Handy Tools for Analyzing Static Malware

The work of a digital forensic analyst or reverse engineer is divided into several phases of malware analysis. The first step is OSINT (Open Source Intelligence) research, which gives an overview of what you are dealing with, for example whether the file's hash or the names and domains it uses have already been reported elsewhere. The second step is a fully automated analysis with suitable tooling, such as a sandbox. Once these steps have been completed, an examination of the static properties of the malware usually follows.

Without running or opening the file, this step extracts the file's properties with various tools: cryptographic hashes, the strings and resources it contains, any digital signature and its certificate, and the imported and exported functions. It also checks whether the file has been packed, because packing hides most of these properties until the file has been unpacked.

The aim is to assess whether the file is actually malicious and to formulate hypotheses about its capabilities. From this, an action plan can be developed for examining the file more closely in later phases, and further investigation can be justified. Such an analysis is usually quick and offers an easy way to become familiar with the file under examination.

One popular entry route for malware is email. Attachments should therefore be examined statically to determine their properties and their potential for malicious content. The OLE toolbox and PDF analysis tools are well suited to this.

The OLE toolbox (the oletools suite) is useful for analyzing Office documents that contain macros. It parses the OLE container and extracts the file's properties and the embedded VBA code without executing the macro. This includes the hash and other static information, such as the presence of auto-executing macros and suspicious keywords in the VBA source. With this information, a hypothesis can be formed about the capabilities of the file.

PDF analysis tools are another aid to static analysis. PDF documents can carry malicious content, such as embedded JavaScript, actions that run automatically when the document is opened, or launch actions for external programs, and these can exploit vulnerabilities in the reader. Static analysis of a PDF reveals the document's structure and such suspicious objects before it is ever opened in a viewer.
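As an added example, not taken from the original article or from any particular tool, the following Python script shows the kind of keyword triage a PDF analyzer performs. It counts the structural tokens and suspicious names in a PDF without rendering it, resolves the #xx escapes that PDF allows inside names (so /J#61vaScript is recognized as /JavaScript, which a plain substring search would miss), and turns the counts into findings. The PDF bytes are constructed inline for the example; they are not a real sample. Names hidden inside compressed object streams are not visible to a byte-level scan like this, which is why the script reports /ObjStm as a separate finding.

```python
import re
from collections import Counter

# Constructed sample (not a real malware file): a minimal PDF whose /OpenAction
# runs JavaScript, with the /JavaScript name hex-escaped as /J#61vaScript to
# defeat a naive substring search.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names worth counting during triage: script, automatic actions, launchers,
# embedded files, and object streams (which can hide any of the others).
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/XFA", "/AcroForm", "/URI", "/ObjStm")

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> Counter:
    """Count structural keywords and suspicious names in a PDF without rendering it."""
    counts = Counter()
    counts["obj"] = len(re.findall(rb"\bobj\b", data))        # \b keeps 'endobj' out
    counts["endobj"] = data.count(b"endobj")
    counts["stream"] = len(re.findall(rb"\bstream\b", data))
    counts["endstream"] = data.count(b"endstream")
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = normalize_name(raw)
        if name in SUSPICIOUS_NAMES:
            counts[name] += 1
            if b"#" in raw:
                counts["escaped_names"] += 1   # obfuscated spelling is itself a signal
    return counts


def assess_pdf(counts: Counter) -> list:
    """Turn the raw counts into triage findings a human can act on."""
    findings = []
    if counts["/JavaScript"] or counts["/JS"]:
        findings.append("contains JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        findings.append("has actions that fire automatically on open or on events")
    if counts["/Launch"]:
        findings.append("can launch an external program")
    if counts["/EmbeddedFile"]:
        findings.append("carries embedded files")
    if counts["escaped_names"]:
        findings.append(f"{counts['escaped_names']} suspicious name(s) written with #xx escapes")
    if counts["obj"] != counts["endobj"] or counts["stream"] != counts["endstream"]:
        findings.append("obj/endobj or stream/endstream counts do not match (malformed or truncated)")
    if counts["/ObjStm"]:
        findings.append("uses object streams: compressed objects are not visible to this scan")
    return findings


if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    for key in ("obj", "endobj", "stream", "endstream", *SUSPICIOUS_NAMES):
        print(f"{key:14s} {result[key]}")
    for finding in assess_pdf(result):
        print("!", finding)
```

Because the comparison is made on the whole normalized name token rather than on a substring, /JS does not accidentally match unrelated names that merely start with those letters, and the escaped spelling is reported as its own finding. On a real document, a high /ObjStm or stream count with no visible keywords is the cue to decompress the streams and scan again.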

Reading out PE information is also important in static malware analysis. PE stands for Portable Executable, the file format for executables, object code and DLLs on 32-bit and 64-bit Windows. PE information includes the headers and section table, the compile timestamp, strings, imports, exports and other static data that can be used to identify malicious files; the import table in particular shows which Windows APIs the program can call and thus hints at its capabilities.

Finally, examining the packer is also critical in static malware analysis. Packers compress or encrypt executable files, making them harder to detect and analyze: the strings and imports of the original program only become visible after unpacking. By examining the packer, the analyst can determine whether the file is packed and which packer was used, from indicators such as characteristic section names, a high entropy of the section containing the entry point, a section that is empty on disk but large in memory, and a very small import table. A packed file is not automatically malicious, since legitimate software is packed too, but it does tell the analyst that the static properties read so far describe the packer stub rather than the payload.
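As an added example for the two preceding paragraphs, written for this page and not taken from any PE tool, the following Python script reads the PE headers and section table with the standard library only and applies three common packer indicators: section names left behind by well-known packers, a high-entropy section containing the entry point, and a section that is empty on disk but large in memory. The list of packer section names is a small, partial one. The two PE images are built inline by a small helper so the script runs offline; they are constructed test images, not real samples, and the random bytes merely stand in for a compressed program body. The import directory is not parsed here.

```python
import math
import random
import struct
from collections import Counter

# Section names that common packers leave behind (partial list; a packer can
# rename them, so treat a hit as a hint, not as proof).
PACKER_SECTION_NAMES = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                        ".aspack": "ASPack", ".adata": "ASPack", ".petite": "Petite",
                        ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS", ".themida": "Themida",
                        ".vmp0": "VMProtect", ".vmp1": "VMProtect"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(data: bytes) -> dict:
    """Read DOS header, COFF header, entry point and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": raw_size, "entropy": entropy(raw), "chars": chars})
    return {"machine": machine, "pe32plus": magic == 0x20B, "timestamp": timestamp,
            "entry_rva": entry_rva, "sections": sections}

def guess_packer(pe: dict):
    hits = {PACKER_SECTION_NAMES[s["name"]] for s in pe["sections"] if s["name"] in PACKER_SECTION_NAMES}
    return sorted(hits)[0] if hits else None

def assess_packing(pe: dict) -> list:
    """Packer indicators: known section names, high-entropy entry section, empty unpack target."""
    findings = []
    packer = guess_packer(pe)
    if packer:
        findings.append(f"section names typical of {packer}")
    entry = pe["entry_rva"]
    entry_sec = next((s for s in pe["sections"]
                      if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    elif entry_sec["entropy"] > 7.0:
        findings.append(f"entry point in high-entropy section {entry_sec['name']} "
                        f"({entry_sec['entropy']:.2f} bits/byte)")
    for s in pe["sections"]:
        if s["raw_size"] == 0 and s["vsize"] >= 0x1000 and s["name"] != ".bss":
            findings.append(f"{s['name']} is empty on disk but {s['vsize']:#x} bytes in memory (unpack target)")
    return findings

def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal, non-runnable PE32 image from (name, vaddr, vsize, raw, chars) tuples."""
    opt_size = 0xE0
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (header_len + 0x1FF) & ~0x1FF        # section data starts at 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)  # i386 EXE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body = b"", b""
    for name, vaddr, vsize, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        padded = raw + b"\0" * (-len(raw) % 0x200)
        body += padded
        raw_ptr += len(padded)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header + b"\0" * (-len(header) % 0x200) + body

# Constructed samples, not real binaries: random bytes stand in for a compressed
# program body, a repetitive byte pattern for ordinary compiled code.
_rng = random.Random(1337)
COMPRESSED_BODY = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = b"\x55\x89\xe5\x83\xec\x10\x90\x90\xc9\xc3" * 400
PACKED_SAMPLE = build_pe([("UPX0", 0x1000, 0x20000, b"", 0xE0000080),
                          ("UPX1", 0x21000, 0x2000, COMPRESSED_BODY, 0xE0000040),
                          (".rsrc", 0x23000, 0x1000, b"\0" * 64, 0xC0000040)], entry_rva=0x21800)
CLEAN_SAMPLE = build_pe([(".text", 0x1000, len(PLAIN_CODE), PLAIN_CODE, 0x60000020),
                         (".data", 0x3000, 0x200, b"Hello, world\0" * 8, 0xC0000040)], entry_rva=0x1010)
```

Running parse_pe followed by assess_packing on PACKED_SAMPLE yields three findings (UPX section names, an entry point inside a section with close to 8 bits of entropy per byte, and an empty UPX0 section that is the unpack target), while CLEAN_SAMPLE yields none and its .text section measures roughly 3 bits per byte. The entropy threshold of 7.0 and the 0x1000 minimum size for an unpack target are conventional cut-offs chosen for this example; a real triage script should report the numbers and let the analyst judge borderline cases, and should treat a file whose entry point falls outside every section as corrupt or deliberately malformed.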

In summary, static malware analysis is an important phase in digital forensics and incident response. With tools such as the OLE toolbox, PDF analysis tools, PE readers and packer detectors, analysts can extract information from files without running or opening them. This information can be used to assess whether the file is malicious and to formulate hypotheses about its capabilities that guide the later dynamic analysis.
