
performing-static-malware-analysis-with-pe-studio


Performs static analysis of Windows PE (Portable Executable) malware samples using PEStudio to examine file headers, imports, strings, resources, and indicators without executing the binary. Identifies suspicious characteristics including packing, anti-analysis techniques, and malicious imports. Activates for requests involving static malware analysis, PE file inspection, Windows executable analysis, or pre-execution malware triage.



# Performing Static Malware Analysis with PEStudio

## When to Use

- A suspicious Windows executable has been collected and needs initial triage before sandbox execution
- You need to identify imports, strings, and resources that reveal malware functionality without running the sample
- Determining whether a PE file is packed, obfuscated, or contains anti-analysis techniques
- Extracting indicators of compromise (hashes, URLs, IPs, registry keys) embedded in a binary
- Classifying a sample's capabilities based on its import table and section characteristics

**Do not use** for dynamic behavioral analysis requiring execution; use a sandbox (Cuckoo, ANY.RUN) for runtime behavior observation.

## Prerequisites

- PEStudio (free edition from https://www.winitor.com/) installed on an isolated analysis workstation
- Python 3.8+ with `pefile` library for scripted PE analysis (`pip install pefile`)
- CFF Explorer or PE-bear as supplementary PE analysis tools
- Access to VirusTotal API for hash lookups and community intelligence
- Isolated analysis VM with no network connectivity to production systems
- FLOSS (FireEye Labs Obfuscated String Solver) for extracting obfuscated strings

## Workflow

### Step 1: Compute File Hashes and Verify Sample Integrity

Generate cryptographic hashes for identification and intelligence lookup:

```bash
# Generate MD5, SHA-1, and SHA-256 hashes
md5sum suspect.exe
sha1sum suspect.exe
sha256sum suspect.exe

# Check hash against VirusTotal
curl -s -X GET "https://www.virustotal.com/api/v3/files/$(sha256sum suspect.exe | cut -d' ' -f1)" \
  -H "x-apikey: $VT_API_KEY" | jq '.data.attributes.last_analysis_stats'

# Get file type with magic bytes verification
file suspect.exe
```

### Step 2: Examine PE Headers and Section Table

Open the sample in PEStudio and inspect structural properties:

```
PEStudio Analysis Points:
━━━━━━━━━━━━━━━━━━━━━━━━━
File Header:       Compilation timestamp, target architecture (x86/x64)
Optional Header:   Entry point address, image base, subsystem (GUI/console)
Section Table:     Section names, virtual/raw sizes, entropy values
                   High entropy (>7.0) in .text/.rsrc suggests packing
Signatures:        Authenticode signature presence and validity
```

**Scripted PE Header Analysis with pefile:**
```python
import datetime

import pefile

pe = pefile.PE("suspect.exe")

# Compilation timestamp (set by the linker and easily forged, so treat it as a hint)
timestamp = pe.FILE_HEADER.TimeDateStamp
compile_time = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc)
print(f"Compile Time: {compile_time:%Y-%m-%d %H:%M:%S} UTC")

# Section analysis with entropy calculation
for section in pe.sections:
    # Section names are raw bytes chosen by the author; do not assume valid UTF-8
    name = section.Name.decode(errors="replace").rstrip('\x00')
    entropy = section.get_entropy()
    raw_size = section.SizeOfRawData
    virtual_size = section.Misc_VirtualSize
    ratio = virtual_size / raw_size if raw_size > 0 else 0
    print(f"Section: {name:8s} Entropy: {entropy:.2f} Raw: {raw_size:>10} Virtual: {virtual_size:>10} Ratio: {ratio:.2f}")
    if entropy > 7.0:
        print("  [!] HIGH ENTROPY - likely packed or encrypted")
    if ratio > 10:
        print("  [!] HIGH V/R RATIO - unpacking stub likely present")
```
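
What the entropy and virtual/raw checks above measure, shown with the standard library only. This is an added example, not part of the original skill or of `pefile`: it reads the section table directly and applies the same two thresholds. The function names and the two-section image from `build_sample()` are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(image: bytes):
    """Return [(name, virtual_size, raw_size, entropy)] from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    rows = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        entropy = shannon_entropy(image[rptr:rptr + rsize])
        rows.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, entropy))
    return rows

def triage(image: bytes):
    """Apply the thresholds used above: entropy > 7.0, virtual/raw ratio > 10."""
    flags = []
    for name, vsize, rsize, entropy in parse_sections(image):
        if entropy > 7.0:
            flags.append((name, "high-entropy"))
        if rsize > 0 and vsize / rsize > 10:
            flags.append((name, "high-v/r"))
    return flags

def build_sample() -> bytes:
    """Constructed image: NOP-filled .text (small on disk), pseudo-random .rsrc."""
    text = b"\x90" * 512
    rsrc = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    ptr, table = 0x40 + 24 + 2 * 40, b""
    for name, body, vsize in ((b".text", text, 0x10000), (b".rsrc", rsrc, len(rsrc))):
        table += struct.pack("<8sIIII", name, vsize, 0x1000, len(body), ptr) + b"\0" * 16
        ptr += len(body)
    return dos + coff + table + text + rsrc
```

`triage(build_sample())` flags `.text` for its virtual/raw ratio and `.rsrc` for its entropy.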

### Step 3: Analyze Import Address Table (IAT)

Identify suspicious API imports that indicate malware capabilities:

```python
# Extract and categorize imports
suspicious_imports = {
    "Process Injection": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "NtCreateThreadEx"],
    "Keylogging": ["GetAsyncKeyState", "SetWindowsHookExA", "GetKeyState"],
    "Persistence": ["RegSetValueExA", "CreateServiceA", "SchTasksCreate"],
    "Evasion": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"],
    "Network": ["InternetOpenA", "HttpSendRequestA", "URLDownloadToFileA", "WSAStartup"],
    "File Operations": ["CreateFileA", "WriteFile", "DeleteFileA", "MoveFileA"],
    "Crypto": ["CryptEncrypt", "CryptDecrypt", "CryptAcquireContextA"],
}

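# `pe` is the pefile.PE object opened in Step 2.
# Packed samples may have no import directory at all, so do not assume the attribute exists.
for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
    dll_name = entry.dll.decode(errors="replace")
    for imp in entry.imports:
        if imp.name:  # imports by ordinal have no name
            func_name = imp.name.decode(errors="replace")
            for category, funcs in suspicious_imports.items():
                if func_name in funcs:
                    print(f"[!] {category}: {dll_name} -> {func_name}")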
```

### Step 4: Extract and Analyze Strings

Use FLOSS for obfuscated strings and standard strings extraction:

```bash
# Standard strings extraction (ASCII and Unicode)
strings -a suspect.exe > strings_ascii.txt
strings -el suspect.exe > strings_unicode.txt

# FLOSS for decoded/deobfuscated strings
floss suspect.exe --output-json floss_output.json

# Search for network indicators in strings
grep -iE "(http|https|ftp)://" strings_ascii.txt
grep -iE "([0-9]{1,3}\.){3}[0-9]{1,3}" strings_ascii.txt
grep -iE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" strings_ascii.txt

# Search for registry keys (single quotes + -E so each \\ matches a literal backslash)
grep -iE 'HKLM\\|HKCU\\|SOFTWARE\\|CurrentVersion\\Run' strings_ascii.txt

# Search for file paths and extensions
grep -iE "\.(exe|dll|bat|ps1|vbs|tmp)" strings_ascii.txt
```
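
The same indicator search in Python, as an added example that is not part of the original skill: it extracts ASCII and UTF-16LE strings from raw bytes, drops IPv4 candidates that the grep pattern above would still report (out-of-range octets such as `999.1.1.1`, fragments of OIDs such as `1.3.6.1.5.5.7.3.1`), and defangs URLs and IPs for the report. `SAMPLE` is constructed test data and all helper names are assumptions.

```python
import ipaddress
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.I)
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
REG_RE = re.compile(r"(?:HKLM|HKCU|SOFTWARE)\\[^\s\"']+", re.I)

def extract_strings(blob: bytes):
    """ASCII and UTF-16LE runs of 4+ printable characters (strings -a / -el)."""
    out = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return out

def valid_ipv4(text: str) -> bool:
    """True only when every octet is in range (rejects 999.1.1.1)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def defang(ioc: str) -> str:
    """Make an indicator non-clickable before it goes into a report or ticket."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")

def extract_iocs(blob: bytes):
    iocs = {"urls": set(), "ips": set(), "registry": set()}
    for s in extract_strings(blob):
        iocs["urls"].update(defang(u) for u in URL_RE.findall(s))
        iocs["ips"].update(defang(i) for i in IP_RE.findall(s) if valid_ipv4(i))
        iocs["registry"].update(REG_RE.findall(s))
    return {kind: sorted(values) for kind, values in iocs.items()}

# Constructed sample bytes standing in for the contents of suspect.exe
SAMPLE = (b"\x00\x01http://update.example.test/gate.php\x00"
          b"1.3.6.1.5.5.7.3.1\x00"
          b"connect 192.0.2.55 port\x00"
          b"bad 999.1.1.1\xff\xff"
          + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
          + b"\x00\x00")
```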

### Step 5: Inspect Resources and Embedded Data

Examine the PE resource section for embedded payloads or configuration:

```python
import math
from collections import Counter

def calculate_entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return sum(-n / total * math.log2(n / total) for n in Counter(data).values())

# Extract resources from PE file (`pe` is the pefile.PE object opened in Step 2)
if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
    for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if hasattr(resource_type, 'directory'):
            for resource_id in resource_type.directory.entries:
                if hasattr(resource_id, 'directory'):
                    for resource_lang in resource_id.directory.entries:
                        offset = resource_lang.data.struct.OffsetToData
                        data = pe.get_data(offset, resource_lang.data.struct.Size)
                        entropy = calculate_entropy(data)
                        print(f"Resource Type: {resource_type.id} Size: {len(data)} Entropy: {entropy:.2f}")
                        if entropy > 7.0:
                            print("  [!] High entropy resource - possible embedded payload")
                        # Check for MZ signature in resource (embedded executable)
                        if data[:2] == b'MZ':
                            print("  [!] Embedded PE detected in resource")
                            # Include the offset so several resources of one type do not overwrite each other
                            with open(f"extracted_resource_{resource_type.id}_{offset:#x}.bin", "wb") as f:
                                f.write(data)
```

### Step 6: Check for Packing and Protection

Determine if the binary is packed or protected:

```bash
# Detect packer with Detect It Easy (DIE)
diec suspect.exe

# Heuristic check with pefile: known packer section names and import count
python3 -c "
import pefile
pe = pefile.PE('suspect.exe')
# Check for common packer section names (UPX names its sections UPX0/UPX1, without a leading dot)
packer_sections = {'upx0': 'UPX', 'upx1': 'UPX', '.aspack': 'ASPack', '.adata': 'ASPack',
                   '.nsp0': 'NsPack', '.vmp0': 'VMProtect', '.vmp1': 'VMProtect',
                   '.themida': 'Themida'}
for section in pe.sections:
    name = section.Name.decode(errors='replace').rstrip('\x00').lower()
    if name in packer_sections:
        print(f'[!] Packer detected: {packer_sections[name]} (section: {name})')

# Check import table size (very few imports suggest packing);
# a sample with no import directory at all counts as zero imports
imports = getattr(pe, 'DIRECTORY_ENTRY_IMPORT', [])
import_count = sum(len(entry.imports) for entry in imports)
if import_count < 10:
    print(f'[!] Only {import_count} imports - likely packed')
"
```

### Step 7: Generate Static Analysis Report

Compile all findings into a structured triage report:

```
Document the following for each analyzed sample:
- File identification (hashes, file type, size, compile timestamp)
- Packing/protection status and identified packer
- Suspicious imports categorized by capability
- Network indicators extracted from strings (IPs, domains, URLs)
- Embedded resources and their characteristics
- Overall threat assessment and recommended next steps (sandbox execution, YARA rule creation)
```

## Key Concepts

| Term | Definition |
|------|------------|
| **PE (Portable Executable)** | The file format for Windows executables (.exe, .dll, .sys) containing h
