Static analysis workflow
Triage → strings → PE analysis → YARA → network IOC extraction
Commands
file malware.exe
sha256sum malware.exe && md5sum malware.exe
sha256sum malware.exe | cut -d" " -f1 | xargs -I{} curl -s "https://www.virustotal.com/api/v3/files/{}" -H "x-apikey: $VT_KEY"
exiftool malware.exe   # compilation timestamp, linker version, original filename

Look for
- File type mismatch (extension vs magic bytes)
- Hash matches known malware families on VT
- Compilation timestamp (0 or in the future = wiped)
- Original filename in version info
- Linker version (old linker = old sample or fake timestamp)
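An added example (not part of the original notes) that automates the checks above in Python: hashes, extension vs magic-byte mismatch, and the compile timestamp and linker version read straight from the PE header. The PE bytes are constructed inline so it runs offline; the VT lookup stays with the curl command above.

```python
import hashlib
import struct
import time

# Constructed minimal PE image for offline demonstration (not a real sample):
# DOS header with e_lfanew at 0x3C, "PE\0\0", COFF header, start of optional header.
def build_fake_pe(timestamp, linker_major, linker_minor):
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB", 0x10B, linker_major, linker_minor) + bytes(0xE0 - 4)
    return bytes(dos) + b"PE\0\0" + coff + opt

def file_hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def magic_type(data):
    # Minimal magic-byte sniffing; `file`/libmagic knows far more formats
    for magic, kind in ((b"MZ", "pe"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf")):
        if data.startswith(magic):
            return kind
    return "unknown"

def pe_header_fields(data):
    # Walk DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> optional header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header but no PE signature")
    _, nsect, ts, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, e_lfanew + 24)
    return {"timestamp": ts, "linker": f"{lmaj}.{lmin}", "sections": nsect, "pe32plus": magic == 0x20B}

def triage(data, filename, now=None):
    # Returns hashes, sniffed type, PE header fields and a list of triage findings
    now = int(time.time()) if now is None else now
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, fields, findings = magic_type(data), {}, []
    expected = {"exe": "pe", "dll": "pe", "sys": "pe", "pdf": "pdf", "zip": "zip"}
    if ext in expected and expected[ext] != kind:
        findings.append(f"extension .{ext} but magic bytes say {kind}")
    if kind == "pe":
        try:
            fields = pe_header_fields(data)
        except ValueError as err:
            findings.append(str(err))
    if fields and (fields["timestamp"] == 0 or fields["timestamp"] > now):
        findings.append("compile timestamp is zero or in the future (wiped or faked)")
    return {"hashes": file_hashes(data), "type": kind, "pe": fields, "findings": findings}
```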
Never execute the sample on the analysis machine. Hash it first and check VT before doing any other work; a known sample saves hours.