Module 2 · Static Malware Analysis — Strings, Imports, YARA

Manish Garg, Associate of (ISC)² · RingSafe
May 14, 2026
3 min read
100% Free

No signup. No paywall. No catch. One of our 10 most-requested practitioner modules — published in full so anyone can learn for free. We earn through consulting, not by gating knowledge.


Why this module exists. Static analysis is the first pass on any malware sample — what you can learn without executing it. Strings, PE/ELF header inspection, imports, embedded resources, and YARA rules surface 70% of what the sample is going to do. This module is the operational workflow: tools, what to look for, and when to escalate to dynamic analysis.

Running unknown malware on your laptop is how new IR responders become old IR responders. Static analysis is the lower-risk first cut: you learn whether the sample is interesting, what platform and architecture it targets, and what plausible behaviour it has — before you commit a sandbox to it.

The five-minute triage

# 1. What is it?
file sample.bin
# PE32+ executable (console) x86-64, for MS Windows
# OR
# ELF 64-bit LSB shared object, x86-64, dynamically linked

# 2. Hash it — match against VT, Hybrid Analysis, MalwareBazaar
sha256sum sample.bin
# Compare against public threat intel; known sample saves hours

# 3. Strings — interesting embedded text
# (ERE inside single quotes: escape the dot once and the backslash once, not twice)
strings -n 8 sample.bin | grep -iE 'http|\.exe|cmd|powershell|c:\\|tmp|registry|admin'
# Look for: C2 URLs, dropper paths, command snippets, registry keys

# 4. Imports / exports
# Windows: pefile is a Python library with no standalone CLI, so call it from Python
python3 -c 'import pefile,sys; pe=pefile.PE(sys.argv[1]); [print(e.dll.decode(), [i.name or i.ordinal for i in e.imports]) for e in getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])]' sample.bin
# Linux
readelf -d sample.bin | grep NEEDED

# 5. Compile timestamp + sections (section entropy near 8.0 bits/byte suggests packed or encrypted data)
python3 -c 'import pefile,sys,datetime; pe=pefile.PE(sys.argv[1]); print("compiled:", datetime.datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp, datetime.timezone.utc)); [print(s.Name.rstrip(b"\0").decode(), hex(s.VirtualAddress), s.SizeOfRawData, round(s.get_entropy(), 2)) for s in pe.sections]' sample.bin
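Steps 1 to 5 above folded into one pure-Python pass, added here as an example and not RingSafe's or the module's own code: a minimal hand-rolled PE reader (DOS stub, PE signature, COFF header, section table), the SHA-256, the same `strings -n 8` extraction and keyword filter as step 3 (plus UTF-16LE strings, which plain `strings` misses), and a per-section entropy check used to decide whether the sample goes on to dynamic analysis. With no argument it runs on a constructed, non-executable PE-shaped byte string built inline. The 7.0 bits/byte packing threshold, the UPX section-name check and the sample contents are my assumptions; imports are not parsed here (that is what pefile is for).

```python
# Added example, not the module's code. Pure stdlib: no pefile, no yara.
import hashlib, math, re, struct
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_FILE_DLL = 0x2000
ASCII_RE = re.compile(rb"[\x20-\x7e]{8,}")           # same as `strings -n 8`
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")    # UTF-16LE strings (Windows APIs love these)
# Keyword set from step 3 above; backslashes escaped once for the regex engine
INTERESTING = re.compile(r"http|\.exe|cmd|powershell|c:\\|tmp|registry|admin", re.I)
PACKED_ENTROPY = 7.0   # assumed threshold: above this a section reads as compressed/encrypted


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for random data, roughly 4-6 for code and text."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Read the DOS stub, PE signature, COFF header and section table (no optional header fields)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    for i in range(nsec):
        off = coff + 20 + opt_size + 40 * i           # section headers follow the optional header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sec_chars = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "vaddr": hex(vaddr), "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2),
                         "executable": bool(sec_chars & IMAGE_SCN_MEM_EXECUTE)})
    return {"machine": MACHINES.get(machine, hex(machine)),
            "dll": bool(chars & IMAGE_FILE_DLL),
            "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "sections": sections}


def extract_strings(data: bytes) -> list:
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strs = [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return ascii_strs + wide_strs


def triage(data: bytes) -> dict:
    """Steps 1-5 in one pass, plus a go/no-go for escalating to a sandbox."""
    info = parse_pe(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()     # step 2: look this up before doing more work
    info["interesting_strings"] = [s for s in extract_strings(data) if INTERESTING.search(s)]
    flags = []
    for s in info["sections"]:
        if s["entropy"] > PACKED_ENTROPY:
            flags.append(f"{s['name']}: entropy {s['entropy']} bits/byte, likely packed or encrypted")
        if s["name"].upper().startswith("UPX"):
            flags.append(f"{s['name']}: UPX-style section name")
    info["flags"] = flags
    # Packed code hides its real strings and imports from static tools, so dynamic analysis is next.
    info["escalate_to_dynamic"] = bool(flags)
    return info


def build_sample() -> bytes:
    """Constructed PE-shaped bytes for the demo: a low-entropy .text section holding a few
    strings and a high-entropy 'UPX1' section. Headers only; this is not a runnable program."""
    text = (b"http://example.invalid/gate.php\0" b"cmd.exe /c whoami\0"
            b"C:\\Users\\Public\\update.exe\0" b"Hello from a boring string\0")
    blob, chunk = b"", b"seed"
    while len(blob) < 4096:                            # SHA-256 chain: deterministic, near 8 bits/byte
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    secs = [(b".text", text, 0x60000020), (b"UPX1", blob, 0xE0000040)]
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, len(secs), 1700000000, 0, 0, 0, 0x0022)
    body = bytearray()
    for i, (name, raw, chars) in enumerate(secs):
        off = 0x44 + 20 + 40 * i                                  # SizeOfOptionalHeader is 0 here
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, len(raw), 0x1000 * (i + 1), len(raw), len(hdr) + len(body))
        struct.pack_into("<I", hdr, off + 36, chars)
        body += raw
    return bytes(hdr + body)


if __name__ == "__main__":
    import json, sys
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(sample), indent=2))
```

Run it with a path to get the triage as JSON; with no path it triages the built-in sample, reports x86-64, the three matching strings and the high-entropy UPX1 section, and sets escalate_to_dynamic. The entropy threshold does the real work: a section near 8.0 bits/byte means the strings and imports you see statically are the unpacker's, not the payload's, which is exactly the signal to stop reading and move to a sandbox.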