Malware Triage

Systematic workflow for rapid malware assessment, classification, and prioritization for professional malware analysis and enterprise security operations.

When to Use This Skill

Use this skill when the user needs to:

• Perform initial assessment of malware samples
• Quickly classify and prioritize samples
• Identify key indicators without deep analysis
• Decide whether to proceed with full analysis
• Triage multiple samples efficiently
• Create initial findings summary
• Predict malware behaviors before dynamic analysis

Overview

Triage is the critical first phase of malware analysis that:

1. Quickly identifies key characteristics
2. Classifies malware type and threat level
3. Determines analysis priority
4. Predicts behaviors to guide deeper analysis
5. Extracts immediate IOCs

Goal: Make informed decisions about analysis approach within 5-30 minutes per sample.

Triage Workflow

Phase 1: Basic Information Gathering (5 minutes)

Calculate Hashes:

python scripts/hash_calculator.py sample.exe

Document:

• MD5, SHA1, SHA256
• Original filename
• File size
• File type (PE32/PE64/Script/Document)

Check Online Reputation:

• VirusTotal (virustotal.com)
• MalwareBazaar (bazaar.abuse.ch)
• Hybrid Analysis
• Any.Run

Record:

• Detection rate
• Known family name (if identified)
• Previous submission dates
• Community comments

Phase 2: Quick Static Analysis (10 minutes)

For PE Files:

1. Check packing/obfuscation

   • Use Detect It Easy (DIE) or PEiD
   • Check entropy (>7.0 = likely packed)
   • Document packer name if identified

2. Examine PE structure

   • Compilation timestamp
   • Section names and characteristics
   • Digital signature status
   • Entry point location
   • Overlay data presence

3. Review import table

   • See

     references/indicators.md

     for suspicious APIs
   • Note process injection functions
   • Note network functions
   • Note anti-analysis functions

4. Extract strings

   • URLs and IP addresses
   • File paths
   • Registry keys
   • Mutex names
   • Error messages
   • Email addresses

For Scripts (PowerShell, VBS, JavaScript):

1. Check obfuscation level
2. Look for Base64/hex encoding
3. Identify download/execute patterns
4. Extract URLs and IPs
5. Check for embedded payloads

For Office Documents:

1. Check for macros
2. Examine OLE streams
3. Look for external references
4. Check metadata
5. Identify exploit indicators

Packed Sample Handling

When a sample is packed or protected, static analysis yields limited results. Identify and document packing before proceeding.

Identify Packing:

• Entropy analysis — Overall entropy >7.0 or individual sections with entropy >6.8 strongly indicate packing or encryption
• Import table — Very few imports, or imports limited to

  LoadLibrary

  /

  GetProcAddress

  /

  VirtualAlloc

  /

  VirtualProtect

  (runtime loading pattern)
• Section names — Known packer section names:

  UPX0

  ,

  UPX1

  ,

  UPX2

  (UPX);

  .themida

  ,

  .winlicence

  (Themida/WinLicense);

  .vmp0

  ,

  .vmp1

  (VMProtect);

  .aspack

  (ASPack);

  .MPRESS1

  ,

  .MPRESS2

  (MPRESS)
• Section characteristics — Executable sections with no readable strings, or a single large section combining code and data
• PE anomalies — Entry point outside the first section, missing standard sections (

  .text

  ,

  .data

  ,

  .rsrc

  ), or unusually small code section

Common Packers and Indicators:

UPX0

UPX1

UPX!

upx -d sample.exe

.themida

.vmp0

.vmp1

.aspack

aSPack

.MPRESS1

.MPRESS2

.enigma1

.enigma2

What to Do When Packing is Detected:

1. Document packing in triage findings — Note the packer name (if identified), entropy values per section, and import count
2. Attempt UPX unpacking if applicable:

   upx -d packed_sample.exe -o unpacked_sample.exe
   # Verify unpacking succeeded
   python scripts/hash_calculator.py unpacked_sample.exe
   

3. Record both packed and unpacked hashes — The packed hash is the delivery artifact; the unpacked hash may match known malware families
4. Re-run static analysis on the unpacked sample — Import table and strings will be significantly richer
5. Flag for dynamic analysis — For non-UPX packers, the sample must unpack itself in a sandbox; document this as the recommended next step
6. Note sophistication level — Commercial protectors (Themida, VMProtect, Enigma) indicate higher-sophistication threats; custom packers indicate APT-level development

Tools for Packer Detection:

• Detect It Easy (DIE) — Primary tool; identifies 300+ packers and compilers by signature, shows per-section entropy
• PEiD — Signature-based packer detection (older but widely referenced signatures)
• pestudio — PE analysis with packer detection and entropy visualization
• ExeinfoPE — Additional packer signatures, useful when DIE is inconclusive

Triage Report Updates for Packed Samples:

• Set

  Packed: Yes - [Packer name or "Unknown packer"]

  in the File Information section
• Add entropy values per section under PE Analysis
• If unpacked: record unpacked SHA256 and note unpacking method
• Set Sophistication to at minimum Moderate for known packers, Advanced for commercial protectors, Advanced/APT for custom packers
• Add "Requires dynamic analysis for full static indicators" to Next Steps if not UPX-unpacked

Phase 3: Classification (5 minutes)

Determine Malware Type: Consult

references/indicators.md

Common types:

• Trojan/RAT - Remote access, C2 communication
• Ransomware - File encryption, ransom demands
• Infostealer - Credential theft, browser data
• Dropper/Loader - Delivers additional payloads
• Cryptominer - Cryptocurrency mining
• Backdoor - Persistent remote access
• Worm - Self-propagating

Assess Threat Level:

• Critical - Destructive, ransomware, APT
• High - Data theft, full system compromise
• Medium - Limited capabilities, targeted
• Low - Minimal impact, commodity malware

Evaluate Sophistication:

• Simple - Basic functionality, no obfuscation
• Moderate - Some protection, standard techniques
• Advanced - Heavy obfuscation, anti-analysis
• APT-level - Custom, targeted, advanced evasion

Phase 4: Behavior Prediction (5 minutes)

Based on static indicators, predict:

Process Activity:

• Will it create child processes?
• Process injection expected?
• Which processes targeted?

File System:

• Files likely to be created (paths)
• Files likely to be modified
• Files likely to be deleted

Registry:

• Persistence keys likely to be used
• Configuration storage locations
• System modifications expected

Network:

• C2 communication expected?
• Protocol (HTTP/HTTPS/Raw TCP/IRC/DNS)
• Beacon interval pattern
• Data exfiltration likely?

Persistence:

• Mechanism (Run key/Service/Task/Startup)
• Location and method

Phase 5: Priority and Decision (5 minutes)

Determine Priority:

Immediate (analyze now):

• Unknown samples unclear threat
• Active incident-related
• Destructive capabilities
• APT/targeted indicators
• Recent threat intel matches

Standard (normal queue):

• Known variant
• Commodity malware
• Clear signatures available
• Historical/research samples

Low (defer if needed):

• Clearly identified common malware
• Adware/PUP minimal impact
• Old/outdated samples
• Likely false positives

Analysis Decision:

Proceed with full analysis if:

• Unknown/new sample
• Need behavioral confirmation
• Creating signatures required
• Investigating specific functionality

Quick report if:

• Known malware with existing docs
• Time-constrained triage
• Clear identification from reputation check

Triage Report Template

Use this format to document findings:

## Malware Triage Report

**Sample:** [filename]
**Date:** [date]
**Analyst:** [name]

### File Information
- **MD5:** [hash]
- **SHA1:** [hash]
- **SHA256:** [hash]
- **Size:** [bytes]
- **Type:** [PE32/PE64/Script/etc]
- **Packed:** [Yes/No - Packer name]

### Online Reputation
- **VirusTotal:** [XX/YY detections - Link]
- **Known Family:** [Family name or Unknown]
- **First Seen:** [Date or Unknown]

### Static Indicators

**PE Analysis:**
- Compilation Date: [date]
- Digital Signature: [Valid/Invalid/None]
- Sections: [names and entropy]
- Entry Point: [location]

**Suspicious Imports:**
- [DLL]: [Function, Function, ...]
- [Key: Process injection, Network, Anti-analysis]

**Notable Strings:**
- URLs: [list]
- IPs: [list]
- Paths: [list]
- Registry: [list]
- Mutex: [name if found]

### Classification

**Type:** [Trojan/Ransomware/Infostealer/etc]
**Threat Level:** [Critical/High/Medium/Low]
**Sophistication:** [Simple/Moderate/Advanced/APT]

**Primary Capabilities:**
- [Capability 1]
- [Capability 2]
- [Capability 3]

### Predicted Behaviors

**Process Activity:**
- [Expected behavior]

**File System:**
- [Expected modifications]

**Registry:**
- [Expected changes]

**Network:**
- [Expected communication]

**Persistence:**
- [Expected mechanism]

### Initial IOCs

**File Indicators:**
- Hashes listed above
- [Additional file indicators]

**Network Indicators:**
- [IPs from strings]
- [Domains from strings]

**Host Indicators:**
- [Registry keys]
- [File paths]
- [Mutex names]

### Recommendation

**Priority:** [Immediate/Standard/Low]

**Next Steps:**
1. [Action 1 - e.g., Proceed with full dynamic analysis]
2. [Action 2 - e.g., Create YARA rule]
3. [Action 3 - e.g., Search network for IOCs]

**Analysis Approach:**
[Full analysis / Behavioral confirmation / Quick signature creation]

**Estimated Time:** [time estimate for full analysis]

Time Management

Professional Analysis Context

When analyzing multiple samples, efficient triage is critical:

Quick Triage (5 min/sample):

• Hashes + VirusTotal
• Basic file info
• Quick priority decision

Standard Triage (15 min/sample):

• Above + imports analysis
• String extraction
• Classification
• Behavior prediction

Comprehensive Triage (30 min/sample):

• Above + detailed documentation
• Initial IOC list
• Full prediction writeup
• YARA concept notes

Strategy:

• Quick triage ALL samples first
• Prioritize based on findings
• Comprehensive triage high-priority samples
• Defer or quick-report low-priority samples

Key References

Suspicious Indicators

See

references/indicators.md

• Suspicious API imports by category
• Common string patterns
• Behavioral indicators
• Packer signatures
• Red flags by file type
• Quick classification patterns

Detailed Checklist

See

references/triage_checklist.md

• Complete step-by-step checklist
• Decision tree guidance
• Dynamic analysis go/no-go criteria
• Common pitfalls to avoid
• Tools quick reference

Tools and Scripts

Hash Calculator

# Run from the malware-triage/ directory:
python scripts/hash_calculator.py <sample_path>

# Or from the repo root:
python malware-triage/scripts/hash_calculator.py <sample_path>

Quickly calculates all three hashes (MD5, SHA1, SHA256) for documentation.

Recommended External Tools

Static Analysis:

• Detect It Easy (DIE) - Packer detection
• PEStudio - PE analysis
• strings / FLOSS - String extraction
• HxD - Hex editor
• CFF Explorer - PE structure

Online Services:

• VirusTotal - Multi-engine scanning
• MalwareBazaar - Sample database
• Hybrid Analysis - Automated analysis
• Any.Run - Interactive sandbox

Best Practices

Do:

• Always calculate all three hashes immediately
• Check multiple reputation sources
• Document findings as you discover them
• Use checklists to ensure completeness
• Consider false positive possibilities
• Predict behaviors before dynamic analysis
• Prioritize samples logically

Don't:

• Skip basic file information
• Rely solely on VirusTotal results
• Assume packing means malicious
• Execute without proper isolation
• Trust timestamps (easily forged)
• Ignore negative findings
• Rush classification decisions

Efficiency Tips:

1. Have tools ready and scripts prepared
2. Use templates for documentation
3. Automate hash calculation
4. Keep a reference of common indicators
5. Build up a personal knowledge base
6. Take notes during, not after
7. Use multiple monitors if possible

Common Triage Scenarios

Scenario 1: Unknown Executable

1. Calculate hashes → not found online
2. Check packing → heavily packed
3. Review imports → suspicious injection/network APIs
4. Classification → likely trojan/RAT
5. Decision → Full analysis required

Scenario 2: Suspicious Document

1. Calculate hashes → 0 detections
2. Check macros → obfuscated VBA
3. Extract strings → download URLs found
4. Classification → dropper via macro
5. Decision → Dynamic analysis of macro behavior

Scenario 3: Known Malware Variant

1. Calculate hashes → 50+ detections, identified as Emotet
2. Review VirusTotal → well-documented
3. Quick checks → confirms expected indicators
4. Classification → confirmed Emotet variant
5. Decision → Quick report, no deep analysis needed

Integration with Full Analysis

Triage findings guide the full analysis:

Use predictions to:

• Know what to monitor during dynamic analysis
• Set up appropriate monitoring tools
• Focus on predicted areas first
• Validate or refute hypotheses

Triage report becomes:

• Introduction section of full report
• Hypothesis to test during analysis
• Quick reference during investigation
• Foundation for IOC development

Quality Checklist

Before concluding triage:

• All three hashes calculated and verified
• Online reputation checked (at least VirusTotal)
• File type and basic info documented
• Packing status determined
• Key imports identified
• Notable strings extracted
• Classification assigned with reasoning
• Threat level assessed
• Behaviors predicted
• Priority determined
• Next steps documented
• Initial IOCs listed
• Findings clearly documented

Example Usage

User request: "I have a suspicious .exe file, help me triage it"

Workflow:

1. Guide user to calculate hashes
2. Check online reputation together
3. Examine PE structure and imports
4. Extract and review strings
5. Classify based on indicators
6. Predict behaviors
7. Recommend next steps
8. Create triage report