Topic 45

Static and Dynamic Analysis

Analysis

When a suspicious file lands, a defender needs to know what it does — without infecting the network to find out. Malware analysis has two modes: static (examine the file without running it — strings, hashes, structure, YARA rules) and dynamic (run it in an isolated sandbox and watch its behavior — files touched, processes spawned, network calls).

This topic teaches safe, practical triage analysis — enough to classify a file, extract indicators, and decide response, all inside the Meridian lab. The first rule frames everything that follows: do not infect yourself.

Safety First — the Isolated Lab

Analysis runs in a disposable, network-isolated virtual machine or sandbox with snapshots, never on a production or personal machine. The first rule of malware analysis is not infecting yourself or your network, and it frames every command in this topic: the file is assumed live and hostile, and the environment is built to contain it and be thrown away afterward.

Static Analysis

Static analysis examines the file without executing it: hashing it to check threat-intel reputation, extracting strings to find URLs, IPs, and commands, inspecting the file structure and imports, and matching YARA rules that describe malware families by content patterns. It sees all code paths and is completely safe, but packing and obfuscation (the next topic) can hide the intent until runtime.

Static triage of the intruder's implant — safe, no execution
# reputation: hash it and check threat intel
sha256sum implant.bin

# extract readable strings — URLs, IPs, commands often leak here
strings -n 8 implant.bin | grep -Ei 'http|\.onion|cmd|powershell'

# match against YARA rules that describe known families by content
yara meridian-rules.yar implant.bin

Hashing gives a reputation lookup, strings often leak the command-and-control domain, and a YARA match names the family — all without running the file. When static analysis is stonewalled by a packed binary with almost no readable strings, that absence is itself a signal, and the next step is dynamic analysis to unpack it at runtime.

Dynamic Analysis

Dynamic analysis detonates the sample in a sandbox and observes behavior: files created, persistence set (Chapter 8), processes spawned, and network connections attempted. Behavior reveals what static analysis obfuscates, which is why the two are complementary — static sees every path but can be hidden from, dynamic sees only the paths that execute but defeats obfuscation.

Extracting Indicators of Compromise

The goal of triage is IOCs — hashes, domains, IPs, file paths, registry keys — and the behavior, which feed detection (Chapter 10) and hunting. Analysis that ends without producing actionable indicators is incomplete: the point is to turn one analyzed sample into fleet-wide detection, so the same implant is caught everywhere it appears.

Static vs Dynamic Analysis

Static — examine without running; safe, fast, sees all code paths, but obfuscation and packing hide intent.

Dynamic — run and observe; reveals real behavior and defeats obfuscation, but shows only the paths that execute and can be evaded by sandbox-aware malware. Real triage uses both, plus threat-intel reputation.

Common Mistakes
  • Running suspicious files outside a properly isolated sandbox, risking real infection of the network or the analyst's machine.
  • Relying on static analysis alone against packed or obfuscated malware that hides its strings and structure until runtime.
  • Relying on dynamic analysis alone against sandbox-aware malware that stays dormant when it detects analysis.
  • Finishing analysis without extracting IOCs, so the effort does not improve detection or hunting.
  • Analyzing on a machine with network access to production, so a detonation escapes the lab.
Best Practices
  • Analyze only in an isolated, snapshotted sandbox with controlled or simulated network, never on production or personal systems.
  • Combine static (hash, strings, structure, YARA) and dynamic (sandbox behavior) analysis, plus threat-intel reputation lookups.
  • Author and share YARA rules to detect families across the fleet, turning one analysis into fleet-wide detection.
  • Always produce IOCs and behavioral signatures and feed them to detection (Chapter 10) and incident response (Chapter 11).
  • Treat a packed, string-less binary as suspicious in itself and move to dynamic analysis to unpack it.
Comparable toolsStatic strings · file · YARA · VirusTotalDynamic Cuckoo/CAPE sandbox · procmon · inetsimMemory Volatility — feeds Ch 10 detection

Knowledge Check

What is the first rule of hands-on malware analysis?

  • Work only in an isolated, disposable sandbox, never on a real machine
  • Always run the sample on a live production host to see its real behavior
  • Disable all system logging before you detonate the sample file
  • Only ever analyze files that antivirus has already flagged

Why are static and dynamic analysis complementary rather than redundant?

  • Static sees all paths but can be obfuscated; dynamic sees only run ones
  • Static analysis is always strictly more accurate than dynamic analysis is
  • Dynamic analysis never actually requires any isolation at all
  • Static analysis executes the file in order to read its strings

Why is producing IOCs the goal of triage analysis?

  • They turn one sample into fleet-wide detection coverage
  • IOCs let you legally prosecute the attacker behind the sample
  • IOCs directly remove the malware from the infected host
  • IOCs are only useful when the malware is a known family

You got correct