Last Updated: 2021-08-15 21:35:25 UTC
by Didier Stevens (Version: 1)
I was asked for tips to triage MALWARE Bazaar's daily malware batches.
On Linux / macOS, you can unzip a malware batch and triage it with the file command.
On Windows, I don't like to unzip the content of a daily malware batch to disk, because the malware samples keep their original extension. For example, a malicious Windows executable will have extension .exe, like malware.exe, and that makes for a higher risk of inadvertently executing malware.
What I prefer to do is unzip the content of the ZIP file in memory and pipe that into file-magic, like this:
The internal format I use is JSON, hence the -j and --jsoninput options.
Note that this will not be fast: on yesterday's malware batch (170 MB), it took almost 10 minutes. It's more something to use in a daily bash script: download a malware batch, and triage it with zipdump and file-magic.
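As an added illustration of the same idea (this is example code, not Didier's zipdump.py or file-magic.py), the script below reads each ZIP entry into memory and classifies it by its leading magic bytes, so no sample is ever written to disk under its original extension. The signature table is a small, constructed subset for demonstration, and the sample "batch" is built in memory from harmless header bytes; a password (MalwareBazaar uses "infected") is assumed to be ZipCrypto-compatible, which is what Python's zipfile supports.

```python
"""Added example: in-memory triage of a ZIP batch by magic bytes, JSON output."""
import io
import json
import zipfile
from typing import Optional

# Constructed, illustrative subset of file signatures: (magic, offset, label).
# A real triage would use libmagic (file / file-magic.py); this is only a demo.
SIGNATURES = [
    (b"MZ", 0, "PE executable (MZ header)"),
    (b"\x7fELF", 0, "ELF executable"),
    (b"%PDF-", 0, "PDF document"),
    (b"PK\x03\x04", 0, "ZIP archive (also OOXML, JAR, APK)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "OLE2 compound document (legacy Office)"),
    (b"{\\rtf", 0, "RTF document"),
    (b"#!", 0, "script with shebang"),
]


def identify(head: bytes) -> str:
    """Return a label for the first signature that matches the header bytes."""
    for magic, offset, label in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def triage_zip(zip_bytes: bytes, password: Optional[bytes] = None) -> list:
    """Classify every file entry of a ZIP held in memory; nothing touches disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first 64 bytes are needed for the signature check.
            with zf.open(info, pwd=password) as fh:
                head = fh.read(64)
            results.append({
                "name": info.filename,
                "size": info.file_size,
                "type": identify(head),
            })
    return results


def build_sample_batch() -> bytes:
    """Constructed stand-in for a daily batch: harmless bytes with real-looking headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 62 + b"constructed, not a program")
        zf.writestr("report.pdf", b"%PDF-1.7\n%constructed\n")
        # Extension lies: the content is plain text, and the magic check says so.
        zf.writestr("notes.txt.exe", b"just text, despite the extension")
        zf.writestr("macro.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    # Same JSON-style output idea as piping zipdump into file-magic with --jsoninput.
    print(json.dumps(triage_zip(build_sample_batch()), indent=2))
```

For a real batch, replace `build_sample_batch()` with the bytes of the downloaded ZIP and pass `password=b"infected"`; the type column, not the file name, is what you sort on, which is exactly why the mislabelled `notes.txt.exe` above shows up as "unknown" rather than as an executable.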