Overview
When malware lands in your environment, you need to understand what it does, how it got in, and what it is trying to accomplish. This playbook covers the full malware analysis workflow from safe collection through static analysis, dynamic sandbox execution, behavioral indicators, and YARA rule creation. It is designed for SOC analysts and incident responders who need to triage malware quickly and extract actionable intelligence.
Analysis Phases
- Collection: safely acquire the sample without executing it
- Static analysis: inspect the file without running it (hashes, strings, metadata, imports)
- Dynamic analysis: execute in a controlled sandbox and observe behavior
- Behavioral analysis: identify network connections, file modifications, registry changes, process activity
- IOC extraction: pull out indicators for detection and blocking
- YARA rule creation: write signatures to detect variants of the malware family
- Reporting: document findings and share with stakeholders
Static Analysis Checklist
| Check | Tool examples | What to look for |
|---|---|---|
| File hash (MD5, SHA256) | sha256sum, HashCalc | Cross-reference against VirusTotal, MalwareBazaar |
| File type validation | file command, TrID | Verify file extension matches actual type |
| String extraction | strings, FLOSS | URLs, IPs, registry keys, suspicious function names, encoded data |
| PE header analysis | PE-bear, CFF Explorer | Import table (suspicious APIs), compilation timestamp, packer indicators |
| Entropy analysis | Detect It Easy (DiE) | High entropy sections suggest packing or encryption |
| Macro analysis | olevba, oletools | VBA macros with auto-execution, shell calls, or obfuscated code |
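The checklist above maps to a first-pass triage script. The following is an added example written for this playbook, not tooling from Hunto AI or any of the products named in the table; it uses only the Python standard library and runs against a constructed byte string (labelled in the code) that stands in for a sample. It computes MD5/SHA256, checks the claimed extension against magic bytes, measures whole-file and per-window entropy (a packed section shows up as a high-entropy window even when the headers are not), and pulls URLs, IPs, registry keys and suspicious API names out of the printable strings. The 7.2 packing threshold and the API list are assumptions to tune for your environment.

```python
import hashlib
import math
import re

# Magic-number table: a small constructed subset (first bytes -> type label).
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
# What each claimed extension should look like on disk (docx/xlsx are zip containers).
EXPECTED = {"exe": "pe", "dll": "pe", "scr": "pe", "pdf": "pdf",
            "zip": "zip", "docx": "zip", "xlsx": "zip"}
# APIs commonly seen in droppers/injectors; presence is a lead, not proof of malice.
SUSPICIOUS_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "URLDownloadToFileA", "WinExec", "ShellExecuteA", "IsDebuggerPresent"}
URL_RE = re.compile(r"https?://[\w.\-/]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+)\\[\w\\ ]+", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_chunk_entropy(data: bytes, chunk: int = 256) -> float:
    """Peak entropy over fixed-size windows: a packed or encrypted section stands
    out even when headers and plain code keep the whole-file figure low."""
    if not data:
        return 0.0
    return max(shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk))


def detect_type(data: bytes) -> str:
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def extension_mismatch(data: bytes, filename: str) -> bool:
    """True when the claimed extension disagrees with the magic bytes (an .exe named .pdf)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in EXPECTED and EXPECTED[ext] != detect_type(data)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, the same idea as `strings -n 4`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def flag_strings(strings: list) -> dict:
    found = {"urls": [], "ips": [], "registry": [], "apis": []}
    for s in strings:
        found["urls"] += URL_RE.findall(s)
        found["ips"] += IPV4_RE.findall(s)
        found["registry"] += REG_RE.findall(s)
        found["apis"] += [api for api in SUSPICIOUS_APIS if api in s]
    return found


def triage(data: bytes, filename: str) -> dict:
    peak = max_chunk_entropy(data)
    return {
        "hashes": file_hashes(data),
        "type": detect_type(data),
        "extension_mismatch": extension_mismatch(data, filename),
        "entropy": round(shannon_entropy(data), 2),
        "max_chunk_entropy": round(peak, 2),
        "likely_packed": peak > 7.2,  # rule-of-thumb threshold, tune per file type
        "indicators": flag_strings(extract_strings(data)),
    }


# Constructed stand-in for a sample: MZ header, a few telling strings, then a
# uniform byte run that imitates a packed section (entropy exactly 8.0).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"http://203.0.113.10/update.bin\x00"
    + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"VirtualAllocEx\x00WriteProcessMemory\x00"
    + bytes(range(256)) * 4
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE, "invoice.pdf"), indent=2))
```

Run it on a real sample by replacing SAMPLE with the file's bytes opened in binary mode; the hashes are what you cross-reference against VirusTotal or MalwareBazaar, and a `likely_packed` verdict is the cue to move to the unpacking steps later in this playbook.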
Dynamic Sandbox Analysis
Execute the sample in an isolated sandbox environment that mimics your production network. Use commercial or open-source sandboxes like Any.Run, Joe Sandbox, or Cuckoo. Monitor network traffic for C2 communication, DNS queries to suspicious domains, and data exfiltration attempts. Observe process behavior: does the malware spawn child processes, inject into legitimate processes, or modify system files? Check for persistence mechanisms like scheduled tasks, registry run keys, and WMI event subscriptions. Record everything because some malware has delayed execution or environment checks that may prevent detonation on first run.
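Sandboxes emit a raw event stream; the behaviors listed above (Office spawning a shell, run-key writes, scheduled tasks, WMI subscriptions, injection into another process, outbound connections) have to be read out of it. The following is an added example for this playbook, not code from Hunto AI or from any sandbox product named above: it runs a set of behavioral checks over a constructed event list whose dict shape (`type`, `pid`, `ppid`, `image`, `key`, `class`, `target_pid`, ...) is an assumption, since every sandbox exports its own schema. The point is the mapping from events to findings, which is what the analyst records.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE)
INJECTION_APIS = {"WriteProcessMemory", "CreateRemoteThread", "NtMapViewOfSection", "QueueUserAPC"}
WMI_PERSISTENCE = {"__EventFilter", "CommandLineEventConsumer",
                   "ActiveScriptEventConsumer", "__FilterToConsumerBinding"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: list) -> dict:
    """Map raw sandbox events to the behavioral findings this playbook asks for."""
    findings = {"office_spawn": [], "run_key": [], "scheduled_task": [],
                "wmi_subscription": [], "injection": [], "network": []}
    # Index processes first so parent lookups work regardless of event order.
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        kind = e["type"]
        if kind == "process":
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) in OFFICE and basename(e["image"]) in SCRIPT_HOSTS:
                findings["office_spawn"].append(f"{basename(parent['image'])} -> {e.get('cmdline', e['image'])}")
            if basename(e["image"]) == "schtasks.exe" and "/create" in e.get("cmdline", "").lower():
                findings["scheduled_task"].append(e["cmdline"])
        elif kind == "registry" and e["op"] == "set" and RUN_KEY_RE.search(e["key"]):
            findings["run_key"].append(f"{e['key']}\\{e['value']} = {e['data']}")
        elif kind == "wmi" and e["class"] in WMI_PERSISTENCE:
            findings["wmi_subscription"].append(f"{e['class']}: {e.get('name', '')}")
        elif kind == "api" and e["name"] in INJECTION_APIS and e["target_pid"] != e["pid"]:
            target = procs.get(e["target_pid"], {}).get("image", str(e["target_pid"]))
            findings["injection"].append(f"{e['name']} -> {basename(target)}")
        elif kind == "network":
            findings["network"].append(f"{e.get('domain') or e['dst']}:{e['port']}")
    return findings


def persistence_summary(findings: dict) -> list:
    """Which persistence mechanisms were observed; empty means re-run with a longer timeout
    or a more realistic VM, since delayed execution may have kept the sample quiet."""
    return [k for k in ("run_key", "scheduled_task", "wmi_subscription") if findings[k]]


# Constructed sandbox trace for a maldoc that drops an executable (hostnames,
# paths and names are invented for this example).
EVENTS = [
    {"type": "process", "pid": 800, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 1200, "ppid": 800, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\upd.exe"},
    {"type": "process", "pid": 1400, "ppid": 1300, "image": r"C:\Users\Public\upd.exe"},
    {"type": "process", "pid": 1500, "ppid": 1400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN Updater /TR C:\Users\Public\upd.exe"},
    {"type": "registry", "pid": 1400, "op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\Public\upd.exe"},
    {"type": "wmi", "pid": 1400, "class": "__FilterToConsumerBinding", "name": "UpdaterBinding"},
    {"type": "process", "pid": 1600, "ppid": 800, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "api", "pid": 1400, "name": "WriteProcessMemory", "target_pid": 1600},
    {"type": "api", "pid": 1400, "name": "CreateRemoteThread", "target_pid": 1600},
    {"type": "network", "pid": 1600, "domain": "update-check.example", "dst": "203.0.113.10", "port": 443},
]

if __name__ == "__main__":
    result = analyze(EVENTS)
    for category, items in result.items():
        print(category, items)
    print("persistence:", persistence_summary(result))
```

Note that the outbound connection is attributed to svchost.exe, the injection target, not to the dropper; correlating the injection events with the network events is what tells you the C2 traffic belongs to the sample and not to a legitimate service.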
IOC Extraction and Sharing
- Extract and catalog all indicators: file hashes, C2 domains, C2 IPs, dropped file paths, registry modifications, mutexes, and user-agent strings
- Classify IOCs by confidence level: confirmed malicious, suspicious, or informational
- Feed high-confidence IOCs into your SIEM, EDR, and firewall blocklists
- Share IOCs with your ISAC or trusted sharing community using STIX/TAXII format
- Update your threat intelligence platform with the malware profile and associated campaign information
- Search your environment retroactively for any of the extracted IOCs to identify historical exposure
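The list above is a pipeline: catalog, classify, block, share, hunt. The following is an added example for this playbook (not Hunto AI code, and not a full STIX library) that carries a constructed IOC set through it with the standard library only. It validates hash, IP and domain syntax before anything leaves the analyst's hands, renders each IOC as a STIX 2.1 Indicator with a properly escaped pattern (the tier-to-`confidence` mapping is an assumption), exports only the confirmed tier as a blocklist, and searches constructed proxy log lines for historical exposure. Transport over TAXII is out of scope here; the bundle dict serialises to the JSON a TAXII client would post.

```python
import json
import re
import uuid

# Assumed mapping from this playbook's tiers to the STIX 2.1 'confidence' scale (0-100).
CONFIDENCE = {"confirmed": 85, "suspicious": 50, "informational": 15}
# STIX 2.1 observable paths for each IOC type catalogued above.
PATHS = {
    "sha256": "file:hashes.'SHA-256'",
    "md5": "file:hashes.'MD5'",
    "domain": "domain-name:value",
    "ipv4": "ipv4-addr:value",
    "url": "url:value",
    "path": "file:name",
    "registry": "windows-registry-key:key",
    "mutex": "mutex:name",
    "user_agent": "network-traffic:extensions.'http-request-ext'.request_header.'User-Agent'",
}
VALID = {
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "domain": re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$"),
}


def stix_literal(value: str) -> str:
    """Quote a string as the STIX pattern grammar expects: backslash and quote are escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def to_pattern(ioc: dict) -> str:
    kind, value = ioc["type"], ioc["value"]
    if kind in VALID and not VALID[kind].match(value.lower()):
        raise ValueError(f"malformed {kind} indicator: {value!r}")
    return f"[{PATHS[kind]} = {stix_literal(value)}]"


def to_indicator(ioc: dict, timestamp: str) -> dict:
    pattern = to_pattern(ioc)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        # uuid5 keeps the id stable across re-exports of the same pattern (a choice, not a STIX rule)
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, pattern)),
        "created": timestamp,
        "modified": timestamp,
        "name": f"{ioc['type']}: {ioc['value']}",
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": timestamp,
        "confidence": CONFIDENCE[ioc["confidence"]],
        "labels": [ioc["confidence"]],
    }


def build_bundle(iocs: list, timestamp: str) -> dict:
    objects = [to_indicator(i, timestamp) for i in iocs]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


def blocklist(iocs: list) -> dict:
    """Only confirmed indicators go to SIEM/EDR/firewall blocklists; lower tiers are for hunting."""
    out = {}
    for i in iocs:
        if i["confidence"] == "confirmed":
            out.setdefault(i["type"], []).append(i["value"])
    return out


def retro_hunt(log_lines: list, iocs: list) -> list:
    """(line_no, type, value) for every IOC that appears in historical logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        hits += [(n, i["type"], i["value"]) for i in iocs if i["value"].lower() in low]
    return hits


# Constructed IOC set; the hash is a placeholder, the domain uses the reserved .example TLD.
IOCS = [
    {"type": "sha256", "value": "a" * 64, "confidence": "confirmed"},
    {"type": "domain", "value": "update-check.example", "confidence": "confirmed"},
    {"type": "ipv4", "value": "203.0.113.10", "confidence": "confirmed"},
    {"type": "registry", "value": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "confidence": "suspicious"},
    {"type": "mutex", "value": r"Global\svc_upd_7f3", "confidence": "suspicious"},
    {"type": "user_agent", "value": "Mozilla/4.0 (compatible; MSIE 6.0)", "confidence": "informational"},
]
# Constructed proxy log lines for the retroactive search.
PROXY_LOG = [
    "2024-03-01T10:02:11Z ws-0143 GET http://update-check.example/u.bin 200",
    "2024-03-01T10:02:12Z ws-0143 CONNECT 203.0.113.10:443",
    "2024-03-01T10:05:40Z ws-0188 GET http://intranet.corp.example/ 200",
]

if __name__ == "__main__":
    print(json.dumps(build_bundle(IOCS, "2024-03-01T12:00:00.000Z"), indent=2))
    print(blocklist(IOCS))
    print(retro_hunt(PROXY_LOG, IOCS))
```

The registry key is kept in the suspicious tier on purpose: a Run value named "Updater" is a weak indicator on its own and would generate noise on a blocklist, but it is still worth a hunt query and worth sharing with the campaign context attached.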
Creating YARA Rules
YARA rules allow you to detect malware variants that share common characteristics. After completing your analysis, identify unique strings, byte sequences, or structural patterns in the malware that are unlikely to appear in legitimate software. Write a YARA rule that combines multiple conditions to reduce false positives. Test the rule against a corpus of known-good files and known malware samples. Deploy validated rules to your endpoint and email scanning tools. Maintain a rule repository with version control so your detection library grows with each investigation.
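To make the "combine multiple conditions" and "test against a corpus" steps concrete, the following is an added example written for this playbook, not Hunto AI code and not a replacement for YARA itself. It generates a rule whose condition requires a PE header, a size cap and N of the selected strings (plus any hex patterns), and it includes a small local evaluator that mirrors exactly that condition subset so the string selection can be sanity-checked against a constructed corpus of known-good and known-bad files before the real rule is validated with `yara -r`. The family strings, the corpus and the rule metadata are all constructed for the example.

```python
import re

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2}


def yara_escape(s: str) -> str:
    """Escape backslashes and double quotes for a YARA text-string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, meta: dict, text_strings: list, hex_strings: list,
               min_match: int, max_size: str = "2MB") -> str:
    """Emit a YARA rule: PE header, size cap, min_match of the text strings,
    and every hex pattern (if any). Several conditions together cut false positives."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid rule identifier: {name!r}")
    if not 1 <= min_match <= len(text_strings):
        raise ValueError("min_match must be between 1 and the number of text strings")
    lines = [f"rule {name}", "{", "    meta:"]
    lines += [f'        {k} = "{yara_escape(str(v))}"' for k, v in meta.items()]
    lines.append("    strings:")
    lines += [f'        $s{i} = "{yara_escape(s)}" ascii wide' for i, s in enumerate(text_strings)]
    lines += [f"        $h{i} = {{ {h} }}" for i, h in enumerate(hex_strings)]
    cond = ["uint16(0) == 0x5A4D", f"filesize < {max_size}", f"{min_match} of ($s*)"]
    if hex_strings:
        cond.append("all of ($h*)")
    lines += ["    condition:", "        " + " and ".join(cond), "}"]
    return "\n".join(lines)


def parse_size(s: str) -> int:
    m = re.fullmatch(r"(\d+)(KB|MB)?", s)
    if not m:
        raise ValueError(f"bad size: {s!r}")
    return int(m.group(1)) * SIZE_UNITS.get(m.group(2), 1)


def matches(data: bytes, text_strings: list, hex_strings: list, min_match: int,
            max_size: str = "2MB") -> bool:
    """Local approximation of the generated condition (MZ header, size cap, min_match
    strings in ASCII or UTF-16LE, every plain hex pattern). It only checks string
    selection; the deployed rule is still validated by running yara itself."""
    if data[:2] != b"MZ" or len(data) >= parse_size(max_size):
        return False
    hits = sum(1 for s in text_strings
               if s.encode("ascii") in data or s.encode("utf-16-le") in data)
    if hits < min_match:
        return False
    return all(bytes.fromhex(h) in data for h in hex_strings)


def check_corpus(goodware: dict, malware: dict, **rule) -> dict:
    """Known-good files the rule hits (false positives) and known samples it misses;
    both lists should be empty before the rule ships."""
    return {
        "false_positives": [n for n, d in goodware.items() if matches(d, **rule)],
        "misses": [n for n, d in malware.items() if not matches(d, **rule)],
    }


# Constructed family strings: the mutex and URI are invented for this example,
# the Run key is deliberately generic to show why one string alone is not enough.
FAMILY_STRINGS = ["Global\\svc_upd_7f3", "/gate.php?id=",
                  "Software\\Microsoft\\Windows\\CurrentVersion\\Run"]
PE_STUB = b"MZ" + b"\x00" * 62
MALWARE = {  # constructed "samples": v2 carries one string as UTF-16LE
    "dropper_v1": PE_STUB + b"Global\\svc_upd_7f3\x00/gate.php?id=\x00",
    "dropper_v2": PE_STUB + "/gate.php?id=".encode("utf-16-le")
                  + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00",
}
GOODWARE = {  # constructed known-good: an installer that legitimately touches the Run key
    "installer": PE_STUB + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00",
    "notes.txt": b"Global\\svc_upd_7f3 /gate.php?id= Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}

if __name__ == "__main__":
    print(build_rule("Dropper_Family_v1", {"author": "SOC", "description": "constructed example"},
                     FAMILY_STRINGS, [], 2))
    print(check_corpus(GOODWARE, MALWARE, text_strings=FAMILY_STRINGS, hex_strings=[], min_match=2))
```

With `min_match=2` the corpus check is clean; dropping to `1 of ($s*)` makes the installer a false positive because the Run-key string is shared with legitimate software, which is the reason the condition combines several strings with the PE header and size checks. Save the generated text to a `.yar` file and commit it to the rule repository alongside the corpus results.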
Frequently Asked Questions
Is it safe to analyze malware on our corporate network?
Never analyze malware on a production system or corporate network. Use an isolated analysis environment with no connectivity to corporate resources. Virtual machines with snapshot capabilities, air-gapped workstations, or cloud-based sandboxes are all appropriate options.
What if the malware detects the sandbox and does not execute?
Many modern malware samples include anti-analysis techniques. Try a different sandbox, adjust the VM configuration to look more like a real workstation (user files, browser history, realistic hostname), or use manual debugging in a controlled environment.
How do we handle encrypted or packed malware?
For known packers such as UPX, use the packer's own unpacking mode or a dedicated unpacker. For custom packing, run the sample under a debugger in a controlled environment, let it unpack itself, and dump the unpacked payload from memory. High entropy in static analysis is a strong indicator of packing.
Should every SOC analyst know how to analyze malware?
All SOC analysts should know basic triage: hash lookups, sandbox submission, and IOC extraction. Deeper static and dynamic analysis is typically an L3 or specialized skill. Build the capability within the team and provide training opportunities.
How do we share malware analysis findings with the broader team?
Write a structured malware analysis report covering the sample metadata, behavior summary, IOCs, and recommended actions. Share it through your internal wiki or threat intelligence platform. For industry sharing, use anonymized IOCs through your ISAC.
