# Static Properties Analysis

> Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents.

**FOR610 Labs:** 1.1, 2.1, 4.1

## Steps

### Step 1: File Identification & Hashing

**Tools:** [[tools/file|file]], [[tools/trid|trid]], [[tools/exiftool|exiftool]], [[tools/sha256sum|sha256sum]]

Determine the file type from its magic bytes, not its extension. Compute hashes (MD5, SHA256) for reputation lookup and documentation. Record file size and timestamps.

```bash
file specimen.exe
trid document.doc
exiftool document.pdf
```

### Step 2: Reputation Check

**Tools:** [[tools/malwoverview|malwoverview]], [[tools/virustotal-search|virustotal-search]]

Look up the hash on VirusTotal/MalwareBazaar. If it is known malware, note the family name and detection rate. If it is clean or unknown, continue the analysis.

```bash
malwoverview -v
```

### Step 3: Packing & Entropy Check

**Tools:** [[tools/diec|diec]], [[tools/peframe|peframe]]

Check for packing indicators and high-entropy sections. Look for: unusual section names, a small import table, high entropy (>7.0). If the file is packed, consider the Unpacking Workflow.

```bash
diec specimen.exe
peframe specimen.exe
```

### Step 4: String Extraction

**Tools:** [[tools/strings|strings]], [[tools/floss|floss]], [[tools/pestr|pestr]]

Extract readable strings. Use FLOSS for obfuscated or stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names.

```bash
strings binary.exe
floss specimen.exe
pestr specimen.exe
```

### Step 5: Capability Detection

**Tools:** [[tools/capa|capa]], [[tools/yara|yara]]

Identify capabilities mapped to MITRE ATT&CK. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities.

```bash
capa specimen.exe
yara-rules specimen.bin
```

### Step 6: Import & Export Analysis

**Tools:** [[tools/peframe|peframe]], [[tools/capa|capa]]

Examine imported DLLs and functions. Map imports to behavior categories: networking (ws2_32), crypto (advapi32), process manipulation (kernel32). Check exports for DLL functionality.

```bash
peframe specimen.exe
capa specimen.exe
```

### Step 7: Disassembly (if needed)

**Tools:** [[tools/ghidra|ghidra]], [[tools/cutter|cutter]], [[tools/radare2|radare2]]

Load the file into a disassembler for code-level analysis. Start at the entry point and trace key functions. Use the decompiler for a C-like view.

```bash
ghidra
cutter specimen.exe
r2 specimen.exe
```

### Step 8: Document Findings

Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis?

#static #triage #pe-analysis #elf-analysis #workflow
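As an added example (not part of this note or of the tools it links), a minimal Python triage script that performs Steps 1, 3 and 4 above on an in-memory specimen: magic-byte identification, hashing, per-chunk entropy to flag packed regions, and string extraction with URL/IP/registry-key classification. The specimen bytes, the `example.invalid` URL and the 10.0.0.5 address are constructed sample values, and the magic-byte table is a deliberately small subset of what `file` knows.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample specimen (not a real binary): an MZ stub, a few indicator-bearing
# strings, then 2048 bytes of full-period pseudo-random filler imitating a packed section.
SPECIMEN = (b"MZ" + b"\x00" * 62
            + b"This program cannot be run in DOS mode.\x00"
            + b"http://example.invalid/update.bin\x00"
            + b"10.0.0.5\x00"
            + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            + bytes((i * 131 + 7) % 256 for i in range(2048)))

MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF", b"%PDF": "PDF",
         b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office)", b"PK\x03\x04": "ZIP/OOXML"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs, like `strings -n 6`
INDICATORS = {"url": re.compile(rb"https?://[^\s\x00]+"),
              "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
              "registry": re.compile(rb"(?:HKLM|HKCU|SOFTWARE|SYSTEM)\\[^\x00]+")}

def identify(data):
    """Step 1: type from magic bytes (a tiny subset of what `file` knows), never the extension."""
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), "unknown")

def hashes(data):
    """Step 1: hashes for the reputation lookup (Step 2) and the final report (Step 8)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def entropy_map(data, chunk=512):
    """Step 3: entropy per chunk; packed or encrypted regions sit above ~7.0."""
    return [(off, round(shannon_entropy(data[off:off + chunk]), 2))
            for off in range(0, len(data), chunk)]

def string_report(data):
    """Step 4: the `strings` listing plus the indicator classes the workflow says to look for."""
    return {"strings": [s.decode("ascii") for s in PRINTABLE.findall(data)],
            "indicators": {k: [m.decode("ascii") for m in rx.findall(data)]
                           for k, rx in INDICATORS.items()}}

def triage(data):
    """Steps 1, 3 and 4 as one report dict; packed_suspect feeds the unpacking decision."""
    emap = entropy_map(data)
    return {"type": identify(data), "size": len(data), **hashes(data), "entropy": emap,
            "packed_suspect": any(e > 7.0 for _, e in emap), **string_report(data)}
```

Run `triage(open("specimen.exe", "rb").read())` on a real sample to get the same report; the entropy map is what to compare against `diec` output before deciding on the Unpacking Workflow.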