PeStudio

A good place to begin a static analysis of a single file is with PeStudio. Chapter 8, Analyzing System Memory, introduced this application when examining suspect malicious software obtained through the analysis of a memory image. In this case, an actual piece of malware will be analyzed, using PeStudio. This tool allows analysts to focus on specific attributes of the malware, for further analysis.

In this scenario, a live piece of malware will be examined. The malware sample is an Emotet infection with TrickBot. This sample was taken from https://www.malware-traffic-analysis.net/2019/09/18/index.html. Ensure that the proper preconfiguration is completed prior to downloading any malware, as any anti-virus program will quarantine the malware, making any analysis impossible. Once downloaded into a folder, the file is ready for analysis. Proceed as follows:

  1. Open PeStudio. Click the folder icon in the upper left-hand corner, and navigate to the malware sample with the filename 2019-09-18-updated-Emotet-malware-binary.exe.
  2. Once loaded, the following window will appear. In the pane to the left are several elements that PeStudio examines against the malware. Several of these elements (in red) indicate that the code is suspected of containing malware, as shown here:

  3. Click on indicators first, to get an overview of the specific components of the malware that have been identified as malicious. PeStudio has identified three specific indicators—the file has 55/71 hits on VirusTotal, there are several blacklisted strings, and, finally, the file imports symbols that are blacklisted, as can be seen in the following screenshot:

  4. Click on imports. From here, the analyst can see the imported library files that are blacklisted, as shown in the following screenshot:

  5. Click on strings. This gives the analyst a clear understanding of the various strings within the malware that are suspect. From here, the analyst can focus on those strings when conducting a deeper analysis, as shown in the following screenshot:

PeStudio allows incident responders to get a 10,000-foot overview of suspected malware. Often, this may be enough for incident responders to work from, in terms of identifying other infections. In other incidents, it may be necessary to perform a deeper analysis. This is where other tools come into play.
