Malware Analysis Basics Cheat Sheet
Introduces static and dynamic malware analysis techniques, common tools, and safe sandboxing practices for examining suspicious files.
2 PagesAdvancedFeb 5, 2026
Analysis Approaches
The two fundamental categories of malware analysis.
- Static analysis- Examine the file without executing it (strings, headers, hashes, disassembly)
- Dynamic analysis- Execute the sample in a controlled environment and observe its behavior
- Basic static- File hashing, string extraction, header inspection, no code execution or reversal
- Advanced static- Disassembly/decompilation to understand actual code logic
- Behavioral (dynamic)- Monitor file system, registry, network, and process activity during execution
Basic Static Triage Commands
Quick, safe first steps before deeper analysis.
bash
# Compute hashes to check against threat intel (VirusTotal, etc.)sha256sum suspicious.exemd5sum suspicious.exe# Identify file typefile suspicious.exe# Extract printable strings (look for URLs, IPs, commands)strings -n 8 suspicious.exe | less# Inspect PE headers (imports, sections)objdump -x suspicious.exe# Check for known-bad signatures with YARAyara rules.yar suspicious.exe
Common Malware Analysis Tools
Widely used tools by analysis category.
- Static/PE inspection- PEStudio, CFF Explorer, Detect It Easy (DiE)
- Disassembly/decompilation- Ghidra, IDA Pro, Binary Ninja
- Dynamic/sandbox- Cuckoo Sandbox, Any.Run, ProcMon + Process Explorer
- Network analysis- Wireshark, INetSim (fake internet services for isolated sandboxes)
- Signature matching- YARA rules for identifying known malware families
Safe Handling Practices
Precautions required before and during analysis of live malware.
- Isolated sandbox/VM- Never analyze live malware on a production or internet-connected host
- Snapshot before execution- Take a VM snapshot so the environment can be reverted after each run
- Disable/simulate network access- Use a fake internet (INetSim) to observe C2 attempts without real harm
- Handle as read-only- Keep original sample write-protected; work from copies
- No shared network shares- Prevent malware from spreading to host or other systems via shared folders
Pro Tip
Always check a sample's hash against VirusTotal and threat intel feeds before spending hours on manual reverse engineering — many samples are already-known commodity malware with published analysis reports.
Was this cheat sheet helpful?
Explore Topics
#MalwareAnalysisBasics#MalwareAnalysisBasicsCheatSheet#Cybersecurity#Advanced#AnalysisApproaches#BasicStaticTriageCommands#CommonMalwareAnalysisTools#SafeHandlingPractices#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance