Test a sample to see whether it is malware.
This is a toy tool, so please don't use it for commercial purposes. It sends a file or a string to existing scanning engines and reports whether they flag it as malicious. It's small and extensible.
There are currently two versions, but I'm focused on the online version. My desktop version is retired for now. It is useful for a quick look-up of what is already known about a sample.
As this is mostly static analysis, you can automate it into your analysis workflow. A typical workflow looks like this, in short:
triage -> static analysis -> dynamic analysis -> report
Static malware analysis means analyzing the sample without running it. The first step is to compute the cryptographic hash of the binary and look it up, since a hash match against a public database tells you immediately whether the sample is already known.
Most major operating systems ship a tool for this (sha256sum or shasum on *nix, certutil -hashfile or Get-FileHash on Windows); you can also write one, as I did for the desktop version. Record MD5, SHA-1 and SHA-256 together: SHA-256 is the one to trust, but many databases are still indexed by the older two.
Following that, you can reverse engineer the sample by loading the binary into a disassembler or decompiler such as IDA Pro. If the sample is packed (UPX, as in the example below), unpack it first (upx -d for UPX); otherwise the disassembler shows you only the unpacking stub, not the real code.
I recommend setting up an isolated lab. A poor man's working lab is a separate computer devoted to this task. It's more of an art than science. There are pre-built analysis distributions you can use if you look them up; the commands below are for REMnux running as a VirtualBox guest. I recommend this setup because this was the setup I used:
update-remnux
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install virtualbox-guest-utils virtualbox-guest-x11 virtualbox-guest-dkms
sudo adduser remnux vboxsf
Adding the remnux user to the vboxsf group lets the guest read VirtualBox shared folders. That is convenient for copying samples in, but a shared folder is also a path back to the host, so disable it (and networking) while a sample actually runs.
Other techniques include verifying the file type, querying public databases and parsing the PE (Portable Executable, the Windows binary format) headers.
Using "Bombermania.exe" as an example, start by checking the file type. On most *nix boxes you can just run the file command:
file Bombermania.exe
This should yield:
Bombermania.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
You can also use the Python bindings for libmagic (pip install --user python-magic), but the results are not always consistent with the file command, since they depend on which libmagic version the bindings link against.
Once you have the file's hash, as I have here, putting it into the Malware Scanner should yield something like this:
Additional detail includes when it was first submitted, creation date, etc. This one was (at the time of writing in 2017) created in 2005 and first submitted in 2009. Treat the creation date as a hint only: it typically comes from the PE header's compile timestamp, which whoever built the binary can set to anything.
You can dig into the PE. Often the PE header alone gives strong hints (packer section names such as UPX0/UPX1, an implausible compile timestamp, sections with no data on disk), although it can never prove a file is benign. You can use PE-Header-Parser or Icon-Extractor.
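The steps above (hash the sample, confirm it really is a PE rather than trusting the extension, read the compile timestamp and section table, and produce a one-line description like the file output shown earlier) can be done in a few dozen lines of standard-library Python. The following is an added example written for this page; it is not the Malware Scanner's code nor PE-Header-Parser. It parses only the DOS header, PE signature, COFF header, optional-header magic/subsystem and section table, and the UPX and empty-section checks are heuristics. The build_sample_pe helper constructs a minimal, non-executable PE32 image purely as test input; run the script with a path to triage a real file instead.

```python
import hashlib
import struct
import sys
from datetime import datetime, timezone

# Lookup tables for this example: only the values needed to label common samples.
MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "native", 2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def file_hashes(data: bytes) -> dict:
    """Digests used by public databases; MD5 and SHA-1 are kept only because indexes still key on them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, PE signature, COFF header, optional-header magic/subsystem and section table."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("no MZ header: not a DOS/Windows executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header but no PE signature: plain DOS program or truncated file")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 70 or opt_off + opt_size > len(data):
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]          # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            raise ValueError(f"section table truncated at entry {i}")
        name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return {
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"unknown magic 0x{magic:x}"),
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        # TimeDateStamp is whatever the linker (or the sample's author) wrote: a hint, not evidence.
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "sections": sections,
        # Heuristics, not proof: UPX leaves its section names in place, and packers commonly map a
        # section with no data on disk that the unpacking stub fills at run time.
        "packer": "UPX" if any(s["name"].startswith("UPX") for s in sections) else None,
        "suspicious_sections": [s["name"] for s in sections if s["raw_size"] == 0 and s["virtual_size"] > 0],
    }


def is_pe(data: bytes) -> bool:
    try:
        parse_pe(data)
        return True
    except ValueError:
        return False


def describe(info: dict) -> str:
    """One-line summary in the style of file(1) output."""
    kind = "DLL" if info["is_dll"] else "executable"
    text = f"{info['format']} {kind} ({info['subsystem']}) {info['machine']}, for MS Windows"
    if info["packer"]:
        text += f", {info['packer']} compressed"
    return text


def build_sample_pe(timestamp: int, sections) -> bytes:
    """Constructed test input: DOS header, PE signature, COFF header, PE32 optional header and a
    section table with no section bodies. It parses like a real binary but cannot execute."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header directly after the DOS header
    opt = bytearray(224)                   # size of a PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 68, 2)     # Subsystem = Windows GUI
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for name, vsize, rawsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # With a path argument, triage that file; otherwise run on the constructed UPX-style sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_pe(1110000000, [("UPX0", 0x10000, 0), ("UPX1", 0x5000, 0x4A00), (".rsrc", 0x1000, 0x800)])
    for algo, digest in file_hashes(blob).items():
        print(f"{algo}: {digest}")
    if is_pe(blob):
        info = parse_pe(blob)
        print(describe(info))
        print("compiled:", info["compiled"].isoformat(), "suspicious sections:", info["suspicious_sections"])
    else:
        print("not a PE file; try file(1) or python-magic for the real type")
```

Run without arguments and the constructed sample describes itself the same way file described Bombermania.exe above, with UPX0 flagged because it occupies memory but has no bytes on disk; the hashes printed first are what you would paste into the scanner. Every check that can fail on a hostile input (short file, bad e_lfanew, truncated headers) raises instead of indexing past the end, which matters because a triage script sees deliberately malformed files.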
Ultimately what you do depends on your own or your organization's goals, but your report should include at least the following: