
Malware Analysis Cheat Sheet

Updated 2026-04-30

Malware analysis is the systematic examination of malicious software to understand its behavior, purpose, and impact on compromised systems. Operating at the intersection of reverse engineering, forensics, and threat intelligence, it empowers security teams to detect, classify, and respond to cyber threats. This discipline combines static analysis (code inspection without execution), dynamic analysis (runtime behavior observation), and hybrid approaches that leverage both—while navigating an arms race where adversaries deploy sophisticated evasion, obfuscation, and anti-analysis techniques to avoid detection. One critical insight: malware rarely acts in isolation—understanding behavioral patterns, persistence mechanisms, and network indicators reveals not just what a sample does, but the broader campaign or actor behind it.

What This Cheat Sheet Covers

This topic spans 20 focused tables and 196 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: Static Analysis Techniques
  • Table 2: Dynamic Analysis Techniques
  • Table 3: Malware Types
  • Table 4: Reverse Engineering Tools
  • Table 5: Dynamic Analysis Tools
  • Table 6: Sandbox and Automation Platforms
  • Table 7: PE File Structure Components
  • Table 8: YARA Rules for Malware Detection
  • Table 9: Behavioral Indicators and IOCs
  • Table 10: Anti-Analysis and Evasion Techniques
  • Table 11: Network Traffic Analysis
  • Table 12: Memory Forensics Artifacts
  • Table 13: Code Injection and Process Manipulation
  • Table 14: Unpacking and Deobfuscation
  • Table 15: Malware Lab Setup and Environments
  • Table 16: Threat Intelligence Integration
  • Table 17: Reporting and Documentation
  • Table 18: Mobile Malware Analysis
  • Table 19: Signature-Based and Heuristic Detection
  • Table 20: Incident Response and Containment

Table 1: Static Analysis Techniques

Static analysis is the safe first look—everything you can learn from a sample without ever letting it run. From hashing and string extraction to entropy checks and PE header inspection, these techniques surface URLs, suspicious imports, and signs of packing fast, shaping how you approach the deeper analysis that follows.

Technique / Example / Description

File hashing
  Example:
    certutil -hashfile malware.exe MD5
    sha256sum malware.bin
  Description:
    • Generates cryptographic fingerprints (MD5, SHA-1, SHA-256) for unique malware identification and database lookups
    • Easily defeated by trivial modifications: changing a single byte yields a different hash

Fuzzy hashing
  Example:
    ssdeep malware.exe
    ssdeep -d -t 95 sample1 sample2
  Description:
    • Uses context-triggered piecewise hashing (CTPH) to detect similar but modified samples by comparing structural patterns
    • Effective against polymorphic variants; the -t threshold (0-100) limits output to matches above a similarity score

Strings extraction
  Example:
    strings -a -n 8 malware.exe
    strings -el malware.bin
  Description:
    • Extracts printable ASCII (-a, minimum length 8) and UTF-16LE (-el) text, revealing embedded URLs, IP addresses, registry keys, and hardcoded commands

File entropy analysis
  Example:
    python -c "import math; ..."
    PEStudio entropy score: 7.2
  Description:
    • Measures randomness in binary sections (Shannon entropy, 0 to 8 bits per byte)
    • High entropy (>7.0) indicates encryption or packing; low entropy suggests uncompressed code

PE header inspection
  Example:
    dumpbin /headers malware.exe
    PEview: check timestamps
  Description:
    • Examines DOS header, NT headers, section tables, and import directories for compilation time, architecture (x86/x64), and suspicious discrepancies (e.g. a timestamp in the future or a section whose raw size differs greatly from its virtual size)

Import address table (IAT) analysis
  Example:
    dumpbin /imports malware.exe
    IDA Pro: View → Open subviews → Imports
  Description:
    • Lists Windows API functions the malware calls
    • Reveals capabilities like network access (WinHTTP), file manipulation (CreateFile), or process injection (VirtualAllocEx)
