performing-static-malware-analysis-with-pe-studio

Performs static analysis of Windows PE (Portable Executable) malware samples using PEStudio to examine file headers, imports, strings, resources, and indicators without executing the binary. Identifies suspicious characteristics including packing, anti-analysis techniques, and malicious imports. Activates for requests involving static malware analysis, PE file inspection, Windows executable analysis, or pre-execution malware triage.

16 stars

byplurigrid

View on GitHub Installation ↓

Best use case

performing-static-malware-analysis-with-pe-studio is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using performing-static-malware-analysis-with-pe-studio should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How performing-static-malware-analysis-with-pe-studio Compares

Feature / Agent	performing-static-malware-analysis-with-pe-studio	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Performing Static Malware Analysis with PEStudio

## When to Use

- A suspicious Windows executable has been collected and needs initial triage before sandbox execution
- You need to identify imports, strings, and resources that reveal malware functionality without running the sample
- Determining whether a PE file is packed, obfuscated, or contains anti-analysis techniques
- Extracting indicators of compromise (hashes, URLs, IPs, registry keys) embedded in a binary
- Classifying a sample's capabilities based on its import table and section characteristics

**Do not use** for dynamic behavioral analysis requiring execution; use a sandbox (Cuckoo, ANY.RUN) for runtime behavior observation.

## Prerequisites

- PEStudio (free edition from https://www.winitor.com/) installed on an isolated analysis workstation
- Python 3.8+ with `pefile` library for scripted PE analysis (`pip install pefile`)
- CFF Explorer or PE-bear as supplementary PE analysis tools
- Access to VirusTotal API for hash lookups and community intelligence
- Isolated analysis VM with no network connectivity to production systems
- FLOSS (FireEye Labs Obfuscated String Solver) for extracting obfuscated strings

## Workflow

### Step 1: Compute File Hashes and Verify Sample Integrity

Generate cryptographic hashes for identification and intelligence lookup:

```bash
# Generate MD5, SHA-1, and SHA-256 hashes
md5sum suspect.exe
sha1sum suspect.exe
sha256sum suspect.exe

# Check hash against VirusTotal
curl -s -X GET "https://www.virustotal.com/api/v3/files/$(sha256sum suspect.exe | cut -d' ' -f1)" \
  -H "x-apikey: $VT_API_KEY" | jq '.data.attributes.last_analysis_stats'

# Get file type with magic bytes verification
file suspect.exe
```

### Step 2: Examine PE Headers and Section Table

Open the sample in PEStudio and inspect structural properties:

```
PEStudio Analysis Points:
━━━━━━━━━━━━━━━━━━━━━━━━━
File Header:       Compilation timestamp, target architecture (x86/x64)
Optional Header:   Entry point address, image base, subsystem (GUI/console)
Section Table:     Section names, virtual/raw sizes, entropy values
                   High entropy (>7.0) in .text/.rsrc suggests packing
Signatures:        Authenticode signature presence and validity
```

**Scripted PE Header Analysis with pefile:**
```python
import pefile
import hashlib
import math

pe = pefile.PE("suspect.exe")

# Compilation timestamp
import datetime
timestamp = pe.FILE_HEADER.TimeDateStamp
compile_time = datetime.datetime.utcfromtimestamp(timestamp)
print(f"Compile Time: {compile_time} UTC")

# Section analysis with entropy calculation
for section in pe.sections:
    name = section.Name.decode().rstrip('\x00')
    entropy = section.get_entropy()
    raw_size = section.SizeOfRawData
    virtual_size = section.Misc_VirtualSize
    ratio = virtual_size / raw_size if raw_size > 0 else 0
    print(f"Section: {name:8s} Entropy: {entropy:.2f} Raw: {raw_size:>10} Virtual: {virtual_size:>10} Ratio: {ratio:.2f}")
    if entropy > 7.0:
        print(f"  [!] HIGH ENTROPY - likely packed or encrypted")
    if ratio > 10:
        print(f"  [!] HIGH V/R RATIO - unpacking stub likely present")
```

### Step 3: Analyze Import Address Table (IAT)

Identify suspicious API imports that indicate malware capabilities:

```python
# Extract and categorize imports
suspicious_imports = {
    "Process Injection": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "NtCreateThreadEx"],
    "Keylogging": ["GetAsyncKeyState", "SetWindowsHookExA", "GetKeyState"],
    "Persistence": ["RegSetValueExA", "CreateServiceA", "SchTasksCreate"],
    "Evasion": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"],
    "Network": ["InternetOpenA", "HttpSendRequestA", "URLDownloadToFileA", "WSAStartup"],
    "File Operations": ["CreateFileA", "WriteFile", "DeleteFileA", "MoveFileA"],
    "Crypto": ["CryptEncrypt", "CryptDecrypt", "CryptAcquireContextA"],
}

for entry in pe.DIRECTORY_ENTRY_IMPORT:
    dll_name = entry.dll.decode()
    for imp in entry.imports:
        if imp.name:
            func_name = imp.name.decode()
            for category, funcs in suspicious_imports.items():
                if func_name in funcs:
                    print(f"[!] {category}: {dll_name} -> {func_name}")
```

### Step 4: Extract and Analyze Strings

Use FLOSS for obfuscated strings and standard strings extraction:

```bash
# Standard strings extraction (ASCII and Unicode)
strings -a suspect.exe > strings_ascii.txt
strings -el suspect.exe > strings_unicode.txt

# FLOSS for decoded/deobfuscated strings
floss suspect.exe --output-json floss_output.json

# Search for network indicators in strings
grep -iE "(http|https|ftp)://" strings_ascii.txt
grep -iE "([0-9]{1,3}\.){3}[0-9]{1,3}" strings_ascii.txt
grep -iE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" strings_ascii.txt

# Search for registry keys
grep -i "HKLM\\|HKCU\\|SOFTWARE\\|CurrentVersion\\Run" strings_ascii.txt

# Search for file paths and extensions
grep -iE "\.(exe|dll|bat|ps1|vbs|tmp)" strings_ascii.txt
```

### Step 5: Inspect Resources and Embedded Data

Examine the PE resource section for embedded payloads or configuration:

```python
# Extract resources from PE file
if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
    for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if hasattr(resource_type, 'directory'):
            for resource_id in resource_type.directory.entries:
                if hasattr(resource_id, 'directory'):
                    for resource_lang in resource_id.directory.entries:
                        data = pe.get_data(resource_lang.data.struct.OffsetToData,
                                          resource_lang.data.struct.Size)
                        entropy = calculate_entropy(data)
                        print(f"Resource Type: {resource_type.id} Size: {len(data)} Entropy: {entropy:.2f}")
                        if entropy > 7.0:
                            print(f"  [!] High entropy resource - possible embedded payload")
                        # Check for PE signature in resource (embedded executable)
                        if data[:2] == b'MZ':
                            print(f"  [!] Embedded PE detected in resource")
                            with open(f"extracted_resource_{resource_type.id}.bin", "wb") as f:
                                f.write(data)
```

### Step 6: Check for Packing and Protection

Determine if the binary is packed or protected:

```bash
# Detect packer with Detect It Easy (DIE)
diec suspect.exe

# Check with PEiD signatures (command-line version)
python3 -c "
import pefile
pe = pefile.PE('suspect.exe')
# Check for common packer section names
packer_sections = {'.upx0': 'UPX', '.aspack': 'ASPack', '.adata': 'ASPack',
                   '.nsp0': 'NsPack', '.vmprotect': 'VMProtect', '.themida': 'Themida'}
for section in pe.sections:
    name = section.Name.decode().rstrip('\x00').lower()
    if name in packer_sections:
        print(f'[!] Packer detected: {packer_sections[name]} (section: {name})')

# Check import table size (very few imports suggest packing)
import_count = sum(len(entry.imports) for entry in pe.DIRECTORY_ENTRY_IMPORT)
if import_count < 10:
    print(f'[!] Only {import_count} imports - likely packed')
"
```

### Step 7: Generate Static Analysis Report

Compile all findings into a structured triage report:

```
Document the following for each analyzed sample:
- File identification (hashes, file type, size, compile timestamp)
- Packing/protection status and identified packer
- Suspicious imports categorized by capability
- Network indicators extracted from strings (IPs, domains, URLs)
- Embedded resources and their characteristics
- Overall threat assessment and recommended next steps (sandbox execution, YARA rule creation)
```

## Key Concepts

| Term | Definition |
|------|------------|
| **PE (Portable Executable)** | The file format for Windows executables (.exe, .dll, .sys) containing headers, sections, imports, and resources that define how the OS loads the binary |
| **Import Address Table (IAT)** | PE structure listing external DLL functions the executable calls at runtime; reveals program capabilities and intent |
| **Section Entropy** | Statistical measure of randomness in a PE section; values above 7.0 (out of 8.0) indicate compression, encryption, or packing |
| **FLOSS** | FireEye Labs Obfuscated String Solver; automatically extracts and decodes obfuscated strings that standard `strings` misses |
| **Packing** | Compression or encryption of a PE file's code section to hinder static analysis; requires runtime unpacking stub to execute |
| **PE Resources** | Data section within a PE file that can contain icons, dialogs, version info, or attacker-embedded payloads and configuration data |
| **Compilation Timestamp** | Timestamp in the PE header indicating when the binary was compiled; can be forged but often reveals development timeline |

## Tools & Systems

- **PEStudio**: Free Windows tool for static analysis of PE files providing indicators, imports, strings, and resource inspection in a single interface
- **pefile (Python)**: Python library for parsing and analyzing PE file structures programmatically for automated analysis pipelines
- **FLOSS**: FireEye tool that extracts obfuscated strings from malware using static analysis techniques including stack string decoding
- **Detect It Easy (DIE)**: Packer and compiler detection tool that identifies protectors, compilers, and linkers used to build PE files
- **CFF Explorer**: Advanced PE editor and viewer for detailed inspection of PE headers, sections, imports, and resource directories

## Common Scenarios

### Scenario: Triaging a Suspicious Email Attachment

**Context**: SOC receives an alert on a suspicious executable attached to a phishing email. The file needs rapid triage to determine if it is malicious before committing sandbox resources.

**Approach**:
1. Compute SHA-256 hash and query VirusTotal for existing detections and community comments
2. Open in PEStudio and check the indicators tab for red/yellow flagged items
3. Verify compile timestamp (future dates or dates from 1970 indicate timestamp manipulation)
4. Check imports for VirtualAllocEx, CreateRemoteThread (injection), URLDownloadToFileA (downloader)
5. Extract strings and search for C2 URLs, IP addresses, and file paths
6. Check resources for embedded PE files or high-entropy data blobs
7. Assess packing status; if packed, note the packer and plan for unpacking before deeper analysis

**Pitfalls**:
- Trusting the PE compile timestamp without corroborating evidence (timestamps are trivially forged)
- Concluding a file is benign because it has few suspicious imports (packed malware hides real imports)
- Missing Unicode strings by only running ASCII string extraction
- Not checking overlay data appended after the last PE section (common hiding spot for configuration data)

## Output Format

```
STATIC MALWARE ANALYSIS REPORT
=================================
Sample:           suspect.exe
MD5:              d41d8cd98f00b204e9800998ecf8427e
SHA-256:          e3b0c44298fc1c149afbf4c8996fb924...
File Size:        245,760 bytes
File Type:        PE32 executable (GUI) Intel 80386
Compile Time:     2025-09-14 08:23:15 UTC

PACKING STATUS
Packer Detected:  None (native binary)
Section Entropy:  .text=6.42 .rdata=4.89 .data=3.21 .rsrc=7.81
Note:             .rsrc section entropy elevated - check resources

SUSPICIOUS IMPORTS
[INJECTION]       kernel32.dll -> VirtualAllocEx
[INJECTION]       kernel32.dll -> WriteProcessMemory
[INJECTION]       kernel32.dll -> CreateRemoteThread
[EVASION]         kernel32.dll -> IsDebuggerPresent
[NETWORK]         wininet.dll  -> InternetOpenA
[NETWORK]         wininet.dll  -> HttpSendRequestA
[PERSISTENCE]     advapi32.dll -> RegSetValueExA

EXTRACTED INDICATORS
URLs:             hxxps://update.malicious[.]com/gate.php
IPs:              185.220.101[.]42, 91.215.85[.]17
Registry Keys:    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost
File Paths:       C:\Users\Public\svchost.exe

EMBEDDED RESOURCES
Resource 101:     Size=98304 Entropy=7.89 [!] Embedded PE detected
Resource 102:     Size=4096  Entropy=2.14 (configuration XML)

ASSESSMENT
Threat Level:     HIGH
Classification:   Dropper with process injection capabilities
Recommended:      Execute in sandbox, extract embedded PE for separate analysis
```

Related Skills

variant-analysis

from plurigrid/asi

Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.

static-security-analyzer

from plurigrid/asi

Wrapper around Tizen Studio static analyzer. Detects memory leaks, buffer overflows, and coding vulnerabilities in C/C++/JavaScript.

reverse-engineering-rust-malware

from plurigrid/asi

Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated strings, crate dependency extraction, and Rust-specific control flow analysis.

reverse-engineering-malware-with-ghidra

from plurigrid/asi

Reverse engineers malware binaries using NSA's Ghidra disassembler and decompiler to understand internal logic, cryptographic routines, C2 protocols, and evasion techniques at the assembly and pseudo-C level. Activates for requests involving malware reverse engineering, disassembly analysis, decompilation, binary analysis, or understanding malware internals.

reverse-engineering-dotnet-malware-with-dnspy

from plurigrid/asi

Reverse engineers .NET malware using dnSpy decompiler and debugger to analyze C#/VB.NET source code, identify obfuscation techniques, extract configurations, and understand malicious functionality including stealers, RATs, and loaders. Activates for requests involving .NET malware analysis, C# malware decompilation, managed code reverse engineering, or .NET obfuscation analysis.

reverse-engineering-android-malware-with-jadx

from plurigrid/asi

Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify malicious functionality including data theft, C2 communication, privilege escalation, and overlay attacks. Examines manifest permissions, receivers, services, and native libraries. Activates for requests involving Android malware analysis, APK reverse engineering, mobile malware investigation, or Android threat analysis.

performing-yara-rule-development-for-detection

from plurigrid/asi

Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.

performing-wireless-security-assessment-with-kismet

from plurigrid/asi

Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.

performing-wireless-network-penetration-test

from plurigrid/asi

Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.

performing-windows-artifact-analysis-with-eric-zimmerman-tools

from plurigrid/asi

Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.

performing-wifi-password-cracking-with-aircrack

from plurigrid/asi

Captures WPA/WPA2 handshakes and performs offline password cracking using aircrack-ng, hashcat, and dictionary attacks during authorized wireless security assessments to evaluate passphrase strength and wireless network security posture.

performing-web-cache-poisoning-attack

from plurigrid/asi

Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through unkeyed headers and parameters during authorized security tests.