Malware analysis is the process of understanding how malicious software works — what it does, how it spreads, what systems it targets, and how to detect it. Security analysts, incident responders, and threat intelligence teams analyze malware to build better defenses. This guide covers basic static and dynamic analysis techniques accessible to beginners.
Types of Malware Analysis
Static analysis: Examine the malware file without executing it. Safer, but packed or obfuscated samples reveal little this way until they are unpacked.
- Hash identification, string extraction, PE header analysis, disassembly
Dynamic analysis: Execute the malware in a controlled environment and observe behavior.
- File system changes, registry modifications, network connections, process spawning
Combined: Most real analysis uses both — static to understand structure, dynamic to confirm behavior.
Safety First: Isolated Analysis Environments
Never analyze malware on your primary system or a networked production machine.
Safe analysis environments:
- Isolated VM: VMware or VirtualBox VM with networking disabled (or on an isolated host-only network), shared folders and clipboard sharing turned off, and a clean snapshot to revert to after every run
- Online sandbox: Upload samples to cloud-based analysis services. Convenient, but the sample and the report are usually visible to other users, including the attacker, so never upload files that contain internal data
- REMnux: Dedicated Linux distro pre-configured for malware analysis
Online Sandboxes: Any.run
Any.run (any.run) is an interactive online sandbox: unlike fully automated services you can interact with the malware in real time while it executes in a cloud VM, clicking through dialogs and watching process activity, network traffic and system changes live. Tasks submitted on the free plan are public, so anyone (the malware operator included) can see your sample and your results.
Using Any.run (Free Tier)
- Visit any.run
- Click Run Sample
- Upload a suspicious file or paste a URL
- Choose the OS image (Windows 7, 10 and 11 are listed; not every image is available on the free tier)
- Click Run and watch execution in real time; because the session is interactive you can dismiss installer prompts or fake error dialogs that would stall an automated run
What you see:
- Process tree: Which processes are created (key indicators of malicious chains)
- Network activity: DNS queries, HTTP/HTTPS connections, data exfiltrated
- File system events: Files created, modified, deleted
- Registry modifications: Persistence mechanisms, configuration changes
- Threats detected: Any.run flags known malicious behaviors with ATT&CK technique labels
Reading Any.run Results
ATT&CK tags: Any.run labels behaviors with MITRE ATT&CK technique IDs (e.g., T1059 — Command and Scripting Interpreter). These map malware behavior to known attacker techniques.
Network indicators: IP addresses and domains the malware communicates with. Separate them from the VM's own background traffic (Windows telemetry, update checks, the sandbox gateway) before using them for threat intelligence or blocking.
Dropped files: Any files the malware creates — download for further analysis.
Screenshots: Visual evidence of malware UI (ransomware notes, fake alerts).
Other Sandboxes
- VirusTotal: Scan hashes or files against 70+ AV engines + basic behavioral analysis
- Joe Sandbox: Professional-grade automated analysis
- Hybrid Analysis (CrowdStrike): Free, detailed behavioral reports
- Triage (Hatching): Fast automated analysis with good coverage
Static Analysis: Basic Techniques
File Hashing
The first step: generate hashes to identify the sample and search threat intel databases.
# Linux
md5sum malware.exe
sha256sum malware.exe
# Windows PowerShell
Get-FileHash malware.exe -Algorithm SHA256
Search the SHA256 hash on VirusTotal, Hybrid Analysis, and MalwareBazaar. A cryptographic hash only matches the identical file: a recompiled or repacked variant gets a new hash, so relatives are found with fuzzy hashes (ssdeep) or the import hash (imphash) instead.
String Extraction
Readable strings within a binary reveal URLs, IP addresses, registry keys, file paths, command lines and sometimes debug messages or PDB paths:
# Linux
strings malware.exe | grep -i "http\|ftp\|\.com\|\.exe\|cmd\|powershell"
# Or with FLOSS (FireEye's string extractor — handles obfuscated strings)
floss malware.exe
Note that strings only reports ASCII by default; run it again with -e l to catch UTF-16LE (wide) strings, which Windows binaries use for most of their text. FLOSS reports both encodings and, by emulating the sample's decoding routines, also recovers stack strings, tight strings and strings that are only decrypted at runtime, so it often exposes a C2 address that plain strings misses.
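As an added example (not from the original guide), the following script does the same first-pass triage with only the Python standard library: it computes the hashes you would search for, then extracts both ASCII and UTF-16LE strings and filters them with the same keywords as the grep above. The sample bytes are constructed for the demo, not a real binary.

```python
import hashlib
import re

# Constructed stand-in for a sample (not real malware): binary junk around an
# ASCII URL, a UTF-16LE registry path and a UTF-16LE PowerShell command line.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\xff\xfe"
    + b"http://203.0.113.5/update.php\x00"
    + b"\x01\x02\x03"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00\x7f"
    + "powershell -nop -w hidden -enc".encode("utf-16-le")
    + b"\x00\x00ab"  # two printable bytes: below the minimum string length
)

# Same keywords as the grep above, plus the Run key used for persistence.
SUSPICIOUS = re.compile(r"http|ftp|\.com|\.exe|cmd|powershell|CurrentVersion\\Run", re.I)


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256: the keys accepted by VirusTotal, Hybrid Analysis and MalwareBazaar."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 6):
    """Yield (encoding, offset, text) for every printable run of at least min_len
    characters, in ASCII and in UTF-16LE (each character followed by a NUL byte).
    `strings` without -e l would miss the UTF-16LE ones."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield "ascii", m.start(), m.group().decode("ascii")
    for m in wide_re.finditer(data):
        yield "utf-16le", m.start(), m.group().decode("utf-16-le")


def interesting_strings(data: bytes, min_len: int = 6) -> list:
    """Strings worth a second look, i.e. those matching the SUSPICIOUS keywords."""
    return [s for s in extract_strings(data, min_len) if SUSPICIOUS.search(s[2])]


if __name__ == "__main__":
    for algo, digest in file_hashes(SAMPLE).items():
        print(f"{algo:8} {digest}")
    for enc, off, text in interesting_strings(SAMPLE):
        print(f"{off:#08x} {enc:8} {text}")
```

On the constructed sample the ASCII pass finds only the URL; the registry path and the PowerShell command line appear only in the UTF-16LE pass, which is exactly the blind spot of a default strings run.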
PE Header Analysis
Portable Executable (PE) headers for Windows executables contain compilation timestamps, import/export tables, and section information:
# Using pefile (Python library)
pip3 install pefile --break-system-packages
python3 -c "
import datetime, pefile
pe = pefile.PE('malware.exe')
# Compile timestamp: trivial to forge, but a date in the future or in 1970 is itself a tell
ts = pe.FILE_HEADER.TimeDateStamp
print('Compiled:', datetime.datetime.fromtimestamp(ts, datetime.timezone.utc))
print('Sections:')
for s in pe.sections:
    name = s.Name.rstrip(b'\x00').decode(errors='ignore')
    print(f'  {name:8} raw={s.SizeOfRawData:#x} virt={s.Misc_VirtualSize:#x} entropy={s.get_entropy():.2f}')
print('Imports:')
# Packed samples often have no import directory at all, so do not assume the attribute exists
for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):
    print(f'  {entry.dll.decode()}')
    for imp in entry.imports:
        if imp.name:
            print(f'    {imp.name.decode()}')
"
Suspicious imports to look for: CreateRemoteThread, VirtualAllocEx, WriteProcessMemory (process injection); RegSetValueEx (persistence via the registry); WinHttpOpen, InternetOpenUrl, URLDownloadToFile (network). The absence of imports is a signal too: a packed sample typically imports little more than LoadLibrary and GetProcAddress and resolves everything else at runtime, usually from a section whose entropy is close to 8.0. pe.get_imphash() returns the import hash that VirusTotal uses to cluster samples that share an import table.
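To show what these header checks look like without pefile, and why a sample with almost no imports deserves attention, here is an added example (not from the original guide) that parses the COFF header and section table with struct, computes per-section Shannon entropy and flags the classic packing indicators. It builds a minimal two-section PE image in memory for the demo; that image is constructed for illustration and is not an executable you could run.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Section names a normal MSVC/MinGW build produces; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, SymTab ptr, NumSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Read the fields the guide lists (timestamp, sections) straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    sec_table = coff + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, sec_table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\x00").decode("latin-1"),
            "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "executable": bool(flags & 0x20000000),
        })
    return {
        "machine": hex(machine),
        "timestamp": timestamp,
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "sections": sections,
    }


def packing_indicators(info: dict) -> list:
    """Heuristics that usually mean the real code only appears at runtime."""
    findings = []
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted data)")
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"{s['name']}: non-standard section name")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: empty on disk, {s['vsize']:#x} bytes in memory (unpacks at runtime)")
    return findings


def build_demo_pe() -> bytes:
    """Constructed two-section PE image for the demo: a NOP-filled .text and a
    UPX1 section full of pseudo-random bytes standing in for packed code."""
    sections = [(b".text", b"\x90" * 512),
                (b"UPX1", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32)))]
    opt_size, align = 224, 512                       # PE32 optional header size, file alignment
    header_len = 64 + 4 + struct.calcsize(COFF_FMT) + opt_size + 40 * len(sections)
    first_raw = -(-header_len // align) * align      # round up to the file alignment
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)              # e_lfanew: PE header right after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 1577836800, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    headers, body, rawptr = b"", b"", first_raw
    for name, data in sections:
        padded = data + b"\x00" * (-len(data) % align)
        headers += struct.pack(SECTION_FMT, name, len(data), 0x1000, len(padded), rawptr,
                               0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
        rawptr += len(padded)
        body += padded
    image = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + headers
    return image + b"\x00" * (first_raw - len(image)) + body


if __name__ == "__main__":
    info = parse_pe(build_demo_pe())
    print("compiled:", info["compiled"])
    for s in info["sections"]:
        print(f"  {s['name']:8} raw={s['rawsize']:#6x} virt={s['vsize']:#6x} entropy={s['entropy']}")
    for f in packing_indicators(info):
        print("  !", f)
```

Run against a real sample, parse_pe(open(path, "rb").read()) gives the same fields pefile prints; the entropy rule and the section-name allowlist are the two checks worth carrying into any triage script, since together they catch most packers before you even look at the imports.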
REMnux: Dedicated Malware Analysis Linux
REMnux (remnux.org) is a free Linux distribution pre-loaded with hundreds of malware analysis tools:
- Static: FLOSS, Detect-It-Easy (file type, compiler and packer identification), pe-tree
- Dynamic and network: INetSim (fake internet services), FakeNet-NG, Wireshark, mitmproxy
- Forensics: Volatility, bulk_extractor, log2timeline
- Document analysis: olevba (Office macro extraction), oledump, pdfid, pdf-parser
Installation
Download the OVA (virtual machine image) from remnux.org and import it into VirtualBox or VMware.
REMnux is the analysis station, not the detonation box: Windows malware is run in a separate Windows VM. For isolated dynamic analysis put both VMs on the same host-only (or VirtualBox internal) network with no route to the real internet, point the Windows VM's default gateway and DNS server at the REMnux address, and run INetSim or FakeNet-NG there so the malware's DNS lookups, HTTP requests and beacons get plausible answers while you capture them with Wireshark. Host-only networking still lets the VMs reach the host's virtual adapter, so keep nothing listening on it.
Analyzing Office Documents
Phishing often delivers malicious Office documents. Analyze macros without opening the file in Office:
# Extract and analyze macros from Word/Excel documents (.doc, .docm, .xls, .xlsm; a .docx cannot carry VBA at all)
olevba suspicious.doc
# olevba prints the macro source plus an analysis table: AutoExec triggers (AutoOpen, Document_Open, Workbook_Open), suspicious keywords (Shell, WScript.Shell, powershell, URLDownloadToFile, CreateObject), IOCs (URLs, IPs, executable names) and obfuscation hints (Chr, StrReverse, hex strings)
PDF Analysis
# Analyze PDF structure and extract JavaScript
pdfid suspicious.pdf # Counts the risky keywords, even when a name is hidden with #xx hex escapes
pdf-parser suspicious.pdf --stats # Detailed analysis
Look for /JS and /JavaScript, /AA and /OpenAction (actions that fire automatically when the document or a page opens), /Launch (run a program) and /EmbeddedFile. A non-zero count is a reason to dig in, not proof of malice, since legitimate forms use JavaScript too. Use pdf-parser --search to locate the objects that carry a keyword and --object N --filter to decode the stream they point to.
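The counting that pdfid does can be reproduced in a few lines, which is a good way to understand what its numbers mean and the one trick it has to handle: PDF names may use #xx hex escapes, so /Java#53cript is the same name as /JavaScript and a naive grep misses it. The example below is added here (it is not from the original guide or from Didier Stevens' tools) and runs on a constructed minimal PDF.

```python
import re

# The keywords pdfid reports, in the order they appear in its output.
KEYWORDS = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
            "/EmbeddedFile", "/ObjStm", "/AcroForm", "/XFA"]

# Keywords whose presence alone is worth a closer look.
ACTION_KEYWORDS = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/EmbeddedFile")

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed minimal PDF: a catalog with an OpenAction and a page with an
# additional-actions (/AA) entry, both pointing at a JavaScript action whose
# name is obfuscated with a hex escape. Not a real malicious sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /Type /Action /S /Java#53cript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /Java#53cript counts as /JavaScript.
    Applied to the whole file for simplicity, so a '#' inside binary stream
    data can in rare cases be rewritten too; pdfid accepts the same trade-off."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Occurrences of each keyword after name normalization."""
    norm = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        # A name ends at whitespace or a delimiter, so /JS must not match inside /JSX.
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pattern, norm))
    return counts


def triage(data: bytes):
    """Return (counts, flagged keywords) for a PDF's bytes."""
    counts = count_keywords(data)
    flags = [kw for kw in ACTION_KEYWORDS if counts[kw]]
    return counts, flags


if __name__ == "__main__":
    counts, flags = triage(SAMPLE_PDF)
    for kw, n in counts.items():
        print(f"{kw:14} {n}")
    print("flagged:", ", ".join(flags) or "nothing")
```

For a real file call triage(open(path, "rb").read()). Without normalize_names the /JavaScript count for the sample would be 0, which is precisely the evasion the hex escape is meant to achieve.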
Building a Malware Analysis Report
Document for every sample:
- Identification: Filename, hashes (MD5, SHA256), file type
- Static analysis: Strings, imports, compilation timestamp, PE sections
- Dynamic behavior: Processes, network, files, registry changes
- IOCs (Indicators of Compromise): IP addresses, domains, file paths, registry keys, hashes
- Classification: Known family if VirusTotal and sandbox labels agree (AV labels are inconsistent, and a family name is not attribution to an actor)
Share IOCs via MISP or OpenCTI platforms if contributing to threat intelligence communities.
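Added example (not from the original guide): turning sandbox output into shareable IOCs. Sandbox network logs contain the victim VM's own noise (the hypervisor gateway, Windows telemetry) that must not end up on a blocklist, and IOCs pasted into a report should be defanged so nobody follows them by accident. The report dictionary below is a constructed stand-in with a generic shape; it is not Any.run's export format, and the domain and addresses are documentation values, not real infrastructure.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sandbox-style output (generic shape, not Any.run's real schema).
# 10.0.2.2 is the VirtualBox NAT gateway and settings-win.data.microsoft.com is
# Windows telemetry: both are noise from the VM, not attacker infrastructure.
REPORT = {
    "dns": ["cdn.example-updates.net", "settings-win.data.microsoft.com"],
    "connections": ["203.0.113.5:443", "10.0.2.2:53", "198.51.100.77:8080"],
    "http": ["http://203.0.113.5/update.php?id=1"],
    "files": ["C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"],
    "registry": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"],
}

# Domains the analysis VM talks to on its own; extend this list for your image.
BENIGN_DOMAIN_SUFFIXES = (".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")

# Networks that are never an external IOC. An explicit list is used rather than
# ipaddress.is_private because that also covers the RFC 5737 documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) standing in for attacker hosts here.
LAB_NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7")]


def is_external_ip(value: str) -> bool:
    """True for a syntactically valid address outside the lab-noise networks."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in LAB_NOISE_NETS)


def defang(ioc: str) -> str:
    """hxxp:// and [.] so the indicator cannot be followed with a click."""
    if "://" in ioc:
        p = urlsplit(ioc)
        url = f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}"
        return url + (f"?{p.query}" if p.query else "")
    return ioc.replace(".", "[.]")


def extract_iocs(report: dict) -> dict:
    """Collect de-duplicated IOCs per type, dropping VM noise."""
    iocs = {"ips": set(), "domains": set(), "urls": set(), "files": set(), "registry": set()}
    for name in report["dns"]:
        if not name.lower().endswith(BENIGN_DOMAIN_SUFFIXES):
            iocs["domains"].add(name)
    for conn in report["connections"]:
        host, _, _port = conn.rpartition(":")
        if is_external_ip(host):
            iocs["ips"].add(host)
    for url in report["http"]:
        iocs["urls"].add(url)
        host = urlsplit(url).hostname or ""
        if is_external_ip(host):
            iocs["ips"].add(host)
    iocs["files"].update(report["files"])
    iocs["registry"].update(report["registry"])
    return {k: sorted(v) for k, v in iocs.items()}


def defanged_iocs(report: dict) -> dict:
    """Network IOCs defanged for the report; host artefacts (paths, keys) left as they are."""
    return {k: [defang(v) if k in ("ips", "domains", "urls") else v for v in vals]
            for k, vals in extract_iocs(report).items()}


if __name__ == "__main__":
    for kind, values in defanged_iocs(REPORT).items():
        for v in values:
            print(f"{kind:9} {v}")
```

The benign-domain list is the part that needs tuning per sandbox image: run a clean snapshot for a few minutes, collect every domain it contacts on its own, and add those before trusting any "network indicators" section.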
Malware analysis is a deep skill set; this introduction covers the tools and concepts for first-level triage. For deeper reverse engineering, explore IDA Pro (commercial), Ghidra (free, from the NSA), the resources at malwareanalysistutorials.com and the book Practical Malware Analysis by Sikorski and Honig.