---
name: malware-report-writer
description: Create professional malware analysis reports for enterprise security teams and incident response. Use when you need to write, structure, or improve a malware analysis report, produce executive summaries, author YARA rules, or format IOCs and detection rules for professional delivery.
---

# Malware Report Writer

Create professional, comprehensive malware analysis reports for enterprise security teams, incident response, and threat intelligence.

## When to Use This Skill

Use this skill when the user needs to:

- Create a complete malware analysis report from analysis findings
- Structure analysis results into professional documentation
- Write executive summaries for malware samples
- Format IOCs and detection rules for delivery
- Review or improve existing malware reports
- Prepare report documentation for stakeholders

## Quick Start

### Creating a New Report

1. Use the report template from `assets/report_template.md` as the base structure
2. Gather all analysis artifacts:
   - Sample hashes and file information
   - Static analysis findings (strings, imports, PE structure)
   - Dynamic analysis observations (processes, registry, network, files)
   - IOCs identified
   - Detection rules created
3. Populate each section systematically
4. Review against best practices in `references/best_practices.md`

### Report Structure

The standard report includes these sections in order:

1. **Executive Summary** - High-level overview for non-technical stakeholders
2. **Sample Information** - Basic file metadata and hashes
3. **Static Analysis** - File structure, strings, imports/exports, resources
4. **Dynamic Analysis** - Runtime behavior, system changes, network activity
5. **IOCs** - Organized by type (file, network, host indicators)
6. **Detection Rules** - YARA rules and optionally Sigma rules
7. **Malware Classification** - Family, type, capabilities
8. **Remediation and Mitigation** - Actionable response steps
9. **Technical Details** - Additional deep-dive analysis
10. **Conclusion** - Final summary and assessment
11. **References** - External resources and links
12. **Appendix** - Timeline, tools used, screenshots

## Key Principles

### Professional Quality

- Use precise technical language with clear explanations
- Include all three hash types (MD5, SHA1, SHA256)
- Provide full context for every finding
- Document methodology and tools used
- Include timestamps and version information

### Professional Report Requirements

Industry-standard reports require:

- Complete technical documentation of malware samples
- Professional format suitable for enterprise delivery
- Working detection rules based on malware characteristics
- Clear IOCs that can be operationalized

**Critical:** The quality of your report reflects your professionalism. Allocate sufficient time for writing and review.

### Audience Awareness

Structure content for multiple audiences:

- **Executive Summary**: Non-technical decision makers
- **Technical Sections**: Security analysts and researchers
- **IOCs/Detection**: SOC teams and detection engineers
- **Remediation**: Incident responders

## Writing Guidelines

### Executive Summary

- 2-4 paragraphs maximum
- Plain language, minimal jargon
- Answer: What? How critical? What actions?
- Include key findings in bullet points

### Technical Analysis

- Document both positive and negative findings
- Provide evidence for every claim
- Use code blocks for technical artifacts
- Include screenshots when they add value
- Connect behaviors to specific evidence

### IOCs Section

**Format:**

- Group by type (file, network, host)
- Include context for each indicator
- Provide confidence levels if uncertain
- Test IOCs for accuracy before including

**Defanging (required):**

All IOCs in reports MUST be defanged to prevent accidental activation:

- URLs: `http` → `hxxp`, `https` → `hxxps` (e.g., `hxxps://malicious[.]example[.]com/payload`)
- Domains: bracket the dot before the TLD (e.g., `evil[.]com`, `sub.domain[.]net`)
- Email addresses: `@` → `[@]` (e.g., `attacker[@]evil[.]com`)
- IP addresses: bracket each dot separator (e.g., `192[.]168[.]1[.]1`)

**Avoid:**

- Environment-specific artifacts
- Personal/analyst system information
- Common legitimate values
- Untested indicators

### Detection Rules

**YARA Rules:**

- Test against sample (must detect)
- Test against clean files (must not false positive)
- Include metadata: author, date, description, hash
- Use meaningful string and variable names
- Add comments explaining detection logic
- Set appropriate conditions to balance detection and false positives

**Best practices:**

```yara
rule Malware_Family_Variant {
    meta:
        description = "Detects Malware_Family based on C2 configuration"
        author = "Analyst Name"
        date = "2025-10-25"
        hash = "abc123..."
        reference = "Internal analysis"
    strings:
        $c2_config = { 48 8B ?? ?? ?? ?? ?? 48 8D ?? ?? }   // Config access pattern
        $ua_string = "Mozilla/4.0 (Suspicious UA)" ascii
        $mutex = "Global\\UniqueMalwareMutex" wide
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 2MB and
        2 of them
}
```

### Common Mistakes to Avoid

- Over-relying on automated tool output without interpretation
- Listing findings without explaining significance
- Missing critical hashes or file metadata
- Weak or untested detection rules
- Vague remediation recommendations
- Poor grammar/spelling
- Inconsistent formatting
- Environment-specific artifacts in IOCs

## Best Practices Reference

For detailed guidance on report quality, writing style, and common pitfalls, see `references/best_practices.md`.

Key topics covered:

- Report writing principles (clarity, completeness, objectivity)
- Structure guidelines for each section
- IOC quality standards
- Detection rule best practices
- Audience considerations
- Quality checklist
- Efficient workflow strategies

## Time Management Strategies

For efficient malware report creation:

**Recommended workflow:**

- **Phase 1-2**: Analysis
  - Document findings continuously (don't wait)
  - Take screenshots and capture evidence
  - Create detection rules during analysis
  - Organize notes by report section
- **Phase 3-4**: Report writing
  - Draft all technical sections first
  - Write IOCs, detection rules, remediation
  - Create executive summary and conclusion
  - Final quality check and formatting

**Pro tip:** Start documenting in report format during analysis to save time.
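As an added example that is not part of this skill, the script below checks a YARA rule's text against the metadata, naming and condition points listed under Detection Rules above; `lint_yara_rule` and the checks it applies are this example's own, and it complements rather than replaces running the rule with yara against the sample and a clean-file corpus.

```python
import re

# Added example (not part of the skill): check a YARA rule's text against the metadata,
# naming and condition points in the Detection Rules section. It complements, not replaces,
# running the rule with yara against the sample and against a clean-file corpus.
REQUIRED_META = ("description", "author", "date", "hash")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def lint_yara_rule(rule_text: str) -> list:
    """Return checklist findings for one rule; an empty list means the rule passes."""
    findings = []
    meta_match = re.search(r"meta:(.*?)(?:strings:|condition:)", rule_text, re.S)
    meta = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', meta_match.group(1))) if meta_match else {}
    findings += [f"missing meta field: {k}" for k in REQUIRED_META if k not in meta]
    if "hash" in meta and not HASH_RE.match(meta["hash"]):
        findings.append("hash is not a full MD5/SHA1/SHA256 hex digest (placeholder left in?)")
    if "date" in meta and not DATE_RE.match(meta["date"]):
        findings.append("date is not in YYYY-MM-DD format")
    names = re.findall(r"^\s*(\$\w+)\s*=", rule_text, re.M)       # string identifiers
    findings += [f"string {n} has no meaningful name" for n in names if re.fullmatch(r"\$[a-zA-Z]\d*", n)]
    if not names:
        findings.append("rule defines no strings")
    cond_match = re.search(r"condition:(.*)\}", rule_text, re.S)   # up to the rule's closing brace
    cond = cond_match.group(1).strip() if cond_match else ""
    if not cond:
        findings.append("missing condition")
    elif "filesize" not in cond:                                   # guard against over-matching
        findings.append("condition has no filesize bound")
    if names and cond and not re.search(r"\b(?:\d+|any|all)\s+of\b|\$\w+", cond):
        findings.append("condition does not reference any string")
    return findings

# The rule from the Detection Rules section, embedded so the linter runs stand-alone.
EXAMPLE_RULE = r'''rule Malware_Family_Variant {
    meta:
        description = "Detects Malware_Family based on C2 configuration"
        author = "Analyst Name"
        date = "2025-10-25"
        hash = "abc123..."
        reference = "Internal analysis"
    strings:
        $c2_config = { 48 8B ?? ?? ?? ?? ?? 48 8D ?? ?? }   // Config access pattern
        $ua_string = "Mozilla/4.0 (Suspicious UA)" ascii
        $mutex = "Global\\UniqueMalwareMutex" wide
    condition:
        uint16(0) == 0x5A4D and filesize < 2MB and 2 of them
}
'''
```

Run against the template rule, the only finding is the placeholder `hash` value, which is exactly the field analysts most often forget to fill in before delivery.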
## Quality Checklist

Before submitting any report, verify:

**Technical Accuracy:**

- [ ] All three hash types included and verified
- [ ] File paths are complete and accurate
- [ ] Timestamps include timezone
- [ ] Process IDs included for process activity
- [ ] Tool versions documented

**Detection Rules:**

- [ ] YARA rules tested against sample (detects correctly)
- [ ] YARA rules tested against clean files (no false positives)
- [ ] Rules include complete metadata
- [ ] Conditions are appropriate and not over-matching

**IOCs:**

- [ ] Grouped by type (file, network, host)
- [ ] Context provided for each IOC
- [ ] All IOCs defanged (hxxp/hxxps, [.] for domains and IPs, [@] for email)
- [ ] No environment-specific artifacts
- [ ] All IOCs validated

**Report Quality:**

- [ ] Executive summary is non-technical and actionable
- [ ] All sections completed
- [ ] Grammar and spelling checked
- [ ] Consistent formatting throughout
- [ ] Evidence supports all claims
- [ ] Remediation steps are specific and prioritized

**Professional Standards:**

- [ ] Report is professional and enterprise-ready
- [ ] Detection rules work and are well-documented
- [ ] Technical details demonstrate thorough analysis
- [ ] Report answers: What is it? What does it do? How to detect? How to remove?

## Output Format

Create reports in Markdown format using the template structure. For professional delivery:

1. Create report in Markdown using the template
2. Convert to PDF for professional appearance (if required)
3. Ensure all sections are complete
4. Include any screenshots as appendix items
5. Verify detection rules are included and tested

## Example Usage

**User request:** "Help me write a report for this ransomware sample I analyzed"

**Workflow:**

1. Load the report template
2. Ask user for key findings from their analysis
3. Structure findings into appropriate sections
4. Help craft executive summary
5. Format IOCs properly
6. Review and validate YARA rules
7. Provide remediation recommendations
8. Review final report against quality checklist
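As an added example that is not part of this skill, the helpers below apply the defanging rules from the IOCs section and turn the checklist item "All IOCs defanged" into a scan for indicators left live in report text; the function names, the file-extension exclusion list and the sample IOC section are constructed for this example.

```python
import re

# Added example (not part of the skill): defang IOCs exactly as the IOCs section requires and
# scan report text for indicators left live (quality checklist item "All IOCs defanged").
def defang_ip(ip: str) -> str:
    return ip.replace(".", "[.]")                         # 192.168.1.1 -> 192[.]168[.]1[.]1
def defang_domain(domain: str) -> str:
    head, sep, tld = domain.rpartition(".")               # only the dot before the TLD
    return f"{head}[.]{tld}" if sep else domain           # sub.domain.net -> sub.domain[.]net
def defang_email(email: str) -> str:
    local, sep, domain = email.rpartition("@")
    return f"{local}[@]{defang_domain(domain)}" if sep else email
def defang_url(url: str) -> str:
    m = re.match(r"^(https?)://([^/?#]+)(.*)$", url, re.I)
    if not m:
        return url
    scheme, host, rest = m.groups()                       # hxxp(s):// and every hostname dot
    return f"{scheme.lower().replace('tt', 'xx')}://{defang_ip(host)}{rest}"

# Live-indicator patterns; a defanged form ([.] / [@] / hxxp) no longer matches any of them.
LIVE_PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s)\]]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?!\[)", re.I),
}
FILE_EXTENSIONS = {"exe", "dll", "php", "md", "txt", "pdf", "zip", "doc", "docx"}

def find_undefanged(text: str) -> list:
    """Return (type, indicator) pairs still live in the text; an empty list passes the checklist."""
    hits, consumed = [], []
    for kind, pattern in LIVE_PATTERNS.items():           # URLs first so their hosts are not re-reported
        for m in pattern.finditer(text):
            if any(s <= m.start() and m.end() <= e for s, e in consumed):
                continue
            if kind == "domain" and m.group(0).rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
                continue                                  # a file name such as dropper.exe, not a domain
            hits.append((kind, m.group(0)))
            consumed.append((m.start(), m.end()))
    return hits

# Constructed IOC section with two indicators deliberately left live.
SAMPLE_IOC_SECTION = """\
- C2: hxxps://malicious[.]example[.]com/payload
- Fallback C2: http://backup.evil.com/gate.php
- Exfil host: 203.0.113.7
- Phishing sender: attacker[@]evil[.]com
- Dropper: payload.exe written to C:\\Users\\Public
"""
```

Hits from `find_undefanged` should be reviewed by hand before the report ships, since the domain pattern is intentionally broad and will also flag file names whose extension is not in the exclusion list.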