This document provides a detailed overview of the Static Malware Analysis project, summarizing its objectives, scope, and technical background as outlined in the original academic report.
The primary objective of this project was to develop a Python-based tool to automate the static analysis of suspicious files, such as executables (.exe), PDFs, and documents. The system is designed to perform a detailed analysis of a file's structure and contents without executing it, generating a comprehensive report to help determine if the file is malicious.
Malware infections pose a significant threat to both individuals and organizations. A successful infection can lead to data theft, file deletion, system compromise, and severe financial or reputational damage. Therefore, it is crucial to have methods for identifying these threats before they can cause harm. This project addresses that need by providing a safe, initial step in the analysis process.
The analysis script was designed with a clear scope to identify key indicators of malicious behavior. Its capabilities include:
- File Type Verification: Checking and verifying the true file type.
- String & Keyword Analysis: Extracting all strings and using regular expressions to search for known malicious signatures, IP addresses, URLs, or other keywords.
- System Interaction Analysis: Identifying strings that suggest the file may attempt to access or modify the Windows Registry or make suspicious system calls.
- Cryptography Detection: Checking for the presence of common cryptography algorithms, which could indicate data encryption or obfuscation techniques.
- Network Activity Detection: Searching for strings that indicate the file might try to establish unknown network connections.
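The checks listed above, condensed into one runnable sketch. This is an added example, not the project's own script: the magic-byte table, the indicator regexes and the sample bytes are illustrative assumptions, and the sample is a constructed byte string, not a real binary.

```python
import re

# Assumed magic-byte table for the three file classes the project targets
MAGIC = {b"MZ": "PE executable", b"%PDF": "PDF document", b"PK\x03\x04": "OOXML/ZIP document"}

# Illustrative indicator patterns, one per analysis category listed above
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[\w.\-/%?=&]+", re.I),
    "registry": re.compile(r"(?:HKEY_[A-Z_]+|HKLM|HKCU)\\[\w\\ ]+"),
    "crypto": re.compile(r"\b(?:AES|RC4|RSA|DES|Blowfish|CryptEncrypt|CryptDecrypt)\b"),
    "network": re.compile(r"\b(?:WSAStartup|socket|connect|InternetOpenA|URLDownloadToFileA)\b"),
    "system": re.compile(r"\b(?:RegSetValueExA|RegCreateKeyExA|CreateRemoteThread|WriteProcessMemory|ShellExecuteA)\b"),
}

def detect_type(data: bytes) -> str:
    # Trust the leading bytes, not the file extension
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def extract_strings(data: bytes, min_len: int = 4) -> list:
    # Runs of printable ASCII, the same idea as the Unix `strings` tool
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def analyze(data: bytes) -> dict:
    strings = extract_strings(data)
    joined = "\n".join(strings)
    report = {"file_type": detect_type(data), "string_count": len(strings)}
    for name, pat in PATTERNS.items():
        report[name] = sorted(set(pat.findall(joined)))
    return report

# Constructed sample: a fake PE header followed by NUL-separated strings (not a real binary)
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 +
          b"http://example.test/update.bin\x00"
          b"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          b"WSAStartup\x00connect\x00RegSetValueExA\x00CryptEncrypt\x00192.0.2.10\x00")

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

A hit in any category is an indicator to weigh, not a verdict: benign software also opens sockets and writes Run keys, which is why the project's output is a report rather than a yes/no answer.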
The following diagrams illustrate the design and architecture of the system from different perspectives.
Below are screenshots demonstrating the tool in action, showing the input process and sample output from the analysis.
The system was validated against a set of core test cases to ensure its functionality:
| Test Case ID | Description | Expected Result | Status |
|---|---|---|---|
| MH01 | Analyze a known malicious file. | A report identifying malicious indicators is generated. | Pass |
| MH02 | Analyze a known non-malicious (benign) file. | A report showing no malicious indicators is generated. | Pass |
| MH03 | Provide a path to a non-existent file. | An error message: "File doesn’t exist." | Pass |
| MH04 | Run the script with no input file. | The program's help manual is displayed. | Pass |
While the project successfully met its objectives, there is significant potential for future enhancements:
- Machine Learning Integration: Implement a supervised machine learning model. By training the system on a dataset of malicious and benign files, it could learn to identify new malware signatures automatically.
- Malware Classification: Enhance the system to classify malware into families (e.g., ransomware, trojan, spyware) and provide a more detailed report on the specific harm it could cause.