What are the differences between Static, Dynamic and Hybrid Malware Analysis?

In 2019, 114 million new malware applications were detected. 43 million new threats were already picked up in the first quarter of 2020 alone. Experts predict 2020 will see 120 million new malicious programs enter the global arena.

In total, that means over 677 million cyber pests were created over a 10-year period between 2010 and 2020. The sheer scale can only be likened to a global cyberwar.

The shortage of cybersecurity skills and talent is making this an uphill battle for businesses and existing security professionals. The best hope is constant improvement and optimization of malware analysis techniques.

What is malware analysis? Simply put, it’s a group of methods and techniques used to identify and detect malicious algorithms or programs by analyzing their contents and behaviors.

With the types of malware multiplying exponentially, the stakes are getting higher. To prevent attacks altogether, or mitigate the damage, detecting emerging threats as early, efficiently, and accurately as possible is key.

With that in mind, let’s look at some basic techniques that defenders have in their arsenal.

 

What is Static Malware Analysis?

Static malware analysis functions similarly to signature-based and statistical-based analysis. In fact, it usually incorporates functions of both techniques.

We have come to know that there are typical behaviors and statistical indications common to most malware. Using these forensic clues, a security expert or anti-virus software can analyze the program and decide whether it is likely to be malware.

The malware program also does not need to be run for it to be detected. By analyzing its opcode sequences and control flow graphs, we can determine whether it looks similar to known malware.

String extraction from the executable file is a common method of finding suspicious programming. Telltale signs include finding and replacing files, connecting to external servers, packing the executable to obfuscate it, and loading certain libraries and functions. Code can also be broken down into assembly language to peer deeper into its inner workings.
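To make the string-extraction step concrete, here is a small triage script added as an illustration (it is not from the original article). It pulls ASCII and UTF-16LE strings out of a byte buffer, groups them by the telltale signs listed above, and uses byte entropy as a packing hint; the indicator patterns and the sample bytes are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Categories follow the telltale signs listed above; the specific API names
# and patterns are illustrative assumptions, not a complete rule set.
INDICATORS = {
    "network": re.compile(r"https?://|InternetOpen|URLDownloadToFile|WSAStartup", re.I),
    "file_search_replace": re.compile(r"FindFirstFile|FindNextFile|MoveFileEx|DeleteFile", re.I),
    "dynamic_loading": re.compile(r"LoadLibrary|GetProcAddress", re.I),
    "packer_marker": re.compile(r"UPX[0-9!]"),
}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([r.decode("ascii") for r in ascii_runs]
            + [r.decode("utf-16le") for r in wide_runs])

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values close to 8 point to compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes) -> dict:
    """Group extracted strings by indicator category and report overall entropy."""
    hits = {name: [] for name in INDICATORS}
    for s in extract_strings(data):
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[name].append(s)
    return {"entropy": shannon_entropy(data),
            "hits": {k: v for k, v in hits.items() if v}}

# Constructed sample bytes (not a real binary): UPX-style section names, two
# import names, a UTF-16LE URL, then uniform filler standing in for a packed body.
SAMPLE = (
    b"MZ\x90\x00\x03\x00UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    b"KERNEL32.DLL\x00LoadLibraryA\x00GetProcAddress\x00\x00"
    + "http://host.example.invalid/gate".encode("utf-16le") + b"\x00\x00"
    + bytes(range(256)) * 8
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit in any category is a lead for the analyst, not a verdict: legitimate installers also load libraries dynamically and ship compressed.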

 

If you want to see what a malware analysis report looks like, check out our analysis of the Snatch Ransomware.

 

What is Dynamic Malware Analysis?

As you might guess, during dynamic analysis the suspected program is actually run. However, this is done in a safe, sandboxed (usually virtual) environment where it cannot affect your actual systems.

This allows us to see the potential malware in action and to deduce from its behavior whether it is indeed malware. It also allows malware analysts to get a better understanding by controlling the execution flow and observing how the sample interacts with the system, such as attempts at creating persistence or accessing sensitive data.

Dynamic analysis improves on static analysis in several ways when it comes to delivering results. It’s much harder to obfuscate or conceal run-time actions than static binary code. Any unexpected changes to the system are immediate signs of malicious software. Meanwhile, the malware is just doing what it is supposed to do, without the analyst having to dissect the internals.

However, sophisticated malware can hide its run-time activities, to a degree. In rare cases, a sample can detect that it is being run in a testing environment. In this case, suspicious actions will not execute until it determines it is running on a normal system. Some particularly nasty samples purposefully destroy the machine to try and spoil the analyst’s day.
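The "unexpected changes to the system" check described in this section can be sketched as a before/after snapshot comparison. The following is an added example, not code from the original article: the snapshot format (path mapped to a content hash or value), the persistence patterns, the noise list and all sample data are assumptions constructed for illustration.

```python
import fnmatch

# Locations commonly used for persistence on Windows. Illustrative and
# incomplete; chosen for this example, not taken from the article.
PERSISTENCE = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\*",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*",
    r"*\Start Menu\Programs\Startup\*",
    r"C:\Windows\System32\Tasks\*",
]

def matches(path: str, patterns) -> bool:
    """Case-insensitive glob match; '*' also spans backslashes."""
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)

def diff_snapshots(before: dict, after: dict) -> list:
    """Return (change, path) pairs between two {path: content-hash-or-value} maps."""
    changes = [("created", p) for p in after if p not in before]
    changes += [("modified", p) for p in after if p in before and after[p] != before[p]]
    changes += [("deleted", p) for p in before if p not in after]
    return sorted(changes)

def unexpected_changes(before: dict, after: dict, noise=()) -> list:
    """Drop changes a clean run also produces, then tag persistence locations."""
    findings = []
    for change, path in diff_snapshots(before, after):
        if matches(path, noise):
            continue
        tag = "persistence" if change != "deleted" and matches(path, PERSISTENCE) else "other"
        findings.append((change, path, tag))
    return findings

# Constructed snapshots of a sandbox guest before and after running a sample.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BEFORE = {
    r"C:\Users\analyst\Documents\report.docx": "hash-a1",
    r"C:\Windows\Prefetch\SVCHOST.EXE-0000.pf": "hash-b1",
    RUN + r"\OneDrive": "OneDrive.exe /background",
}
AFTER = {
    r"C:\Users\analyst\Documents\report.docx.locked": "hash-a2",
    r"C:\Windows\Prefetch\SVCHOST.EXE-0000.pf": "hash-b2",
    RUN + r"\OneDrive": "OneDrive.exe /background",
    RUN + r"\Updater": r"C:\Users\analyst\AppData\Roaming\upd.exe",
    r"C:\Users\analyst\AppData\Roaming\upd.exe": "hash-c1",
}
NOISE = [r"C:\Windows\Prefetch\*"]  # learned from a run with no sample present
if __name__ == "__main__":
    print(*unexpected_changes(BEFORE, AFTER, NOISE), sep="\n")
```

The noise list matters in practice: an idle operating system changes files on its own, so "unexpected" only has meaning relative to a clean baseline run. A sample that stays dormant in the sandbox, as described above, produces an empty diff, which is why an empty result is not proof of a benign file.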

What is Hybrid Malware Analysis?

Hybrid analysis combines techniques from both methodologies to cover each other’s shortcomings. Certain actions that can be hidden at run-time may be detected when unpacking the binary files or viewing them in assembly code. Similarly, obfuscated opcode may be revealed when it executes, and the actions or results are detected live.

Conclusion: Is There a Best Analysis Method?

Instinctively, one might think that a hybrid approach is the best because it covers more ground. However, especially in a business context, efficiency (accuracy vs. cost) is a very real concern as well. Furthermore, research suggests that different methodologies and combinations of methods are better at detecting certain threats.

Simply sharpening up malware detection or analysis in your organization is not enough. It must also be tailored to the threats your organization faces and their severity. However, it is important to acquaint yourself with contemporary analysis practices today, so you can better adapt to the ever-changing future. Know what approaches to malware analysis there are, and you will be in a better position to start that process.

 

References

A Comparison of Static, Dynamic, and Hybrid Analysis for Malware Detection