ClamAV

One of the first steps in conducting a static analysis is to determine whether the potential malware under analysis has already been identified. A single sample's hash can be uploaded to sites such as VirusTotal, but a responder who has acquired a number of files during their analysis needs a way to determine whether any of them warrant further examination. One technique is to use an anti-virus scanner to scan the whole directory. In this case, a free, open source tool that can be leveraged is ClamAV.

ClamAV is a command-line utility that allows responders to scan a directory containing a variety of suspicious file formats. Any files it flags can then be further analyzed by the responder. To get started with ClamAV, proceed as follows:

  1. Navigate to the ClamAV downloads page at https://www.clamav.net/downloads.
  2. Download the applicable OS version. (For this volume, the Windows executable available at https://www.clamav.net/downloads/production/ClamAV-0.102.1.exe will be utilized.)


  3. Follow the directions for configuration and updating the signature file at https://www.clamav.net/documents/installing-clamav-on-windows.
  4. Open a Command Prompt or Windows PowerShell terminal.
  5. As an example, several files from the site Malware Traffic Analysis will be reviewed. The files are available at https://www.malware-traffic-analysis.net/2019/09/04/index.html. In the terminal, type the following command (the ClamAV scanner binary is clamscan.exe, -r scans the directory recursively, and the path is quoted because it contains spaces):
PS C:\Program Files\ClamAV> .\clamscan.exe -r "D:\Malware Samples\2019-09-04-malware-from-Ursnif-and-Trickbot-infection"
  6. This command executes the ClamAV scanner against all the files contained in the folder 2019-09-04-malware-from-Ursnif-and-Trickbot-Infection. Hit Enter, which produces the following results:

  7. ClamAV has indicated that the .doc file is associated with the Doc.Malware.Sagent-7159046 malicious file signature.

The efficacy of ClamAV is largely dependent on the signatures included in the scanning package. Some malware variants will not have a corresponding signature available and, as a result, will go undetected; a clean result is therefore not proof that a file is benign. With that caveat, ClamAV is a useful way to examine a large number of potential malware files and to quickly identify those that are already known.
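The workflow above (scan a directory, pick out the files ClamAV flagged, then look each one up by hash) can be scripted. The following is an added example written for this page; it is not code from the book or from the ClamAV project. It assumes clamscan is on the PATH, that clamscan prints one `<path>: <signature> FOUND` or `<path>: OK` line per file followed by a summary block, and that it exits 0 when nothing is found, 1 when something is found and 2 on error. The sample output embedded in the block is constructed for offline testing; the signature name is the one from the scan above.

```python
"""Triage helper: run clamscan over a directory, collect the flagged files and
hash them so they can be looked up (e.g. on VirusTotal) without uploading.

Added example for this page; not from the book or the ClamAV project.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# One result line per file, e.g.
#   D:\samples\invoice.doc: Doc.Malware.Sagent-7159046 FOUND
#   D:\samples\readme.txt: OK
# The path is matched greedily so a ": " inside the path does not break parsing;
# signature names never contain spaces.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Constructed sample of clamscan output used for the offline test below.
SAMPLE_OUTPUT = r"""D:\Malware Samples\2019-09-04\invoice.doc: Doc.Malware.Sagent-7159046 FOUND
D:\Malware Samples\2019-09-04\readme.txt: OK
D:\Malware Samples\2019-09-04\note: with colon.bin: OK

----------- SCAN SUMMARY -----------
Known viruses: 6500000
Scanned files: 3
Infected files: 1
"""


def parse_clamscan_output(text):
    """Return {path: signature} for every FOUND line, ignoring the summary block."""
    hits = {}
    for line in text.splitlines():
        if line.startswith("-----"):
            break  # the scan summary follows; no more per-file lines
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks so large samples do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(directory, clamscan="clamscan"):
    """Run clamscan recursively and return [(path, signature, sha256), ...].

    Exit code 2 means clamscan itself failed (missing database, bad path),
    which is different from "found nothing" and must not be treated as clean.
    """
    proc = subprocess.run(
        [clamscan, "-r", "-i", str(directory)],  # -i: only report infected files
        capture_output=True, text=True,
    )
    if proc.returncode == 2:
        raise RuntimeError("clamscan error: " + proc.stderr.strip())
    flagged = []
    for path, sig in parse_clamscan_output(proc.stdout).items():
        flagged.append((path, sig, sha256_of(Path(path))))
    return flagged


if __name__ == "__main__":
    import sys
    for path, sig, digest in scan_directory(sys.argv[1]):
        print(f"{digest}  {sig}  {path}")
```

Run it as `python triage.py "D:\Malware Samples\2019-09-04-malware-from-Ursnif-and-Trickbot-infection"` (assumed script name). Because only the files ClamAV already knows are listed, anything absent from the output still needs the manual review described above; the script separates "known bad" from "not yet classified", not "bad" from "good".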
