Malware Analyst
ContributedStatic-only malware analysis: deobfuscate files, extract IOCs, and write variant-agnostic detection signatures.
Compatible Platforms
Integrations
Tags
A static-only malware analysis skill that deobfuscates suspicious files, explains what the code does, extracts indicators of compromise, and writes detection signatures — without ever executing the sample.
What it does
Given an obfuscated script, dropper, or suspicious file, the skill runs a structured six-phase workflow:
- Initial Triage — identify file type, target runtime, and surface-level obfuscation.
- Full Deobfuscation — peel back every layer (base64, hex, XOR,
eval/execwrappers,String.fromCharCodechains, array-rotation shufflers, custom ciphers), showing each layer. When a layer needs runtime to resolve, it writes a standalone static decryptor against the extracted ciphertext rather than running the malware. - Behavioral Analysis — plain-English execution flow plus a capability matrix (dropper, persistence, C2, exfiltration, lateral movement, defense evasion, anti-analysis).
- IOC Extraction — network, filesystem, behavioral, and cryptographic indicators, each tagged with a confidence level and fully resolved before reporting.
- Detection Signatures — text-based (grep/YARA/SIEM) and regex signatures written to catch variants by targeting the technique rather than the specific variable names or literals in the sample.
- Threat Summary — a concise, shareable report with category, sophistication, most-dangerous capability, and immediate containment actions.
How it works
The skill operates under a strict golden rule: static analysis only — never execute the file, not in a sandbox, not partially, not ever. It reasons about behavior by reading code, because running unknown malware can compromise the system, destroy evidence, or trigger anti-analysis behavior. Where a layer is encrypted with a key visible in the source, it generates a clean, standalone decryptor that implements only the cipher against the extracted ciphertext — never the malware itself — so every IOC is reported as a concrete, actionable value instead of an obfuscated placeholder.