We begin our exploration of malware analysis with static analysis, which is usually the first step in studying malware. Static analysis describes the process of analyzing the code or structure of a program to determine its function. The program itself is not run at this time. In contrast, when performing dynamic analysis, the analyst actually runs the program, as you’ll learn in Chapter 3.
This chapter discusses multiple ways to extract useful information from executables. In this chapter, we’ll discuss the following techniques:
Using antivirus tools to confirm maliciousness
Using hashes to identify malware
Gleaning information from a file’s strings, functions, and headers
Each technique can provide different information, and the ones you use depend on your goals. Typically, you’ll use several techniques to gather as much information as possible.