============================================================
  Static Properties Analysis
============================================================

  Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents.

  Related FOR610 Labs: 1.1, 2.1, 4.1

────────────────────────────────────────────────────────────

  Step 1: File Identification & Hashing
  Tools: file, trid, exiftool, sha256sum
  Determine file type using magic bytes. Compute hashes
  (MD5, SHA256) for lookup and documentation. Record
  file size and timestamps.

    $ file specimen.exe
    $ trid document.doc
    $ exiftool document.pdf

  Step 2: Reputation Check
  Tools: malwoverview, virustotal-search
  Look up hash on VirusTotal/MalwareBazaar. If known
  malware, note family name and detection rate. If clean
  or unknown, continue analysis.

    $ malwoverview -v <hash>

  Step 3: Packing & Entropy Check
  Tools: diec, peframe
  Check for packing indicators and high entropy
  sections. Look for: unusual section names, small
  import table, high entropy (>7.0). If packed, consider
  the Unpacking Workflow.

    $ diec specimen.exe
    $ peframe specimen.exe

  Step 4: String Extraction
  Tools: strings, floss, pestr
  Extract readable strings. Use FLOSS for
  obfuscated/stack strings. Look for: URLs, IPs,
  domains, registry keys, file paths, error messages,
  API names.

    $ strings binary.exe
    $ floss specimen.exe
    $ pestr specimen.exe

  Step 5: Capability Detection
  Tools: capa, yara
  Identify capabilities mapped to MITRE ATT&CK. Scan
  with YARA rules for known malware families. Look for:
  persistence, C2, evasion, lateral movement
  capabilities.

    $ capa specimen.exe
    $ yara-rules specimen.bin

  Step 6: Import & Export Analysis
  Tools: peframe, capa
  Examine imported DLLs and functions. Map imports to
  behavior categories: networking (ws2_32), crypto
  (advapi32), process manipulation (kernel32). Check
  exports for DLL functionality.

    $ peframe specimen.exe
    $ capa specimen.exe

  Step 7: Disassembly (if needed)
  Tools: ghidra, cutter, radare2
  Load into disassembler for code-level analysis. Start
  at entry point, trace key functions. Use decompiler
  for C-like view.

    $ ghidra
    $ cutter specimen.exe
    $ r2 specimen.exe

  Step 8: Document Findings
  Record IOCs: hashes, IPs, domains, file paths,
  registry keys, mutexes. Classify: malware family,
  capabilities, confidence level. Decide: continue to
  behavioral analysis?
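
  A worked version of Steps 1 and 3 (magic-byte identification, hashing, per-section entropy and packing indicators), added here as an example and not part of the fhelp cheatsheet or of any tool listed above. It parses the PE section table by hand so it needs only the Python standard library, and the specimen it analyses is a constructed, non-executable PE image built inline.

```python
import hashlib
import math
import struct
from collections import Counter
MAGICS = [(b"MZ", "PE"), (b"\x7fELF", "ELF"), (b"%PDF", "PDF"),  # Step 1: magic bytes per file type
          (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2"), (b"PK\x03\x04", "ZIP")]
PACKED_ENTROPY = 7.0  # Step 3 threshold from the workflow

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(data: bytes) -> list:
    """Walk the PE section table by hand (no pefile dependency) and score each section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    off, out = e_lfanew + 24 + opt_size, []
    for _ in range(nsect):
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        out.append({"name": name, "entropy": round(ent, 2),
                    "suspicious": ent > PACKED_ENTROPY or name.upper().startswith("UPX")})
        off += 40  # sizeof(IMAGE_SECTION_HEADER)
    return out

def triage(data: bytes) -> dict:
    """Steps 1 and 3: file type from magic bytes, hashes, size, packing indicators."""
    r = {"type": next((n for m, n in MAGICS if data.startswith(m)), "unknown"), "size": len(data),
         "md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}
    if r["type"] == "PE":
        r["sections"] = pe_sections(data)
        r["likely_packed"] = any(s["suspicious"] for s in r["sections"])
    return r

def build_sample_pe(sections) -> bytes:
    """Constructed, non-executable PE image for offline testing: DOS header, PE signature, COFF header with empty optional header, section table, raw data."""
    e_lfanew, ptr = 0x40, 0x40 + 24 + 40 * len(sections)
    image = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    for name, body in sections:
        image += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), 0, len(body), ptr, 0, 0, 0, 0, 0)
        ptr += len(body)
    return image + b"".join(body for _, body in sections)
# Constructed specimen: a plain code-like section beside a high-entropy section named like a UPX stub.
SAMPLE = build_sample_pe([(b".text", b"\x55\x8b\xec\x90" * 128), (b"UPX1", bytes(range(256)) * 4)])
```

  On a real specimen, read the file as bytes and pass it to triage(); a section over the 7.0 threshold or a UPX-style name is the cue to branch into the Unpacking Workflow.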

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
