Author: Lenny Zeltser | License: Creative Commons v3 “Attribution”
More at zeltser.com/cheat-sheets

1. Malware Analysis Process

Overview of the Malware Analysis Process

  1. Use automated analysis sandbox tools for an initial assessment of the suspicious file.
  2. Set up a controlled, isolated laboratory in which to examine the malware specimen.
  3. Examine static properties and metadata of the specimen for triage and early theories.
  4. Emulate code execution to identify malicious capabilities and contemplate next steps.
  5. Perform behavioural analysis to examine the specimen’s interactions with its environment.
  6. Analyze relevant aspects of the code statically with a disassembler and decompiler.
  7. Perform dynamic code analysis to understand difficult aspects of the code.
  8. If necessary, unpack the specimen.
  9. Repeat steps 4–8 until analysis objectives are met.
  10. Augment your analysis using methods like memory forensics and threat intel.
  11. Document findings, save analysis artifacts, and clean up the laboratory.

Behavioural Analysis

  • Use virtualisation tools for system snapshots (Clonezilla, PXE, FOG, dd).
  • Monitor local interactions:
    • Process Hacker, Process Monitor, ProcDOT, Noriben
  • Detect system changes:
    • RegShot, Autoruns
  • Monitor network traffic:
    • Wireshark, Fiddler
  • Redirect traffic:
    • fakedns, accept-all-ips
  • Simulate services:
    • INetSim or actual service setup

Ghidra for Static Code Analysis

Action Shortcut
Go to location g
Show references Ctrl+Shift+F
Insert comment ;
Follow jump or call Enter
Previous/Next location Alt+Left / Alt+Right
Undo Ctrl+Z
Define data type t
Add bookmark Ctrl+D
Text search Ctrl+Shift+E
Add/edit label l
Disassemble d

x64dbg/x32dbg for Dynamic Code Analysis

Action Shortcut/Command
Run code F9
Step into / over F7 / F8
Execute until instruction F4
Execute until return Ctrl+F9
Previous/Next executed instruction - / +
Return to previous view *
Go to expression Ctrl+G
Comment / Label ; / :
Show current function graph g
Set breakpoint (instruction/API) F2 / SetBPX APIName
Highlight occurrences h and click keyword
Assemble instruction Spacebar
Edit data in memory Ctrl+E
Extract API call references Right-click → Search for → Current module → Intermodular calls

Unpacking Malicious Code

  • Detect packing: Detect It Easy, Exeinfo PE, Bytehist, peframe
  • Quick unpack: Infect VM and dump memory with Scylla
  • Precise unpack:
    • Find OEP (Original Entry Point) via debugger
    • Use OllyDumpEx
    • Set breakpoints on APIs: LoadLibrary, VirtualAlloc, etc.
    • Use memory breakpoints at stack entry
  • Rebuild dumped file with Scylla, pe_unmapper
  • If dumping fails, use dynamic analysis live

Bypassing Other Analysis Defences

  • Decode obfuscated strings:
    • Static: FLOSS, xorsearch, Balbuzard
    • Runtime: Set breakpoints and inspect memory
  • Hide analysis tools: Use ScyllaHide plugin for x64dbg
  • Patch out anti-analysis code manually
  • Watch for tricky control flows: TLS, SEH, RET, CALL
  • Use scdbg and runsc for shellcode
  • Disable ASLR with setdllcharacteristics, CFF Explorer

2. Analyzing Malicious Documents

General Approach to Document Analysis

  1. Examine the document for anomalies, such as risky tags, scripts, and embedded artifacts.
  2. Locate embedded code, such as shellcode, macros, JavaScript, or other suspicious objects.
  3. Extract suspicious code or objects from the file.
  4. If relevant, deobfuscate and examine macros, JavaScript, or other embedded code.
  5. If relevant, emulate, disassemble and/or debug extracted shellcode.
  6. Understand the next steps in the infection chain.

Microsoft Office Format Notes

  • OLE2 Format (.doc, .xls, etc.): Binary; can store older macro versions in SRP streams.
  • OOXML Format (.docx, .xlsm, etc.): ZIP-compressed; VBA inside OLE2 binary within ZIP.
  • XLM Macros: Excel formulas, even without binary OLE2 stream.
  • RTF: No macros, but supports embedded malicious objects.

Useful MS Office File Analysis Commands

zipdump.py file.pptx                  # Examine OOXML contents
zipdump.py file.pptx -s 3 -d          # Extract file index 3
olevba file.xlsm                      # Extract macros
oledump.py file.xls -i                # List OLE2 streams
oledump.py file.xls -s 3 -v           # Extract VBA code
xmldump.py pretty                     # Format XML for analysis
oledump.py file.xls -p plugin_http_heuristics   # Find obfuscated URLs
vmonkey file.doc                      # Emulate macro execution
evilclippy -uu file.ppt               # Remove macro password
msoffcrypto-tool infile.docm outfile.docm -p    # Decrypt file
pcodedmp file.doc                     # Disassemble stomped VBA
pcode2code file.doc                   # Decompile stomped VBA

Risky PDF Keywords

  • /OpenAction, /AA: Auto-run scripts
  • /JavaScript, /JS, /AcroForm, /XFA: Embedded scripts
  • /URI, /SubmitForm, /GoToR: URL redirection
  • /ObjStm, /XObject: Hidden objects or images (phishing)
  • Be mindful of hex obfuscation (e.g. /J#61vaScript)

Useful PDF File Analysis Commands

pdfid.py file.pdf -n                  # Show risky keywords
pdf-parser.py file.pdf -a            # Show stats
pdf-parser.py file.pdf -o ID         # Display object ID
pdf-parser.py file.pdf -r ID         # Objects referencing ID
qpdf --password=pass --decrypt infile.pdf outfile.pdf

Shellcode and Other Analysis Commands

xorsearch -W -d 3 file.bin           # Locate shellcode
scdbgc /f file.bin                   # Emulate shellcode
runsc32 -f file.bin -n               # Execute shellcode
base64dump.py file.txt               # Detect base64 strings
numbers-to-string.py file            # Convert encoded numbers

Additional Document Analysis Tools

  • JavaScript Deobfuscation: SpiderMonkey, cscript, box-js
  • Office Macro Debugging: Use built-in debugger in isolation
  • Macro Monitoring: AMSIScriptContentRetrieval.ps1
  • Automation: Use sandbox environments
  • Distributions: REMnux includes many free analysis tools

3. Reverse Engineering Malicious Code

Overview of the Code Analysis Process

  1. Examine static properties of the executable.
  2. Identify strings and API calls for suspicious indicators.
  3. Use behavioural analysis (manual + automated).
  4. Emulate to find characteristics.
  5. Statical disassembly + decompilation.
  6. Dynamic debugging of API usage.
  7. Unpack code if needed.
  8. Annotate functions, rename variables.
  9. Expand analysis based on known code.
  10. Repeat steps 5–9 until objectives are met.

Common 32-Bit Registers and Uses

Register Purpose
EAX General purpose (math, return values)
ECX Loop counter
EBP Stack frame base
ESP Stack top pointer
EIP Instruction pointer
EFLAGS Flags from arithmetic logic
FS Thread environment block (e.g., FS:[0])

Common x86 Assembly Instructions

mov EAX, 0xB8       ; Load value into register
push EAX            ; Push onto stack
pop EAX             ; Pop from stack
lea EAX, [EBP-4]    ; Load effective address
call EAX            ; Call function by address
add ESP, 8          ; Adjust stack
xor EAX, EAX        ; Zero a register
test EAX, EAX       ; Check if zero
cmp EAX, 0xB8       ; Compare values

Understanding 64-Bit Registers

  • 32-bit → 64-bit: EAX → RAX, ECX → RCX, etc.
  • Registers R8–R15 added
  • Argument passing:
    • RCX, RDX, R8, R9 on 64-bit
    • [EBP+8], [EBP+0xC]… on 32-bit

Decoding Conditional Jumps

Mnemonic Meaning
JA/JG Jump if above/greater
JB/JL Jump if below/less
JE/JZ Jump if equal (zero)
JNE/JNZ Jump if not equal (not zero)
JGE/JNL Jump if greater or equal

Risky Windows API Calls

  • Code injection: CreateRemoteThread, WriteProcessMemory
  • DLL loading: LoadLibrary, GetProcAddress
  • Data theft: GetClipboardData, GetWindowText
  • Keylogging: GetAsyncKeyState, SetWindowsHookEx
  • Self-injection: VirtualAlloc, VirtualProtect
  • Execution: CreateProcess, WinExec
  • Web traffic: InternetOpen, HttpSendRequest

Additional Code Analysis Tips

  • Use dynamic analysis if static stalls
  • Map control flow via jumps and calls
  • Prefer simplicity: work from known to unknown
  • Research official & native API names (Nt*, Zw*, Rtl*)

4. Tooling

Analyze Windows Executables

Reverse-Engineer Linux Binaries

Investigate Other Forms of Malicious Code

Examine Suspicious Documents

Explore Network Interactions

Gather and Analyze Data

Other Analysis Tasks – Memory Forensics & File Utilities

5. REMnux Tips for Malware Analysis on Linux

Get Started with REMnux

  • Install REMnux via VM, dedicated system, or on existing distro
  • Docs: docs.remnux.org
  • Keep updated: remnux upgrade and remnux update
  • Use Docker-based tools
  • Default login: remnux/malware

Operate Your REMnux System

shutdown             # Power off
reboot               # Reboot
sudo -s              # Root shell
renew-dhcp           # Renew DHCP lease
myip                 # Show IP address
code file            # Edit text
feh file             # View image
httpd start          # Start web server
sshd start           # Start SSH

Use Docker Containers for Analysis

  • remnux/thug, remnux/jsdetox, remnux/retdec
  • remnux/viper, remnux/radare2

Interact with Docker Images

docker images             # List images
docker pull <image>       # Update image
docker rmi <image_id>     # Remove image
docker system prune       # Clean up
docker run --rm -it image bash            # Run container shell
docker run -p 80:80 image bash            # Map port
docker run -v .:/data image bash          # Mount directory