Describe a basic malware static analysis approach, including packing, entropy, and YARA.


Multiple Choice

Describe a basic malware static analysis approach, including packing, entropy, and YARA.

Explanation:

Static malware analysis examines the binary without executing it, looking for signs of obfuscation and indicators that can guide further investigation. A basic approach starts by inspecting the file structure and code layout to spot packing or protections, such as unusual section names, mismatched section sizes, or sections dominated by non-code data. Packing hides the real instructions behind compression or encryption, so spotting these signs is the first clue that the payload may be concealed.

Entropy measurement helps confirm that clue. By calculating the entropy of sections, you can identify regions that are highly random or compressed, which is typical of packed or encrypted data. High entropy in large parts of the binary strongly suggests obfuscation, while lower entropy areas often correspond to normal code or readable strings.

Reviewing imports and strings adds context about what the binary intends to do. The import table reveals the APIs the program intends to call, and extracted strings can expose domain names, file paths, registry keys, or command patterns that hint at its behavior or targets.

YARA provides a practical way to codify what you find. You can create or apply rules that match known packer signatures, suspicious strings, API usage patterns, or other indicators of compromise. Running these rules against the binary helps classify the sample, identify potential families, and surface areas for deeper analysis.

Putting these elements together gives a quick, safe snapshot of what the malware might do and how it hides its real code, guiding subsequent steps. Relying on execution would be dynamic analysis, which looks at behavior during run time, but static analysis focuses on what can be learned without running the sample. Decompiling alone can miss packed or encrypted content and non-code data, and ignoring packers would leave critical concealment untouched.
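As an added worked example (not code from the original page), the entropy-per-section step in Python: Shannon entropy is computed over the raw bytes of each section of a constructed in-memory sample, and a section is flagged when its entropy approaches the 8-bit maximum or its name is not one a mainstream linker normally emits. The threshold of 7.0, the list of common section names and the sample bytes are assumptions, not values from the page.

```python
import math
import hashlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (one byte value) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Section names commonly emitted by mainstream compilers/linkers (assumed list);
# packers often add or rename sections, so anything else deserves a second look.
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata",
                        ".edata", ".rsrc", ".reloc", ".pdata", ".tls"}
PACKED_THRESHOLD = 7.0  # assumed cut-off; compressed/encrypted data sits near 8.0

def triage_sections(sections, threshold=PACKED_THRESHOLD):
    """sections: list of (name, raw_bytes). Returns one finding dict per section."""
    findings = []
    for name, raw in sections:
        ent = shannon_entropy(raw)
        flags = []
        if ent >= threshold:
            flags.append("high-entropy (packed/encrypted?)")
        if name not in COMMON_SECTION_NAMES:
            flags.append("unusual section name")
        findings.append({"name": name, "size": len(raw),
                         "entropy": round(ent, 2), "flags": flags})
    return findings

def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for packed data."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed sample: a repetitive x86-prologue-like stub, readable strings,
# and a blob that looks like a packed payload under a non-standard section name.
SAMPLE_SECTIONS = [
    (".text", b"\x55\x89\xe5\x83\xec\x10" * 200 + b"\xc3" * 50),
    (".rdata", b"kernel32.dll\x00CreateFileW\x00C:\\Users\\Public\\update.tmp\x00" * 20),
    (".pkd0", _pseudo_random(4096)),  # constructed name, not a real packer signature
]

if __name__ == "__main__":
    for f in triage_sections(SAMPLE_SECTIONS):
        print(f"{f['name']:8} size={f['size']:5} entropy={f['entropy']:.2f} {f['flags']}")
```

In a real triage the section list would come from a PE/ELF parser rather than being constructed inline; the per-section entropy logic is unchanged.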
