Static analysis

Static Analysis is an examination of the actual malware code without executing it on a system. For malware researchers, the code may be obtained from systems deliberately left exposed to infection or from production systems that have been impacted by the malware.

In this case, incident response analysts can obtain the actual source code or executable through a combination of memory analysis and acquiring the executable itself during an analysis of the hard drive. Static analysis often comprises several different techniques:

  • Fingerprinting: One of the most basic techniques is obtaining a cryptographic hash of the code. These hashes can then be compared to other known hashes to determine if the code has been seen before.
  • Anti-Virus Scanning: Anti-Virus vendors often do not catch every virus. For example, some vendors may have analyzed the code and deployed a signature for their own product, while other vendors may not have had access to the code or deployed a signature of their own. A good step is to scan a file with the products of multiple different anti-virus vendors.
  • String Extraction: Malware coders will often include IP addresses, error messages or other data within the malware in clear text. Finding these strings may allow analysts to identify a Command and Control (C2) server or other data that indicates the purpose of the malware.
  • File Format: With any executable, legitimate or not, there is metadata associated with it. Malware analysts can view the compilation time, functions, strings, menus and icons of Portable Executable (PE) format applications.
  • Packer Analysis: To bypass Anti-Virus programs, malware coders make use of packers. These packers use compression or encryption so that the malware does not leave a tell-tale file hash. Some tools are available, but conducting a static analysis against packed malware is often difficult.
  • Disassembly: Reversing the code through the use of specialized software allows malware analysts to view the assembly code. From here, the analyst may be able to determine what actions the malware is attempting to perform.
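
As an added illustration, not code from the book, the script below performs four of the techniques above (fingerprinting, string extraction, PE file-format metadata and an entropy check as a packer heuristic) on a constructed PE-shaped byte blob. The sample bytes, the 7.0 entropy threshold and the six-character minimum string length are assumptions chosen for the demonstration.

```python
import hashlib
import math
import re
import struct
from collections import Counter


def fingerprint(data: bytes) -> dict:
    """Fingerprinting: hashes to compare against known-bad lists and threat intel."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """String extraction: printable ASCII runs that may expose C2 hosts or messages."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def pe_compile_time(data: bytes):
    """File format: the COFF TimeDateStamp of a PE file, or None if not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Signature (4) + Machine (2) + NumberOfSections (2), then TimeDateStamp (4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def shannon_entropy(data: bytes) -> float:
    """Packer analysis: entropy close to 8.0 suggests compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Run the static checks together; 'likely_packed' is an assumed heuristic threshold."""
    return {"hashes": fingerprint(data), "strings": extract_strings(data),
            "compile_time": pe_compile_time(data), "entropy": shannon_entropy(data),
            "likely_packed": shannon_entropy(data) > 7.0}


# Constructed sample: a minimal PE-shaped blob for demonstration, not a real executable.
SAMPLE = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
          + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x5F000000, 0, 0, 0, 0)
          + b"\0" * 16 + b"http://c2.example.invalid/beacon\0Error: cannot open file\0")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a real sample the hashes would be checked against a known-hash source and the extracted host would be treated as a candidate indicator, not confirmed C2, until corroborated.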

When compared to Dynamic Analysis, Static Analysis may seem more laborious. While a lot of the searching and analysis is done by hand, there are some advantages. First, it is safer to examine the code without having to execute it. This is especially true in organizations where a comprehensive sandbox solution is not in place. Also, it provides a more comprehensive analysis and a better understanding of what the malware coder's intention might be.

There are several disadvantages to static analysis as well. This technique requires the malware code in its entirety for the best results. Another key disadvantage is the time necessary. With malware becoming increasingly complex, the time required for a static analysis may be longer than an organization can afford.

This is even more of an issue during an incident, where the incident response team may be better off with an analysis that covers most of their issues now rather than having to wait for the most comprehensive analysis.
