Module 11: Malware Analysis Fundamentals

Understand what malware does — static, dynamic, and document-based.

Tools: YARA, CyberChef, oletools

6 Lessons, 6 Hands-on Labs
Operation Shadow Broker Thread

You'll analyze the attacker's payload — PE structure, strings, and behavioral indicators.

Lessons & Labs

Static Analysis: PE Structure & Strings

PE file format, sections, headers, extracting strings, identifying suspicious indicators

Lab 11.1 — PE File Analysis

Analyze a suspicious executable: extract strings, examine PE headers, identify imports, and determine likely malware family.

Intermediate

Static Analysis: Hashing, Packing & Imports

File hashing, packer detection, import table analysis, identifying malicious API calls

Lab 11.2 — Packer Detection & Hash Analysis

Identify packed samples, calculate hashes, check VirusTotal, and use YARA rules to classify samples.

Intermediate

Dynamic Analysis: Process & File Monitoring

Process Monitor, Process Explorer, Autoruns — watching malware execute in a sandbox

Lab 11.3 — Behavioral Analysis

Monitor a malware sample's process, file, and registry activity. Document the complete behavioral profile.

Advanced

Dynamic Analysis: Network & Registry Monitoring

Network activity capture, registry changes, DNS requests — building the behavioral profile

Lab 11.4 — Malware Network Analysis

Capture and analyze malware network traffic: identify C2 servers, DNS queries, and data exfiltration patterns.

Advanced

Office Document & Macro Analysis

VBA macros, OLE objects, oletools (olevba, oleid), deobfuscation techniques

Lab 11.5 — Malicious Document Analysis

Analyze a suspicious Office document: extract VBA macros, deobfuscate code, identify payload delivery mechanism.

Advanced

Reading Sandbox Reports & Putting It Together

Interpreting Any.Run, Hybrid Analysis, VirusTotal reports; building a complete malware analysis report

Lab 11.6 — Sandbox Report Analysis

Browser-only: Given sandbox reports from Any.Run and Hybrid Analysis, extract IOCs, map TTPs, and write a malware analysis summary.

Intermediate