What Is Malware Analysis? Static vs Dynamic Analysis Explained
Malware analysis is how defenders dissect malicious code to learn what it does, where it came from, and how to detect it. Here's static vs dynamic analysis, the four types, and the tools involved.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
Malware analysis is the process of studying a piece of malware to understand how it works, what it does, where it came from, and how to detect and defend against it. When a suspicious file or sample is captured — from an incident, a phishing email, or a threat feed — analysts examine it to answer practical questions: What is its purpose? What systems does it affect? What indicators of compromise does it produce? Who might be behind it? The answers drive detection, response, and threat intelligence.
In short: malware analysis is digital forensics for malicious code. It's how a captured sample becomes the detection rules, indicators, and context that protect everyone else.
Why malware analysis matters
- Detection. Analysis extracts the indicators and behaviors needed to write detections — from blocklists to YARA rules.
- Incident response. Understanding what a sample does tells responders the scope of a compromise and how to eradicate it.
- Threat intelligence. Analysis maps a sample's techniques to frameworks like MITRE ATT&CK and helps attribute it to known families or actors.
- Prioritization. Knowing whether a sample is a generic nuisance or a targeted, capable threat shapes how urgently you respond.
Static vs dynamic analysis
The two foundational approaches differ in one key way: whether the malware is run.
Static analysis
Static analysis examines the malware without executing it. Analysts inspect the file itself — its strings, metadata, file headers, imports, embedded resources, and hashes — to learn about it safely. Static analysis is fast and comparatively low-risk because the code never runs, though the parsers and viewers that open attacker-controlled files have had their own bugs, so even static work belongs in the isolated lab. Sophisticated malware uses obfuscation, packing, and encryption specifically to make static inspection difficult: a packed sample shows few meaningful strings and high byte entropy until it has been unpacked.
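As an added example (not code from the original article), here is the basic static triage described above in Python: file hashes, printable ASCII and UTF-16LE strings, the MZ/PE header check, and byte entropy as a packing indicator. It runs on a constructed in-memory stand-in for a Windows executable rather than a real sample; the list of APIs worth flagging and the 7.2-bit entropy threshold are working assumptions chosen for this example, not a standard.

```python
"""Basic static triage of a suspicious file without executing it.

Added example for this article (not code from the original page). It runs
against a constructed in-memory sample so it is safe to execute anywhere;
point triage() at real file bytes only inside an isolated lab.
"""
import hashlib
import math
import re
import struct

# Windows API names whose presence in a binary's strings earns a second look
# during triage (process injection, download-and-execute). Assumed list.
APIS_OF_INTEREST = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "URLDownloadToFileA", "WinExec", "ShellExecuteA",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PACKED_ENTROPY = 7.2   # bits/byte; assumed threshold, tune on your own corpus


def build_sample() -> bytes:
    """Constructed stand-in for a suspicious PE: a DOS header whose e_lfanew
    points at a PE signature, some ASCII and UTF-16LE strings, then 2 KiB of
    uniformly distributed bytes standing in for a packed section."""
    dos = bytearray(b"MZ" + b"\x00" * 58)
    dos += struct.pack("<I", 0x80)                 # e_lfanew lives at offset 0x3C
    dos += b"\x00" * (0x80 - len(dos))
    pe_sig = b"PE\x00\x00"
    ascii_part = b"\x00".join([
        b"CreateRemoteThread",
        b"http://update.example.invalid/c2",
        b"cmd.exe /c",
    ])
    wide_part = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    packed = bytes((239 * i + 13) % 256 for i in range(2048))  # every byte value exactly 8 times
    return bytes(dos) + pe_sig + ascii_part + b"\x00\x00" + wide_part + b"\x00\x00" + packed


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def ascii_strings(data: bytes, min_len: int = 6) -> list:
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def wide_strings(data: bytes, min_len: int = 6) -> list:
    # UTF-16LE text in a Windows binary looks like printable, NUL, printable, NUL, ...
    return [m.decode("utf-16le") for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0. Values near 8 usually mean packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_signature_offset(data: bytes):
    """Return e_lfanew if the file has a consistent MZ/PE header pair, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def triage(data: bytes) -> dict:
    strings = ascii_strings(data) + wide_strings(data)
    entropy = shannon_entropy(data)
    return {
        "hashes": file_hashes(data),
        "is_pe": pe_signature_offset(data) is not None,
        "entropy": round(entropy, 2),
        "likely_packed": entropy > PACKED_ENTROPY,
        "urls": [u for s in strings for u in URL_RE.findall(s)],
        "apis": sorted(s for s in strings if s in APIS_OF_INTEREST),
        "registry_paths": [s for s in strings if s.upper().startswith(("SOFTWARE\\", "HKEY_"))],
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:15} {value}")
```

The high-entropy region also yields a few short runs of printable junk, exactly as a real packed section does; that noise is why analysts raise the minimum string length or focus on strings near known offsets. Whole-file entropy close to 8 bits per byte is the quickest static hint that a sample needs unpacking before advanced static analysis is worth the effort.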
Dynamic analysis
Dynamic analysis runs the malware in a controlled, isolated environment and observes its behavior: what files it creates, what registry keys it changes, what processes it spawns, and what network connections it makes. This reveals what the malware actually does at runtime and cuts through obfuscation that defeats static analysis, since a packed sample has to unpack itself in memory before it can run. Network access is typically simulated or sinkholed so the sample reveals its destinations without reaching them. The trade-off is that running malware is inherently riskier and must be tightly contained, and clever samples may detect the analysis environment and refuse to misbehave.
The two are complementary: static analysis gives a safe first read, dynamic analysis confirms real behavior, and serious investigations use both.
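The behavioral report a sandbox returns only becomes useful once someone turns it into indicators and techniques. The script below, an added example rather than code from the original page or from any sandbox product, does that for a constructed, simplified report: it rebuilds the process tree responders want to see, collects the blockable indicators (dropping sandbox-internal addresses), and maps the observed behavior to ATT&CK techniques. The report's field names and the handful of technique rules are assumptions made for this example; a real mapping needs far more rules.

```python
"""Turn a sandbox's behavioural report into IOCs and ATT&CK techniques.

Added example for this article, not code from the original page or from any
sandbox vendor. REPORT is a constructed, simplified stand-in for a real
report, so its field names are assumptions.
"""
import ipaddress
import re

# Constructed report for a fictitious sample: .invalid hostname, TEST-NET-3 IP.
APPDATA_EXE = "C:\\Users\\victim\\AppData\\Roaming\\svc.exe"
REPORT = {
    "sample": {"name": "invoice.exe", "sha256": "ab" * 32},
    "processes": [
        {"pid": 1200, "ppid": 800, "image": "C:\\Users\\victim\\Downloads\\invoice.exe",
         "cmdline": "invoice.exe"},
        {"pid": 1340, "ppid": 1200, "image": "C:\\Windows\\System32\\cmd.exe",
         "cmdline": "cmd.exe /c powershell.exe -nop -w hidden -enc SQBFAFgA"},
        {"pid": 1400, "ppid": 1340, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
        {"pid": 1520, "ppid": 1200, "image": "C:\\Windows\\System32\\schtasks.exe",
         "cmdline": f"schtasks.exe /create /sc minute /mo 15 /tn Updater /tr {APPDATA_EXE}"},
    ],
    "files_written": [APPDATA_EXE],
    "registry_set": [("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", APPDATA_EXE)],
    "network": [
        {"type": "dns", "query": "update.example.invalid", "answer": "203.0.113.10"},
        {"type": "http", "host": "update.example.invalid", "method": "POST",
         "url": "http://update.example.invalid/gate.php"},
        {"type": "tcp", "dst": "10.0.0.5", "port": 445},  # sandbox neighbour, not an IOC
    ],
}

# Sandbox-local ranges whose addresses say nothing about the attacker.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# (technique id, name, predicate over one process record). A real mapping has many more.
PROCESS_RULES = [
    ("T1059.003", "Windows Command Shell", lambda p: p["image"].lower().endswith("\\cmd.exe")),
    ("T1059.001", "PowerShell", lambda p: p["image"].lower().endswith("\\powershell.exe")),
    ("T1027", "Obfuscated Files or Information",
     lambda p: re.search(r"\s-(e|ec|enc|encodedcommand)\s", p["cmdline"], re.I) is not None),
    ("T1053.005", "Scheduled Task",
     lambda p: p["image"].lower().endswith("\\schtasks.exe") and "/create" in p["cmdline"].lower()),
]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def extract_iocs(report: dict) -> dict:
    """Collect the atomic indicators a blocklist or SIEM rule can consume."""
    iocs = {"sha256": {report["sample"]["sha256"]}, "domains": set(), "ips": set(),
            "urls": set(), "files": set(report["files_written"]),
            "registry": {key for key, _ in report["registry_set"]}}
    for ev in report["network"]:
        if ev["type"] == "dns":
            iocs["domains"].add(ev["query"])
            if not is_local(ev["answer"]):
                iocs["ips"].add(ev["answer"])
        elif ev["type"] == "http":
            iocs["domains"].add(ev["host"])
            iocs["urls"].add(ev["url"])
        elif ev["type"] == "tcp" and not is_local(ev["dst"]):
            iocs["ips"].add(ev["dst"])
    return {k: sorted(v) for k, v in iocs.items()}


def map_techniques(report: dict) -> list:
    """Return sorted (id, name) ATT&CK techniques the observed behaviour maps to."""
    found = set()
    for proc in report["processes"]:
        for tid, name, match in PROCESS_RULES:
            if match(proc):
                found.add((tid, name))
    if any("\\currentversion\\run" in key.lower() for key, _ in report["registry_set"]):
        found.add(("T1547.001", "Registry Run Keys / Startup Folder"))
    if any(ev["type"] == "http" for ev in report["network"]):
        found.add(("T1071.001", "Web Protocols"))
    return sorted(found)


def process_tree(report: dict) -> list:
    """Indented parent -> child view of what the sample spawned."""
    procs = report["processes"]
    by_parent, lines = {}, []
    for p in procs:
        by_parent.setdefault(p["ppid"], []).append(p)
    known = {p["pid"] for p in procs}

    def walk(pid, depth):
        for child in by_parent.get(pid, []):
            lines.append("  " * depth + f"{child['pid']} {child['cmdline']}")
            walk(child["pid"], depth + 1)

    for root in sorted({p["ppid"] for p in procs if p["ppid"] not in known}):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(process_tree(REPORT)))
    print(extract_iocs(REPORT))
    for tid, name in map_techniques(REPORT):
        print(tid, name)
```

Note that the cmd.exe record also triggers the encoded-command rule, because the PowerShell invocation appears in its command line; that is deliberate, since either process is a valid place to alert. The local-range filter matters in practice: sandbox resolvers, fake gateways and neighbouring guests show up in every report and would poison a blocklist if exported blindly.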
The four types of malware analysis
In practice, analysis is often described as four levels of increasing depth:
- Basic static analysis: quick, safe inspection of the file's properties, strings, and hashes without running it. Good for triage.
- Basic dynamic analysis: running the sample in a sandbox and watching its high-level behavior. Fast behavioral insight.
- Advanced static analysis (reverse engineering): disassembling the code and reading its instructions with a disassembler/decompiler to understand exactly what it does. Deep but skill-intensive.
- Advanced dynamic analysis: using a debugger to step through the malware's execution and manipulate it, uncovering logic that only triggers under specific conditions.
Analysts typically start shallow and go deeper only as needed — most triage stops at the basic levels, while reverse engineering is reserved for high-priority or novel samples.
The malware sandbox
A sandbox is an isolated, instrumented environment — usually a virtual machine cut off from production networks — where malware can be safely detonated and observed. Automated sandboxes are a workhorse of modern security operations: many EDR tools, email gateways, and threat intelligence platforms automatically detonate suspicious files and return a behavioral report. Because some malware tries to detect virtual machines and "play dead," analysts harden sandboxes to look like real systems.
What malware analysis produces
The real value of analysis is its output, which feeds directly back into defense:
- Indicators of compromise — hashes, domains, IPs, file paths, and registry keys to detect and block, enriched with context such as the family or campaign they belong to and how long they are likely to stay valid.
- Detection rules — YARA rules for files and memory, and behavioral detections.
- TTPs mapped to ATT&CK — the techniques the malware uses, expressed in a shared language.
- Attribution clues — code reuse, infrastructure, and tooling that link the sample to known families or actors.
- A clear report that responders and decision-makers can act on.
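One concrete form that output takes is a YARA rule. As an added example (not from the original page), the script below turns constructed triage findings into a rule that requires the MZ header plus three of four distinguishing strings, and includes a tiny evaluator that applies the same logic to raw bytes so the rule's behavior can be checked without a YARA install. The family name, hash and strings are invented for the example; the evaluator is a stand-in for yara and only understands the rule shape this script emits.

```python
"""Build a YARA rule from static-triage findings and sanity-check its logic.

Added example for this article, not code from the original page. FINDINGS is
constructed (no real sample behind it), and evaluate() is a stand-in for
running yara that understands only the rule shape build_rule() emits.
"""
import re

# Constructed findings from a fictitious loader's static triage.
FINDINGS = {
    "family": "ExampleLoader",
    "sha256": "ab" * 32,
    "strings": {
        "api":   "CreateRemoteThread",
        "c2":    "http://update.example.invalid/c2",
        "mutex": "Global\\ExLdr-7f3a",
        "run":   "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    },
}
# "3 of them" out of four: a rebuilt sample with a new C2 or mutex still matches,
# while a benign binary that merely imports CreateRemoteThread does not.
MIN_STRINGS = 3


def yara_escape(text: str) -> str:
    """YARA text strings use C-style escapes, so backslashes and quotes need escaping."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(findings: dict, min_strings: int = MIN_STRINGS) -> str:
    """Emit a rule requiring an MZ header (uint16(0) == 0x5A4D is 'MZ' little-endian)
    plus min_strings of the distinguishing strings; 'ascii wide' also matches UTF-16LE."""
    name = re.sub(r"\W", "_", findings["family"])
    lines = [f"rule {name}", "{", "    meta:", f'        sha256 = "{findings["sha256"]}"', "    strings:"]
    for ident, text in findings["strings"].items():
        lines.append(f'        ${ident} = "{yara_escape(text)}" ascii wide')
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {min_strings} of them", "}"]
    return "\n".join(lines)


def evaluate(findings: dict, data: bytes, min_strings: int = MIN_STRINGS) -> bool:
    """Apply the emitted rule's logic to raw bytes (the check yara itself would do)."""
    if data[:2] != b"MZ":
        return False
    hits = sum(1 for text in findings["strings"].values()
               if text.encode("ascii") in data or text.encode("utf-16le") in data)
    return hits >= min_strings


# Constructed test buffers: a look-alike with a changed C2 (3 of 4 strings present,
# one of them as UTF-16LE) and a benign file that shares a single string.
LOOKALIKE = (b"MZ" + b"\x00" * 62 + b"CreateRemoteThread\x00"
             + "Global\\ExLdr-7f3a".encode("utf-16le") + b"\x00\x00"
             + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
             + b"http://cdn.example.invalid/new\x00")
BENIGN = b"MZ" + b"\x00" * 62 + b"CreateRemoteThread\x00"

if __name__ == "__main__":
    print(build_rule(FINDINGS))
    print("lookalike matches:", evaluate(FINDINGS, LOOKALIKE))
    print("benign matches:", evaluate(FINDINGS, BENIGN))
```

Keep the hash in meta rather than in the condition: a hash-only rule matches exactly one file and dies with the next rebuild. Before shipping a rule, run it over a corpus of known-good binaries; a string like the Run key path is common in legitimate software, which is why the condition requires several strings together rather than any one of them.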
Common tools and safety
Analysts use disassemblers and decompilers, debuggers, sandboxes, network capture tools, and string/hash utilities, alongside multi-engine scanning services. Two safety rules matter most. First, malware should only ever be analyzed in an isolated lab environment that cannot reach production systems and has no uncontrolled internet access; detonating a live sample on a normal machine risks the very infection you're trying to study. Second, uploading a sample to a public multi-engine service can disclose it, and any victim data embedded in it, to other subscribers of that service, including the attacker, so check whether a hash lookup is enough before submitting a targeted sample.
Anti-analysis: how malware fights back
Malware authors know their creations will be analyzed, so they build in defenses specifically to slow analysts down. Recognizing these techniques is part of the craft:
- Packing and obfuscation: compressing or encrypting the code so static analysis sees only scrambled data until it's unpacked.
- Anti-VM / anti-sandbox checks: detecting telltale signs of a virtual machine or analysis environment and refusing to run, so dynamic analysis sees nothing malicious.
- Anti-debugging: detecting an attached debugger and altering behavior or crashing to thwart advanced dynamic analysis.
- Time delays and triggers: "sleeping" for a long time or only activating under specific conditions (a certain date, language setting, or user action) to outlast automated sandboxes.
This is a cat-and-mouse game: analysts harden their environments to look like real systems and patch out anti-analysis checks, while authors invent new evasions. It's also why combining static and dynamic methods matters — a technique that defeats one approach often leaves traces visible to the other.
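The anti-VM and timing checks above are easy to reproduce, and reproducing them is how analysts audit the sandbox described earlier before trusting its reports. Below is an added example (not code from the original page) in Python: the artifact checks are the well-known VMware and VirtualBox tells (MAC address prefixes, guest-tools processes and registry keys) plus the "looks unused" heuristics, run against a constructed snapshot of a default VM and of a hardened one; the resource thresholds and the snapshot's field names are assumptions. The sleep check shows why patching Sleep alone is not enough: a sample compares the clock before and after.

```python
"""Anti-VM checks of the kind malware performs, turned into a sandbox audit.

Added example for this article, not code from the original page. The artefact
lists are the widely known VMware/VirtualBox tells; the host snapshots are
constructed so the script runs anywhere, and their field names are this
example's own, not any tool's format.
"""
import time

VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}
VM_PROCESSES = {
    "vmtoolsd.exe": "VMware Tools", "vmwaretray.exe": "VMware Tools",
    "vboxservice.exe": "VirtualBox Guest Additions", "vboxtray.exe": "VirtualBox Guest Additions",
}
VM_REGISTRY_KEYS = {
    "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools": "VMware Tools",
    "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions": "VirtualBox Guest Additions",
}
# What a sample might treat as "too small to be a real workstation" (assumed thresholds).
MIN_RAM_GB, MIN_CPUS, MIN_DISK_GB, MIN_UPTIME_MIN = 4, 2, 80, 10

# Constructed snapshots of a default analysis VM and a hardened one.
UNHARDENED = {
    "mac": "00:0C:29:3A:2B:1C",
    "processes": ["explorer.exe", "vmtoolsd.exe", "svchost.exe"],
    "registry_keys": ["HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"],
    "ram_gb": 2, "cpus": 1, "disk_gb": 40, "uptime_min": 1, "recent_documents": 0,
}
HARDENED = {
    "mac": "02:1A:2B:3C:4D:5E",          # locally administered, not a hypervisor OUI
    "processes": ["explorer.exe", "svchost.exe", "outlook.exe"],
    "registry_keys": [],
    "ram_gb": 8, "cpus": 4, "disk_gb": 256, "uptime_min": 95, "recent_documents": 23,
}


def vm_artifacts(snapshot: dict) -> list:
    """Return the tells a sample could use to recognise this machine as a sandbox."""
    findings = []
    prefix = snapshot["mac"].upper()[:8]
    if prefix in VM_MAC_PREFIXES:
        findings.append(f"MAC prefix {prefix} belongs to {VM_MAC_PREFIXES[prefix]}")
    for proc in snapshot["processes"]:
        vendor = VM_PROCESSES.get(proc.lower())
        if vendor:
            findings.append(f"process {proc} is part of {vendor}")
    for key in snapshot["registry_keys"]:
        if key in VM_REGISTRY_KEYS:
            findings.append(f"registry key {key} is written by {VM_REGISTRY_KEYS[key]}")
    for field, floor, label in (("ram_gb", MIN_RAM_GB, "GB RAM"), ("cpus", MIN_CPUS, "CPUs"),
                                ("disk_gb", MIN_DISK_GB, "GB disk"),
                                ("uptime_min", MIN_UPTIME_MIN, "minutes uptime")):
        if snapshot[field] < floor:
            findings.append(f"only {snapshot[field]} {label} (real hosts usually have >= {floor})")
    if snapshot["recent_documents"] == 0:
        findings.append("no recent documents: the machine looks unused")
    return findings


def sleep_skipped(requested_s: float, sleep=time.sleep, clock=time.monotonic) -> bool:
    """The check behind time-delay evasion: ask for a sleep, then compare the wall
    clock. If the sandbox patched Sleep to return immediately without also moving
    the clock forward, far less time has passed than requested and the sample knows."""
    start = clock()
    sleep(requested_s)
    return clock() - start < requested_s / 2


if __name__ == "__main__":
    for label, snap in (("default VM", UNHARDENED), ("hardened VM", HARDENED)):
        print(f"{label}: {len(vm_artifacts(snap))} tell(s)")
        for finding in vm_artifacts(snap):
            print("  -", finding)
    print("sleep skipped:", sleep_skipped(0.01))
```

Running the same checks from inside a candidate sandbox, with real adapter, process and registry enumeration in place of the snapshot, gives a checklist of what to rename, remove or fake. The sleep check is the reason mature sandboxes both hook the sleep APIs and advance the guest clock consistently, rather than simply skipping the wait.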
How malware analysis powers threat intelligence
Malware analysis is one of the primary engines of threat intelligence. Every indicator in a feed, every YARA rule shared in a community, and every ATT&CK-mapped technique in a report ultimately traces back to someone analyzing a sample. It's also closely tied to threat hunting: the behaviors analysis uncovers become the hypotheses hunters test across their environment. In this way, dissecting one sample protects thousands of organizations that will never see it.
The bottom line
Malware analysis is the disciplined study of malicious code to learn what it does and how to stop it. Static analysis inspects a sample without running it; dynamic analysis runs it safely to observe real behavior; and the four levels — from basic triage to full reverse engineering — let analysts go as deep as a threat warrants. The output (indicators, YARA rules, ATT&CK-mapped TTPs, and attribution) is what turns a single captured sample into protection for everyone. To see the malware research and campaign reporting this work produces, follow our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is malware analysis?
Malware analysis is the process of studying malicious software to understand how it works, what it does, where it came from, and how to detect and defend against it. Its output — indicators, detection rules, and mapped techniques — drives detection, incident response, and threat intelligence.
What is the difference between static and dynamic malware analysis?
Static analysis examines the malware without executing it — inspecting its file properties, strings, and code — which is fast and safe but can be defeated by obfuscation. Dynamic analysis runs the malware in an isolated environment to observe its real behavior, cutting through obfuscation but carrying more risk.
What are the four types of malware analysis?
Basic static analysis (inspecting the file without running it), basic dynamic analysis (running it in a sandbox to watch behavior), advanced static analysis (reverse engineering the disassembled code), and advanced dynamic analysis (using a debugger to step through execution).
What is a malware sandbox?
A sandbox is an isolated, instrumented environment — typically a virtual machine cut off from production networks — where malware can be safely detonated and observed. Many EDR tools, email gateways, and threat intelligence platforms use automated sandboxes to analyze suspicious files.
Why is malware analysis important for threat intelligence?
Nearly every indicator of compromise, YARA rule, and ATT&CK-mapped technique in a threat feed traces back to someone analyzing a malware sample. Analysis turns a single captured sample into detection rules and context that protect many organizations that will never encounter it directly.