Vol. 1 · Ed. 2026
CyberGlossary
Entry № 726

Malware Analysis

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Malware Analysis?

Malware Analysis: The structured study of a malicious sample to understand its functionality, origin, indicators of compromise, and impact on affected systems.


Malware analysis combines static, dynamic, and behavioral techniques. Static analysis inspects strings, imports, headers, and disassembly without executing the binary (PE-bear, CFF Explorer, capa, YARA). Dynamic analysis runs the sample in an isolated sandbox (Cuckoo, ANY.RUN, Joe Sandbox, FLARE-VM) and records process trees, network beacons, registry edits, and dropped files. Deeper investigations move to debugging and code reversing in IDA Pro, Ghidra, or x64dbg, while automated triage uses YARA, capa, and ssdeep similarity hashing. The outputs feed IoCs, ATT&CK mappings, detection rules, and remediation guidance, and support incident-response decisions on scope, eradication, and reporting.

Examples

  1. Detonating a suspicious .docm in a Cuckoo sandbox and extracting C2 URLs from network traffic.

  2. Reverse engineering a loader in Ghidra to identify the API hashing routine and decoded payload.

Frequently asked questions

What is Malware Analysis?

The structured study of a malicious sample to understand its functionality, origin, indicators of compromise, and impact on affected systems. It belongs to the Forensics & IR category of cybersecurity.

What does Malware Analysis mean?

The structured study of a malicious sample to understand its functionality, origin, indicators of compromise, and impact on affected systems.

How does Malware Analysis relate to defence?

Malware analysis is itself a defensive activity rather than a threat to defend against. Its results (IoCs, ATT&CK mappings, detection rules, and remediation guidance) are the technical controls and operational practices described in the full definition above.

What are other names for Malware Analysis?

Common alternative names include: Malware reverse engineering, Sample analysis.
