
Malware Triage

Quick static analysis to determine if a file is malicious without executing it.


Scenario

A suspicious file has been discovered on an endpoint. Before sending it to a sandbox, you need to perform quick static analysis to understand what you're dealing with.


Step 1: Initial Identification

First, identify the file type:

bsot file identify suspicious.pdf
Sample Output
File: suspicious.pdf
  Size: 245,760 bytes
  MIME Type: application/x-executable
  Description: PE32 executable (GUI)
  Magic Bytes: 4D 5A
  Expected Extensions: .exe, .dll

  [HIGH] Extension Mismatch Detected!
    File has .pdf extension but is a Windows executable

Key finding: The file is actually a Windows executable disguised with a PDF extension.
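The check behind this step is a prefix match of the file's first bytes against a signature table, followed by a comparison with the extension the file claims. The following Python is an added example (not part of bsot or this page); the signature table, sample bytes and function names are constructed for illustration.

```python
import os
from typing import Optional, Set, Tuple

# Constructed signature table: (magic bytes, description, extensions that legitimately carry them).
# A real identifier has hundreds of entries; these cover the common "looks like a document" cases.
SIGNATURES = [
    (b"MZ", "Windows PE executable", {".exe", ".dll", ".sys", ".scr", ".cpl"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"\x7fELF", "ELF executable", {"", ".so", ".elf"}),
    (b"PK\x03\x04", "ZIP container (zip, docx, xlsx, jar, apk)",
     {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy Office)",
     {".doc", ".xls", ".ppt", ".msi"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
]


def identify(data: bytes) -> Optional[Tuple[str, Set[str]]]:
    """Match the file's leading bytes against the signature table; None if nothing matches."""
    for magic, description, extensions in SIGNATURES:
        if data.startswith(magic):
            return description, extensions
    return None


def check_extension(filename: str, data: bytes) -> dict:
    """Report what the content is and whether the claimed extension agrees with it."""
    ext = os.path.splitext(filename)[1].lower()
    report = {
        "file": filename,
        "size": len(data),
        "magic_bytes": data[:4].hex(" ").upper(),
        "description": "unknown",
        "expected_extensions": [],
        "mismatch": False,
    }
    match = identify(data)
    if match:
        description, extensions = match
        report["description"] = description
        report["expected_extensions"] = sorted(extensions)
        report["mismatch"] = ext not in extensions
    return report


def print_report(report: dict) -> None:
    print(f"File: {report['file']}")
    print(f"  Size: {report['size']:,} bytes")
    print(f"  Description: {report['description']}")
    print(f"  Magic Bytes: {report['magic_bytes']}")
    if report["mismatch"]:
        expected = ", ".join(report["expected_extensions"]) or "(none)"
        print(f"  [HIGH] Extension Mismatch Detected! Content is {report['description']}, "
              f"expected extension {expected}")


# Constructed samples: a PE header stub saved under a .pdf name, and a genuine PDF header.
SAMPLE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print_report(check_extension(sys.argv[1], fh.read(16)))
    else:
        print_report(check_extension("suspicious.pdf", SAMPLE_PE))
```

A prefix match is necessary but not sufficient: it tells you what the first bytes look like, not that the rest of the file is well-formed, which is why the later steps parse the structure rather than stopping here.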


Step 2: Calculate Hashes

Get file hashes for lookup:

bsot file hash suspicious.pdf --all
Sample Output
suspicious.pdf
  Size: 245,760 bytes
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb924...
  SHA512: cf83e1357eefb8bdf1542850d66d80...

Step 3: Check Entropy

Analyze entropy to detect packing:

bsot file entropy suspicious.pdf
Sample Output
Entropy Analysis: suspicious.pdf
  File size: 245,760 bytes
  Entropy: 7.82/8.0
  Verdict: HIGH

  ⚠️  High entropy detected - file may be encrypted, packed, or obfuscated

Key finding: High entropy suggests the file is packed or encrypted.
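The entropy figure is Shannon entropy in bits per byte: 0.0 for a file that is one repeated value, 8.0 for uniformly random bytes, with compressed, encrypted and packed data sitting near the top of that range. The Python below is an added example rather than bsot's implementation; the thresholds behind the LOW/MEDIUM/HIGH verdict and the sample inputs are constructed, and it goes one step past the page by also computing entropy per window, so a small packed region inside an otherwise plain file is not averaged away by the whole-file number.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant file, 8.0 for uniform random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed thresholds, not bsot's: plain text usually lands around 4 to 5 bits/byte,
# native code around 6 to 6.5, and compressed/encrypted/packed data above roughly 7.2.
HIGH_THRESHOLD = 7.2
MEDIUM_THRESHOLD = 6.0


def entropy_verdict(h: float) -> str:
    if h >= HIGH_THRESHOLD:
        return "HIGH"
    if h >= MEDIUM_THRESHOLD:
        return "MEDIUM"
    return "LOW"


def windowed_entropy(data: bytes, window: int = 1024, step: int = 512):
    """Entropy of each window; windows are kept large enough that the estimate is not biased low."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), step)]


def analyze(data: bytes) -> dict:
    h = shannon_entropy(data)
    windows = windowed_entropy(data)
    return {
        "size": len(data),
        "entropy": round(h, 2),
        "verdict": entropy_verdict(h),
        "windows": len(windows),
        "high_entropy_windows": sum(1 for w in windows if w >= HIGH_THRESHOLD),
    }


# Constructed inputs: a zero-filled blob, repeated English text, and seeded pseudo-random bytes
# standing in for a packed section.
ZERO_BLOB = b"\x00" * 4096
TEXT_BLOB = b"The quick brown fox jumps over the lazy dog. " * 100
_rng = random.Random(1234)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for label, blob in (("zeros", ZERO_BLOB), ("text", TEXT_BLOB),
                        ("random", RANDOM_BLOB), ("text+random", TEXT_BLOB + RANDOM_BLOB)):
        r = analyze(blob)
        print(f"{label:12} size={r['size']:6}  entropy={r['entropy']:.2f}/8.0  "
              f"verdict={r['verdict']:6}  high windows={r['high_entropy_windows']}/{r['windows']}")
```

The windowed view matters for the verdict: a large installer with one small encrypted payload can average out to MEDIUM while the per-window scan still shows the packed region clearly.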


Step 4: PE Analysis

Analyze the PE structure:

bsot malware pe suspicious.pdf --sections
Sample Output
══════════════════════════════════════════════════════════
  PE Analysis: suspicious.pdf
══════════════════════════════════════════════════════════

┌─────────────────────────────────────────────────────────┐
│ File Type:     PE32 executable                          │
│ Architecture:  x86 (32-bit)                             │
│ Subsystem:     Windows GUI                              │
│ Compiled:      2025-01-10 14:32:15                      │
│ Packer:        UPX 3.96 ⚠️                              │
│ Imphash:       a1b2c3d4e5f6...                          │
└─────────────────────────────────────────────────────────┘

── 📦 Sections (3) ───────────────────────────────────────
   Name       Entropy    Flags
   UPX0       0.00       RWX      ⚠️  Suspicious flags
   UPX1       7.89       RWX      ⚠️  High entropy
   UPX2       5.23       RW

── 📥 Suspicious Imports ─────────────────────────────────
   VirtualAlloc
   VirtualProtect
   CreateRemoteThread
   WriteProcessMemory

── ⚠️  Anomalies Detected ────────────────────────────────
   • UPX packer detected
   • Section UPX0 has RWX permissions
   • Suspicious imports indicate code injection capability

Key findings:
- UPX packer detected
- RWX section permissions (suspicious)
- Code injection APIs imported
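Everything in the section table above comes from a fixed layout: the DOS header points (via e_lfanew at offset 0x3C) at the PE signature, the COFF header gives the machine type, timestamp, section count and optional-header size, and the section headers follow the optional header as 40-byte records whose Characteristics field carries the read/write/execute bits. The following Python is an added example, not bsot's parser; it builds a constructed, non-runnable PE32 image with UPX-style section names purely so the parser has something to walk, and flags RWX sections, high-entropy sections and the packer's section names the way the page's output does.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64"}
HIGH_ENTROPY = 7.0  # constructed threshold for flagging a section


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_string(characteristics: int) -> str:
    bits = (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE))
    return "".join(letter for letter, bit in bits if characteristics & bit)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                      # optional header starts right after COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    sections, anomalies = [], []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, ch = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        flags = flag_string(ch)
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])   # entropy of the on-disk bytes
        sections.append({"name": name, "entropy": round(ent, 2), "flags": flags})
        if "W" in flags and "X" in flags:
            anomalies.append(f"Section {name} has RWX permissions")
        if ent >= HIGH_ENTROPY:
            anomalies.append(f"Section {name} has high entropy ({ent:.2f})")
    if any(s["name"].startswith("UPX") for s in sections):
        anomalies.insert(0, "UPX packer detected (section names)")
    return {
        "type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"unknown (0x{magic:x})"),
        "arch": MACHINES.get(machine, f"unknown (0x{machine:x})"),
        "compiled": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
        "anomalies": anomalies,
    }


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32 image: only the headers parse_pe reads, with no real code."""
    rng = random.Random(7)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    opt = struct.pack("<H", 0x10B) + b"\0" * 222              # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1736519535, 0, 0, len(opt), 0x0102)
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

    def sec(name, vsize, vaddr, raw_size, raw_ptr, ch):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, ch)

    packed = bytes(rng.getrandbits(8) for _ in range(2048))   # stands in for compressed code
    rsrc = (b"resource data " * 40)[:512]                      # low-entropy filler
    headers = dos + b"PE\0\0" + coff + opt
    headers += sec(b"UPX0", 0x10000, 0x1000, 0, 512, rwx)      # empty on disk, filled at runtime
    headers += sec(b"UPX1", 0x800, 0x11000, len(packed), 512, rwx)
    headers += sec(b"UPX2", 0x200, 0x12000, len(rsrc), 512 + len(packed), rw)
    return headers.ljust(512, b"\0") + packed + rsrc


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"{info['type']}  {info['arch']}  compiled {info['compiled']} UTC")
    for s in info["sections"]:
        print(f"  {s['name']:<8} entropy={s['entropy']:<5} flags={s['flags']}")
    for a in info["anomalies"]:
        print(f"  ! {a}")
```

Two things the example makes visible that the summary line hides: an empty-on-disk section with RWX and a large virtual size (UPX0 here) is where a packer will unpack at run time, and the compile timestamp is attacker-controlled, so treat it as a hint rather than evidence.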


Step 5: Extract Strings

Look for interesting strings:

bsot malware strings suspicious.pdf --category urls,ips,registry
Sample Output
Found 156 interesting strings

── 🌐 URLs (3) ───────────────────────────────────────────
   http://evil.com/callback
   https://c2server.xyz/beacon
   http://pastebin.com/raw/abc123

── 🖥️  IP Addresses (2) ──────────────────────────────────
   192.168.1.100
   45.33.32.156

── 🔑 Registry Keys (1) ──────────────────────────────────
   HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Key findings:
- C2 communication URLs
- Persistence via registry Run key
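String extraction is two passes (runs of printable ASCII, and runs of UTF-16LE, which Windows binaries use heavily) followed by pattern matching to sort the results into categories. The Python below is an added example, not bsot's code; the byte blob it scans is constructed to contain the kinds of strings shown above, and it adds two defender-side details the page only implies: private addresses are separated from routable ones before anything goes on a blocklist, and indicators are defanged before they are pasted into a report.

```python
import ipaddress
import re

MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[^\s\"'<>]*)?", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
REGISTRY_RE = re.compile(r"\b(?:HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\[^\s\"'<>]+", re.IGNORECASE)


def extract_strings(data: bytes):
    """Printable ASCII runs plus UTF-16LE runs of at least MIN_LEN characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def categorize(strings) -> dict:
    """Sort strings into URLs, IPv4 addresses and registry keys; keep routable IPs separately."""
    cats = {"urls": set(), "ips": set(), "public_ips": set(), "registry": set()}
    for s in strings:
        cats["urls"].update(URL_RE.findall(s))
        cats["registry"].update(REGISTRY_RE.findall(s))
        for ip in IPV4_RE.findall(s):
            # Version strings such as 1.2.3.4 have the same shape, so treat these as candidates.
            cats["ips"].add(ip)
            addr = ipaddress.ip_address(ip)
            if not (addr.is_private or addr.is_loopback or addr.is_reserved):
                cats["public_ips"].add(ip)
    return {k: sorted(v) for k, v in cats.items()}


def defang(ioc: str) -> str:
    """Neutralise an indicator for tickets and reports so it cannot be clicked or auto-linked."""
    return ioc.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


# Constructed sample: binary padding around a callback URL, a Run-key path, a wide-string IP,
# a private IP and a string too short to report.
SAMPLE = (
    b"\x00" * 32
    + b"http://evil.com/callback\x00"
    + b"\xff\xfe" * 8
    + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00\x00\x00"
    + "45.33.32.156".encode("utf-16-le") + b"\x00\x00"
    + b"192.168.1.100\x00"
    + b"ab\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    cats = categorize(extract_strings(SAMPLE))
    for category, items in cats.items():
        print(f"{category} ({len(items)})")
        for item in items:
            print(f"   {defang(item)}")
```

Categorised strings are leads, not conclusions: a URL in a packed binary may belong to the packer's stub or a library rather than the payload, which is one reason the page hands the file to a sandbox once static triage is done.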


Step 6: YARA Scan

Scan against YARA rules:

bsot malware yara suspicious.pdf
Sample Output
✅ Scanned against 247 rules

🚨 Matches (3)

   Rule: UPX_Packed
   Severity: medium
   Tags: packer

   Rule: Suspicious_API_Calls
   Severity: high
   Tags: malware, injection

   Rule: Generic_Ransomware_Strings
   Severity: critical
   Tags: ransomware, threat
   Description: Detects common ransomware strings

Step 7: Extract IOCs

Export all IOCs:

bsot malware ioc suspicious.pdf --format json -o iocs.json

Step 8: Check VirusTotal

Look up the file's hash (with --no-upload only the hash is queried, so the sample itself is not sent):

bsot malware submit suspicious.pdf --no-upload
Sample Output
🔍 Checking hash: e3b0c44298fc1c149...

── 📡 VirusTotal ─────────────────────────────────────────
   Status: MALICIOUS
   Detection: 45/70
   Family: Ransomware.Cerber
   Link: https://virustotal.com/gui/file/...

▌ OVERALL: MALICIOUS
   Detection: 45/70 engines

Summary

Check               Finding                    Severity
Extension mismatch  EXE disguised as PDF       High
Entropy             7.82 (packed/encrypted)    Medium
Packer              UPX detected               Medium
Imports             Code injection APIs        High
Strings             C2 URLs, persistence       High
YARA                Ransomware match           Critical
VirusTotal          45/70 detections           Critical

Verdict

MALICIOUS — Known ransomware (Cerber family)

  1. Quarantine the file immediately
  2. Block extracted IOCs (IPs, domains)
  3. Check for lateral spread
  4. Investigate how the file arrived
  5. Full sandbox analysis for detailed behavior

Quick Reference Commands

#!/bin/sh
# Complete triage in one script; usage: ./triage.sh <file>
FILE="${1:?usage: $0 <file>}"
bsot file identify "$FILE"
bsot file hash "$FILE" --all
bsot file entropy "$FILE"
bsot malware pe "$FILE" --sections
bsot malware strings "$FILE"
bsot malware yara "$FILE"
bsot malware submit "$FILE" --no-upload