--- name: performing-static-malware-analysis-with-pe-studio description: 'Performs static analysis of Windows PE (Portable Executable) malware samples using PEStudio to examine file headers, imports, strings, resources, and indicators without executing the binary. Identifies suspicious characteristics including packing, anti-analysis techniques, and malicious imports. Activates for requests involving static malware analysis, PE file inspection, Windows executable analysis, or pre-execution malware triage. ' domain: cybersecurity subdomain: malware-analysis tags: - malware - static-analysis - PE-analysis - PEStudio - reverse-engineering version: 1.0.0 author: mahipal license: Apache-2.0 nist_csf: - DE.AE-02 - RS.AN-03 - ID.RA-01 - DE.CM-01 --- # Performing Static Malware Analysis with PEStudio ## When to Use - A suspicious Windows executable has been collected and needs initial triage before sandbox execution - You need to identify imports, strings, and resources that reveal malware functionality without running the sample - Determining whether a PE file is packed, obfuscated, or contains anti-analysis techniques - Extracting indicators of compromise (hashes, URLs, IPs, registry keys) embedded in a binary - Classifying a sample's capabilities based on its import table and section characteristics **Do not use** for dynamic behavioral analysis requiring execution; use a sandbox (Cuckoo, ANY.RUN) for runtime behavior observation. ## Prerequisites - PEStudio (free edition from https://www.winitor.com/) installed on an isolated analysis workstation - Python 3.8+ with `pefile` library for scripted PE analysis (`pip install pefile`) - CFF Explorer or PE-bear as supplementary PE analysis tools - Access to VirusTotal API for hash lookups and community intelligence - Isolated analysis VM with no network connectivity to production systems - FLOSS (FireEye Labs Obfuscated String Solver) for extracting obfuscated strings ## Workflow ### Step 1: Compute File Hashes and Verify Sample Integrity Generate cryptographic hashes for identification and intelligence lookup: ```bash # Generate MD5, SHA-1, and SHA-256 hashes md5sum suspect.exe sha1sum suspect.exe sha256sum suspect.exe # Check hash against VirusTotal curl -s -X GET "https://www.virustotal.com/api/v3/files/$(sha256sum suspect.exe | cut -d' ' -f1)" \ -H "x-apikey: $VT_API_KEY" | jq '.data.attributes.last_analysis_stats' # Get file type with magic bytes verification file suspect.exe ``` ### Step 2: Examine PE Headers and Section Table Open the sample in PEStudio and inspect structural properties: ``` PEStudio Analysis Points: ━━━━━━━━━━━━━━━━━━━━━━━━━ File Header: Compilation timestamp, target architecture (x86/x64) Optional Header: Entry point address, image base, subsystem (GUI/console) Section Table: Section names, virtual/raw sizes, entropy values High entropy (>7.0) in .text/.rsrc suggests packing Signatures: Authenticode signature presence and validity ``` **Scripted PE Header Analysis with pefile:** ```python import pefile import hashlib import math pe = pefile.PE("suspect.exe") # Compilation timestamp import datetime timestamp = pe.FILE_HEADER.TimeDateStamp compile_time = datetime.datetime.utcfromtimestamp(timestamp) print(f"Compile Time: {compile_time} UTC") # Section analysis with entropy calculation for section in pe.sections: name = section.Name.decode().rstrip('\x00') entropy = section.get_entropy() raw_size = section.SizeOfRawData virtual_size = section.Misc_VirtualSize ratio = virtual_size / raw_size if raw_size > 0 else 0 print(f"Section: {name:8s} Entropy: {entropy:.2f} Raw: {raw_size:>10} Virtual: {virtual_size:>10} Ratio: {ratio:.2f}") if entropy > 7.0: print(f" [!] HIGH ENTROPY - likely packed or encrypted") if ratio > 10: print(f" [!] HIGH V/R RATIO - unpacking stub likely present") ``` ### Step 3: Analyze Import Address Table (IAT) Identify suspicious API imports that indicate malware capabilities: ```python # Extract and categorize imports suspicious_imports = { "Process Injection": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "NtCreateThreadEx"], "Keylogging": ["GetAsyncKeyState", "SetWindowsHookExA", "GetKeyState"], "Persistence": ["RegSetValueExA", "CreateServiceA", "SchTasksCreate"], "Evasion": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"], "Network": ["InternetOpenA", "HttpSendRequestA", "URLDownloadToFileA", "WSAStartup"], "File Operations": ["CreateFileA", "WriteFile", "DeleteFileA", "MoveFileA"], "Crypto": ["CryptEncrypt", "CryptDecrypt", "CryptAcquireContextA"], } for entry in pe.DIRECTORY_ENTRY_IMPORT: dll_name = entry.dll.decode() for imp in entry.imports: if imp.name: func_name = imp.name.decode() for category, funcs in suspicious_imports.items(): if func_name in funcs: print(f"[!] {category}: {dll_name} -> {func_name}") ``` ### Step 4: Extract and Analyze Strings Use FLOSS for obfuscated strings and standard strings extraction: ```bash # Standard strings extraction (ASCII and Unicode) strings -a suspect.exe > strings_ascii.txt strings -el suspect.exe > strings_unicode.txt # FLOSS for decoded/deobfuscated strings floss suspect.exe --output-json floss_output.json # Search for network indicators in strings grep -iE "(http|https|ftp)://" strings_ascii.txt grep -iE "([0-9]{1,3}\.){3}[0-9]{1,3}" strings_ascii.txt grep -iE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" strings_ascii.txt # Search for registry keys grep -i "HKLM\\|HKCU\\|SOFTWARE\\|CurrentVersion\\Run" strings_ascii.txt # Search for file paths and extensions grep -iE "\.(exe|dll|bat|ps1|vbs|tmp)" strings_ascii.txt ``` ### Step 5: Inspect Resources and Embedded Data Examine the PE resource section for embedded payloads or configuration: ```python # Extract resources from PE file if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'): for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries: if hasattr(resource_type, 'directory'): for resource_id in resource_type.directory.entries: if hasattr(resource_id, 'directory'): for resource_lang in resource_id.directory.entries: data = pe.get_data(resource_lang.data.struct.OffsetToData, resource_lang.data.struct.Size) entropy = calculate_entropy(data) print(f"Resource Type: {resource_type.id} Size: {len(data)} Entropy: {entropy:.2f}") if entropy > 7.0: print(f" [!] High entropy resource - possible embedded payload") # Check for PE signature in resource (embedded executable) if data[:2] == b'MZ': print(f" [!] Embedded PE detected in resource") with open(f"extracted_resource_{resource_type.id}.bin", "wb") as f: f.write(data) ``` ### Step 6: Check for Packing and Protection Determine if the binary is packed or protected: ```bash # Detect packer with Detect It Easy (DIE) diec suspect.exe # Check with PEiD signatures (command-line version) python3 -c " import pefile pe = pefile.PE('suspect.exe') # Check for common packer section names packer_sections = {'.upx0': 'UPX', '.aspack': 'ASPack', '.adata': 'ASPack', '.nsp0': 'NsPack', '.vmprotect': 'VMProtect', '.themida': 'Themida'} for section in pe.sections: name = section.Name.decode().rstrip('\x00').lower() if name in packer_sections: print(f'[!] Packer detected: {packer_sections[name]} (section: {name})') # Check import table size (very few imports suggest packing) import_count = sum(len(entry.imports) for entry in pe.DIRECTORY_ENTRY_IMPORT) if import_count < 10: print(f'[!] Only {import_count} imports - likely packed') " ``` ### Step 7: Generate Static Analysis Report Compile all findings into a structured triage report: ``` Document the following for each analyzed sample: - File identification (hashes, file type, size, compile timestamp) - Packing/protection status and identified packer - Suspicious imports categorized by capability - Network indicators extracted from strings (IPs, domains, URLs) - Embedded resources and their characteristics - Overall threat assessment and recommended next steps (sandbox execution, YARA rule creation) ``` ## Key Concepts | Term | Definition | |------|------------| | **PE (Portable Executable)** | The file format for Windows executables (.exe, .dll, .sys) containing headers, sections, imports, and resources that define how the OS loads the binary | | **Import Address Table (IAT)** | PE structure listing external DLL functions the executable calls at runtime; reveals program capabilities and intent | | **Section Entropy** | Statistical measure of randomness in a PE section; values above 7.0 (out of 8.0) indicate compression, encryption, or packing | | **FLOSS** | FireEye Labs Obfuscated String Solver; automatically extracts and decodes obfuscated strings that standard `strings` misses | | **Packing** | Compression or encryption of a PE file's code section to hinder static analysis; requires runtime unpacking stub to execute | | **PE Resources** | Data section within a PE file that can contain icons, dialogs, version info, or attacker-embedded payloads and configuration data | | **Compilation Timestamp** | Timestamp in the PE header indicating when the binary was compiled; can be forged but often reveals development timeline | ## Tools & Systems - **PEStudio**: Free Windows tool for static analysis of PE files providing indicators, imports, strings, and resource inspection in a single interface - **pefile (Python)**: Python library for parsing and analyzing PE file structures programmatically for automated analysis pipelines - **FLOSS**: FireEye tool that extracts obfuscated strings from malware using static analysis techniques including stack string decoding - **Detect It Easy (DIE)**: Packer and compiler detection tool that identifies protectors, compilers, and linkers used to build PE files - **CFF Explorer**: Advanced PE editor and viewer for detailed inspection of PE headers, sections, imports, and resource directories ## Common Scenarios ### Scenario: Triaging a Suspicious Email Attachment **Context**: SOC receives an alert on a suspicious executable attached to a phishing email. The file needs rapid triage to determine if it is malicious before committing sandbox resources. **Approach**: 1. Compute SHA-256 hash and query VirusTotal for existing detections and community comments 2. Open in PEStudio and check the indicators tab for red/yellow flagged items 3. Verify compile timestamp (future dates or dates from 1970 indicate timestamp manipulation) 4. Check imports for VirtualAllocEx, CreateRemoteThread (injection), URLDownloadToFileA (downloader) 5. Extract strings and search for C2 URLs, IP addresses, and file paths 6. Check resources for embedded PE files or high-entropy data blobs 7. Assess packing status; if packed, note the packer and plan for unpacking before deeper analysis **Pitfalls**: - Trusting the PE compile timestamp without corroborating evidence (timestamps are trivially forged) - Concluding a file is benign because it has few suspicious imports (packed malware hides real imports) - Missing Unicode strings by only running ASCII string extraction - Not checking overlay data appended after the last PE section (common hiding spot for configuration data) ## Output Format ``` STATIC MALWARE ANALYSIS REPORT ================================= Sample: suspect.exe MD5: d41d8cd98f00b204e9800998ecf8427e SHA-256: e3b0c44298fc1c149afbf4c8996fb924... File Size: 245,760 bytes File Type: PE32 executable (GUI) Intel 80386 Compile Time: 2025-09-14 08:23:15 UTC PACKING STATUS Packer Detected: None (native binary) Section Entropy: .text=6.42 .rdata=4.89 .data=3.21 .rsrc=7.81 Note: .rsrc section entropy elevated - check resources SUSPICIOUS IMPORTS [INJECTION] kernel32.dll -> VirtualAllocEx [INJECTION] kernel32.dll -> WriteProcessMemory [INJECTION] kernel32.dll -> CreateRemoteThread [EVASION] kernel32.dll -> IsDebuggerPresent [NETWORK] wininet.dll -> InternetOpenA [NETWORK] wininet.dll -> HttpSendRequestA [PERSISTENCE] advapi32.dll -> RegSetValueExA EXTRACTED INDICATORS URLs: hxxps://update.malicious[.]com/gate.php IPs: 185.220.101[.]42, 91.215.85[.]17 Registry Keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost File Paths: C:\Users\Public\svchost.exe EMBEDDED RESOURCES Resource 101: Size=98304 Entropy=7.89 [!] Embedded PE detected Resource 102: Size=4096 Entropy=2.14 (configuration XML) ASSESSMENT Threat Level: HIGH Classification: Dropper with process injection capabilities Recommended: Execute in sandbox, extract embedded PE for separate analysis ```