performing-static-malware-analysis-with-pe-studio

# Performing Static Malware Analysis with PEStudio ## When to Use - A suspicious Windows executable has been collected and needs initial triage before sandbox execution - You need to identify imports, strings, and resources that reveal malware functionality without running the sample - Determining whether a PE file is packed, obfuscated, or contains anti-analysis techniques - Extracting indicators of compromise (hashes, URLs, IPs, registry keys) embedded in a binary - Classifying a sample's capabilities based on its import table and section characteristics **Do not use** for dynamic behavioral analysis requiring execution; use a sandbox (Cuckoo, ANY.RUN) for runtime behavior observation. ## Prerequisites - PEStudio (free edition from https://www.winitor.com/) installed on an isolated analysis workstation - Python 3.8+ with `pefile` library for scripted PE analysis (`pip install pefile`) - CFF Explorer or PE-bear as supplementary PE analysis tools - Access to VirusTotal API for hash lookups and community intelligence - Isolated analysis VM with no network connectivity to production systems - FLOSS (FireEye Labs Obfuscated String Solver) for extracting obfuscated strings ## Workflow ### Step 1: Compute File Hashes and Verify Sample Integrity Generate cryptographic hashes for identification and intelligence lookup: ```bash # Generate MD5, SHA-1, and SHA-256 hashes md5sum suspect.exe sha1sum suspect.exe sha256sum suspect.exe # Check hash against VirusTotal curl -s -X GE...