide where to focus subsequent analysis efforts. Below are some of the checks an analyst should perform when doing static malware analysis.
1. Identify the File Type
Identifying the file type helps to understand the file format: whether it is a PE (portable executable), Word document, PDF, DMG file, or any other file type. Depending on the file type, the analysis steps may differ. Knowing the file type also helps to identify the malware's target operating system (Windows, Mac and so on). For example, if the file type is PE (the file format for Windows executable files: exe, dll, sys, com etc.), then we can deduce that the file is designed to target Windows OS.
To correctly identify the file type, one should not rely only on the file extension (which can be masked) but also check the file signature (a unique sequence of bytes written to the file's header). For example, the bytes "4D 5A" at the start of a file indicate a Windows .exe file.
2. Analyze the File Properties
Following are the important File Properties that should be looked into when doing static analysis:
File Path – Suspicious File Paths to look for are: %TEMP%, %APPDATA%, %LOCALAPPDATA%
File Size – A file of 0 bytes or only a few KB is more suspicious than a file of several MB
File Signature – A signed file is more trusted than an unsigned file
File Hash – Compute the file hash (e.g. MD5) to obtain a unique identifier for the file
3. Check for File Prevalence
If the same file is found on 85 percent of other Windows systems, there is a high probability that it is benign (exception: ransomware). An unknown file found on only 2 percent of Windows systems, on the other hand, could be the result of a successful phishing campaign.
File Last Found: The attacks an analyst needs to worry about most are the ones still going on, so recent occurrences are more likely to be malicious than older ones.
AV Scanning: Searching for the file hash on VirusTotal helps an analyst to know:
Whether the file has been processed before
Whether it matches any known benign files
Whether it matches any known malicious files
4. Extracting Strings
5. PE Header-Based Analysis
If the suspect file is a Windows executable, analyzing the PE headers and sections can yield a lot of valuable information about the file. Benign files contain the basic section names such as .text, .data, .rsrc, etc., or other meaningful names like .shared, .page etc. A file with unknown section names, or with UPX0 and UPX1 sections (indicative of a packer), can be suspicious.
In the PE headers, an analyst should look at the values of size-of-initialized-data, size-of-uninitialized-data, image version, and checksum. In some malicious files these values are set to zero.
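As an added example (not code from the original article), the following Python script combines the file-signature check from section 1, the hashes from section 2 and the PE header and section-name checks from this section, using only the standard library. The header offsets follow the documented PE32/PE32+ layout; the sample PE is a constructed, headers-only image, and the build_sample_pe helper and the COMMON_SECTIONS list are this example's own assumptions.

```python
import hashlib
import struct

# Magic bytes for a few common file types (the "file signature" check from section 1).
MAGIC = {b"MZ": "PE", b"%PDF": "PDF", b"PK\x03\x04": "ZIP/OOXML", b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office)"}
# Optional-header offsets (from its Magic field) that are the same for PE32 and PE32+.
OPT_FIELDS = {"SizeOfInitializedData": (8, "<I"), "SizeOfUninitializedData": (12, "<I"),
              "MajorImageVersion": (44, "<H"), "MinorImageVersion": (46, "<H"), "CheckSum": (64, "<I")}
COMMON_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".bss", ".idata", ".edata", ".pdata", ".tls"}

def triage(data: bytes) -> dict:
    """Identify the type by signature, hash the bytes and, for PE files, read header fields and sections."""
    report = {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(), "flags": []}
    report["type"] = next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")
    if report["type"] != "PE":
        return report
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        report["type"] = "MZ without PE signature"
        return report
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # optional header follows the COFF header
    report["fields"] = {n: struct.unpack_from(f, data, opt + o)[0] for n, (o, f) in OPT_FIELDS.items()}
    names = [struct.unpack_from("8s", data, opt + opt_size + 40 * i)[0] for i in range(nsections)]
    report["sections"] = [n.rstrip(b"\0").decode("ascii", "replace") for n in names]
    # Heuristics from section 5; a zero CheckSum/ImageVersion also occurs in legitimate builds, so weak signal.
    if all(v == 0 for v in report["fields"].values()):
        report["flags"].append("all checked optional-header fields are zero")
    unusual = [s for s in report["sections"] if s not in COMMON_SECTIONS]
    if unusual:
        report["flags"].append("unusual section names: " + ", ".join(unusual))
    if any(s.upper().startswith("UPX") for s in report["sections"]):
        report["flags"].append("UPX section names (packed)")
    return report

def build_sample_pe(section_names, zero_fields: bool) -> bytes:
    """Constructed minimal PE32 (headers only, no code) so the example runs without a real sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew at 0x3C points to offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                  # PE32 optional header incl. data directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    if not zero_fields:
        struct.pack_into("<II", opt, 8, 0x1000, 0x200)    # SizeOfInitializedData, SizeOfUninitializedData
        struct.pack_into("<H", opt, 44, 1)                # MajorImageVersion
        struct.pack_into("<I", opt, 64, 0xABCD)           # CheckSum
    secs = b"".join(struct.pack("<8s32x", n.encode()) for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs
```

Run triage() on the bytes of a real suspect file to get the same report; the flags are starting points for further analysis, not a verdict.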
There is a lot of other information that can be obtained from the PE header of a file, but discussing it is beyond the scope of this article. From a static malware analysis point of view, checking all the points discussed above can help a lot in understanding and analyzing any suspected malicious file.