System (API calls)

Malware is now increasingly obfuscated in order to avoid detection. One way of doing this is by packing the payload with other information, or within a compressed file (for example, gzip). The malware can self-extract and reorganize immediately prior to use. The payload might also be encrypted, or a combination of encryption and packing could be employed. 

It can often be easier to identify malicious files from their behavior when run. An application programming interface (API) is the method by which applications interact (through the operating system) with the base hardware. An application (legitimate and otherwise) will typically run through API calls rather than interacting directly with the hardware. This allows the application to function on a greater range of hardware platforms.

Viewing API calls is, therefore, a method that can be used to characterize what the application or file actually does. There is a huge range of APIs that do similar things, but the overall sentiment of the API calls can help to indicate whether a file is malicious or not.

Examples of suspicious activity might include calls to IsNTAdmin, which could be used to check if the user has administrator privileges; MapVirtualKey, often used in keyloggers; WinExec, which can be used to execute another program; or SetFileTime, which can be used to modify the creation, access, or last modified time for a file, and conceal malicious activity on those files.

Again, these API calls have legitimate uses alongside their use in malware. Removing or denying the API call would impact normal users' behavior; it is the combination of API calls in a malicious way that must be detected.
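To show the point about combinations rather than single calls, here is an added detection example that is not from the book: a small rule matcher run over constructed sandbox trace lines, using only the four APIs named above. The rule names, the `api=` log format and the sample traces are assumptions made for the example.

```python
# Added example: scoring combinations of Windows API calls in a sandbox
# trace instead of reacting to any single call. Rule names, log format and
# traces are constructed; only the four APIs named in the text are used.
from collections import Counter

# Each rule is a set of API calls that together suggest one behaviour pattern.
# A trace containing only one call from a rule does not match that rule.
RULES = {
    "privilege-check then execution": {"IsNTAdmin", "WinExec"},
    "keylogging with timestamp cover-up": {"MapVirtualKey", "SetFileTime"},
    "execution with timestamp cover-up": {"WinExec", "SetFileTime"},
}

def parse_trace(lines):
    """Extract API names from constructed log lines shaped like
    'pid=1234 api=WinExec args=...'. Lines without an api= field are skipped."""
    calls = []
    for line in lines:
        for field in line.split():
            if field.startswith("api="):
                calls.append(field[len("api="):])
    return calls

def matched_rules(calls):
    """Return the names of rules whose whole API set appears in the trace."""
    seen = set(calls)
    return sorted(name for name, apis in RULES.items() if apis <= seen)

def verdict(lines):
    """Summarise a trace: call counts, matched rules and an overall flag."""
    calls = parse_trace(lines)
    hits = matched_rules(calls)
    return {"calls": Counter(calls), "rules": hits, "suspicious": bool(hits)}

# Constructed traces: an installer that only checks for admin rights (benign
# on its own), and a sample that checks rights, launches a program, resets the
# file's timestamps and then reads keyboard state.
BENIGN_TRACE = [
    "pid=410 api=IsNTAdmin args=",
    "pid=410 api=CreateFileW args=C:\\app\\setup.log",
]
SUSPICIOUS_TRACE = [
    "pid=512 api=IsNTAdmin args=",
    "pid=512 api=WinExec args=C:\\Users\\Public\\update.exe",
    "pid=512 api=SetFileTime args=C:\\Users\\Public\\update.exe",
    "pid=512 api=MapVirtualKey args=0x41",
]

if __name__ == "__main__":
    for label, trace in (("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        print(label, verdict(trace))
```

The benign trace contains IsNTAdmin yet matches no rule, which is the behaviour the text asks for: only the combination of calls raises a flag.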
