Malware Analysis Cheat Sheet

Author: Lenny Zeltser | License: Creative Commons v3 “Attribution”
More at zeltser.com/cheat-sheets

1. Malware Analysis Process

#

Overview of the Malware Analysis Process

#

1. Use automated analysis sandbox tools for an initial assessment of the suspicious file.
2. Set up a controlled, isolated laboratory in which to examine the malware specimen.
3. Examine static properties and metadata of the specimen for triage and early theories.
4. Emulate code execution to identify malicious capabilities and contemplate next steps.
5. Perform behavioural analysis to examine the specimen’s interactions with its environment.
6. Analyze relevant aspects of the code statically with a disassembler and decompiler.
7. Perform dynamic code analysis to understand difficult aspects of the code.
8. If necessary, unpack the specimen.
9. Repeat steps 4–8 until analysis objectives are met.
10. Augment your analysis using methods like memory forensics and threat intel.
11. Document findings, save analysis artifacts, and clean up the laboratory.

Behavioural Analysis

#

• Use virtualisation tools for system snapshots (Clonezilla, PXE, FOG, dd).
• Monitor local interactions:
  • Process Hacker, Process Monitor, ProcDOT, Noriben
• Detect system changes:
  • RegShot, Autoruns
• Monitor network traffic:
  • Wireshark, Fiddler
• Redirect traffic:
  • fakedns, accept-all-ips
• Simulate services:
  • INetSim or actual service setup

Ghidra for Static Code Analysis

#

x64dbg/x32dbg for Dynamic Code Analysis

#

Unpacking Malicious Code

#

• Detect packing: Detect It Easy, Exeinfo PE, Bytehist, peframe
• Quick unpack: Infect VM and dump memory with Scylla
• Precise unpack:
  • Find OEP (Original Entry Point) via debugger
  • Use OllyDumpEx
  • Set breakpoints on APIs: LoadLibrary, VirtualAlloc, etc.
  • Use memory breakpoints at stack entry
• Rebuild dumped file with Scylla, pe_unmapper
• If dumping fails, use dynamic analysis live

Bypassing Other Analysis Defences

#

• Decode obfuscated strings:
  • Static: FLOSS, xorsearch, Balbuzard
  • Runtime: Set breakpoints and inspect memory
• Hide analysis tools: Use ScyllaHide plugin for x64dbg
• Patch out anti-analysis code manually
• Watch for tricky control flows: TLS, SEH, RET, CALL
• Use scdbg and runsc for shellcode
• Disable ASLR with setdllcharacteristics, CFF Explorer

2. Analyzing Malicious Documents

#

General Approach to Document Analysis

#

1. Examine the document for anomalies, such as risky tags, scripts, and embedded artifacts.
2. Locate embedded code, such as shellcode, macros, JavaScript, or other suspicious objects.
3. Extract suspicious code or objects from the file.
4. If relevant, deobfuscate and examine macros, JavaScript, or other embedded code.
5. If relevant, emulate, disassemble and/or debug extracted shellcode.
6. Understand the next steps in the infection chain.

Microsoft Office Format Notes

#

• OLE2 Format (.doc, .xls, etc.): Binary; can store older macro versions in SRP streams.
• OOXML Format (.docx, .xlsm, etc.): ZIP-compressed; VBA inside OLE2 binary within ZIP.
• XLM Macros: Excel formulas, even without binary OLE2 stream.
• RTF: No macros, but supports embedded malicious objects.

Useful MS Office File Analysis Commands

#

zipdump.py file.pptx                  # Examine OOXML contents
zipdump.py file.pptx -s 3 -d          # Extract file index 3
olevba file.xlsm                      # Extract macros
oledump.py file.xls -i                # List OLE2 streams
oledump.py file.xls -s 3 -v           # Extract VBA code
xmldump.py pretty                     # Format XML for analysis
oledump.py file.xls -p plugin_http_heuristics   # Find obfuscated URLs
vmonkey file.doc                      # Emulate macro execution
evilclippy -uu file.ppt               # Remove macro password
msoffcrypto-tool infile.docm outfile.docm -p    # Decrypt file
pcodedmp file.doc                     # Disassemble stomped VBA
pcode2code file.doc                   # Decompile stomped VBA

Risky PDF Keywords

#

• /OpenAction, /AA: Auto-run scripts
• /JavaScript, /JS, /AcroForm, /XFA: Embedded scripts
• /URI, /SubmitForm, /GoToR: URL redirection
• /ObjStm, /XObject: Hidden objects or images (phishing)
• Be mindful of hex obfuscation (e.g. /J#61vaScript)

Useful PDF File Analysis Commands

#

pdfid.py file.pdf -n                  # Show risky keywords
pdf-parser.py file.pdf -a            # Show stats
pdf-parser.py file.pdf -o ID         # Display object ID
pdf-parser.py file.pdf -r ID         # Objects referencing ID
qpdf --password=pass --decrypt infile.pdf outfile.pdf

Shellcode and Other Analysis Commands

#

xorsearch -W -d 3 file.bin           # Locate shellcode
scdbgc /f file.bin                   # Emulate shellcode
runsc32 -f file.bin -n               # Execute shellcode
base64dump.py file.txt               # Detect base64 strings
numbers-to-string.py file            # Convert encoded numbers

Additional Document Analysis Tools

#

• JavaScript Deobfuscation: SpiderMonkey, cscript, box-js
• Office Macro Debugging: Use built-in debugger in isolation
• Macro Monitoring: AMSIScriptContentRetrieval.ps1
• Automation: Use sandbox environments
• Distributions: REMnux includes many free analysis tools

3. Reverse Engineering Malicious Code

#

Overview of the Code Analysis Process

#

1. Examine static properties of the executable.
2. Identify strings and API calls for suspicious indicators.
3. Use behavioural analysis (manual + automated).
4. Emulate to find characteristics.
5. Statical disassembly + decompilation.
6. Dynamic debugging of API usage.
7. Unpack code if needed.
8. Annotate functions, rename variables.
9. Expand analysis based on known code.
10. Repeat steps 5–9 until objectives are met.

Common 32-Bit Registers and Uses

#

Common x86 Assembly Instructions

#

mov EAX, 0xB8       ; Load value into register
push EAX            ; Push onto stack
pop EAX             ; Pop from stack
lea EAX, [EBP-4]    ; Load effective address
call EAX            ; Call function by address
add ESP, 8          ; Adjust stack
xor EAX, EAX        ; Zero a register
test EAX, EAX       ; Check if zero
cmp EAX, 0xB8       ; Compare values

Understanding 64-Bit Registers

#

• 32-bit → 64-bit: EAX → RAX, ECX → RCX, etc.
• Registers R8–R15 added
• Argument passing:
  • RCX, RDX, R8, R9 on 64-bit
  • [EBP+8], [EBP+0xC]… on 32-bit

Decoding Conditional Jumps

#

Risky Windows API Calls

#

• Code injection: CreateRemoteThread, WriteProcessMemory
• DLL loading: LoadLibrary, GetProcAddress
• Data theft: GetClipboardData, GetWindowText
• Keylogging: GetAsyncKeyState, SetWindowsHookEx
• Self-injection: VirtualAlloc, VirtualProtect
• Execution: CreateProcess, WinExec
• Web traffic: InternetOpen, HttpSendRequest

Additional Code Analysis Tips

#

• Use dynamic analysis if static stalls
• Map control flow via jumps and calls
• Prefer simplicity: work from known to unknown
• Research official & native API names (Nt*, Zw*, Rtl*)

4. Tooling

#

Analyze Windows Executables

#

• Static: manalyze, peframe, pefile, exiftool, clamscan, pescan, portex, bearcommander, pecheck
• Strings & Deobfuscation: pestr, bbcrack, brxor.py, base64dump, xorsearch, flarestrings, floss, cyberchef
• Emulation: binee, capa, vivbin
• Disassemblers: ghidra, cutter, objdump, r2
• Unpackers: bytehist, de4dot, upx

Reverse-Engineer Linux Binaries

#

• Static: trid, exiftool, pyew, readelf.py
• Disassemblers: ghidra, cutter, objdump, r2
• Debuggers: edb, gdb
• Runtime tools: ltrace, strace, frida, sysdig, unhide

Investigate Other Forms of Malicious Code

#

• Android: apktool, droidlysis, androgui.py, baksmali, dex2jar
• Java: cfr, procyon, jad, jd-gui, idx_parser.py
• Python: pyinstxtractor.py, pycdc
• JavaScript: js, js-file, objects.js, box-js
• Shellcode: shellcode2exe.bat, scdbg, xorsearch
• PowerShell: pwsh, base64dump
• Flash: swfdump, flare, flasm, swf_mastah.py, xxxswf

Examine Suspicious Documents

#

• Office: vmonkey, pcodedmp, olevba, xlmdeobfuscator, oledump.py, msoffice-crypt, ssview
• RTF: rtfobj, rtfdump
• Emails: emldump, msgconvert
• PDFs: pdfid, pdfparser, pdfextract, pdfdecrypt, peepdf, pdftk, pdfresurrect, qpdf, pdfobjflow
• General: base64dump, tesseract, exiftool

Explore Network Interactions

#

• Monitoring: burpsuite, networkminer, polarproxy, mitmproxy, wireshark, tshark, ngrep, tcpxtract, tcpick
• Connecting: thug, nc, tor, wget, curl, irc, ssh, unfurl
• Services: fakedns, fakemail, accept-all-ips, nc, httpd, inetsim, fakenet, sshd, myip

Gather and Analyze Data

#

• Network: Automater.py, shodan, ipwhois_cli.py, pdnstool
• Hashes: malwoverview.py, nsrllookup, Automater.py, vt, virustotal-search.py
• Files: yara, scalpel, bulk_extractor, ioc_writer
• Other: dexray, viper, time-decode.py

Other Analysis Tasks – Memory Forensics & File Utilities

#

• Memory Forensics: vol.py, vol3, linux_mem_diff.py, aeskeyfind, rsakeyfind, bulk_extractor
• File Editors: wxHexEditor, scite, code, xpdf, convert
• Extractors: 7z, unzip, unrar, cabextract

5. REMnux Tips for Malware Analysis on Linux

#

Get Started with REMnux

#

• Install REMnux via VM, dedicated system, or on existing distro
• Docs: docs.remnux.org
• Keep updated: remnux upgrade and remnux update
• Use Docker-based tools
• Default login: remnux/malware

Operate Your REMnux System

#

shutdown             # Power off
reboot               # Reboot
sudo -s              # Root shell
renew-dhcp           # Renew DHCP lease
myip                 # Show IP address
code file            # Edit text
feh file             # View image
httpd start          # Start web server
sshd start           # Start SSH

Use Docker Containers for Analysis

#

• remnux/thug, remnux/jsdetox, remnux/retdec
• remnux/viper, remnux/radare2

Interact with Docker Images

#

docker images             # List images
docker pull <image>       # Update image
docker rmi <image_id>     # Remove image
docker system prune       # Clean up
docker run --rm -it image bash            # Run container shell
docker run -p 80:80 image bash            # Map port
docker run -v .:/data image bash          # Mount directory