Donnie Celestre, ECE, M.Sc.

Research Note

Back to research

Malware Analysis Walkthroughs | Donnie Celestre

A practical note on how to document malware analysis in a way that is useful to incident response, detection engineering, and downstream technical review.

Topic

Malware Analysis

Published

March 6, 2026

Reading Time

7 min read

Core idea: a strong malware walkthrough is not just a reverse engineering diary. It should show how evidence was collected, what conclusions are well-supported, what remains uncertain, and what operational decisions should follow.

Why Walkthrough Quality Matters

Malware analysis often fails at the handoff point. A sample may be unpacked correctly, strings may be extracted, and behavior may be understood by the analyst who did the work, but the output still becomes hard to use for the rest of the team.

That usually happens when the walkthrough is missing one or more of these:

  • a clear statement of what the sample appears to do
  • evidence tied to specific conclusions
  • prioritization of what matters versus what is noise
  • a path from analysis findings into detections, triage logic, or response actions

The goal is not only to explain the malware. The goal is to produce an artifact that another analyst, an incident responder, or a detection engineer can act on without replaying the whole investigation from scratch.

A Practical Malware Analysis Flow

I prefer a repeatable workflow that starts with evidence discipline and ends with operational output.

flowchart LR intake["Sample Intake"] --> triage["Initial Triage"] triage --> static["Static Analysis"] static --> pivot["Reversing or Sandbox Pivots"] pivot --> conclusion["Behavioral Conclusion"] conclusion --> output["Detection and Response Output"]

Workflow chain: move from intake and triage into static analysis, use reversing or sandbox pivots only where they materially change understanding, then convert findings into defensive output.

1. Start With Triage, Not Assumptions

Before deeper analysis, establish the fast facts:

  • file type, hashes, size, compiler or packer hints
  • obvious strings, imports, sections, entropy, and embedded resources
  • whether the sample resembles commodity tooling, a loader stage, or something more targeted
  • whether the sample is urgent enough to require immediate containment-driven reporting before full analysis

This stage is not glamorous, but it prevents wasted effort and helps decide whether the sample needs sandboxing, static reversing, or both.

2. Separate Observable Behavior From Interpretation

Analysts often mix evidence and inference too early. I try to keep those apart.

Observable evidence includes:

  • process creation or injection behavior
  • filesystem, registry, network, or scheduled-task activity
  • decoded strings, configuration blocks, mutex names, or C2 patterns
  • anti-analysis checks, timing behavior, and environment gating

Interpretation comes after that:

  • likely objective of the sample
  • whether the sample is a loader, stealer, downloader, or persistence component
  • confidence level of the family or campaign attribution

That distinction makes the walkthrough more defensible when the sample is incomplete or partially evasive.

3. Document Pivots That Changed The Analysis

The most valuable walkthroughs do not list every step equally. They highlight the pivots that materially changed understanding.

Examples:

  • a decoded string table that revealed network intent
  • a configuration parser that exposed the real execution path
  • a sandbox run that proved persistence or credential access
  • a reversing pivot that showed a packed stage was mostly noise

Those moments are what other analysts learn from. They also make the report easier to scan under time pressure.

What The Final Walkthrough Should Deliver

At minimum, a useful malware analysis note should produce four outputs.

flowchart TD walkthrough["Malware Walkthrough"] --> summary["Behavioral Summary"] walkthrough --> evidence["Evidence Highlights"] walkthrough --> defensive["Defensive Follow-Through"] walkthrough --> questions["Open Questions"]

Behavioral Summary

A short paragraph that says what the sample appears to do, how confident that conclusion is, and what makes the behavior relevant.

Evidence Highlights

A compact set of the strongest artifacts:

  • notable strings or configuration items
  • important API or import usage
  • network destinations or protocol patterns
  • persistence, execution, or data collection behavior

Defensive Follow-Through

The walkthrough should produce something beyond explanation:

  • hunt pivots
  • detection opportunities
  • triage rules
  • sandbox or memory-analysis follow-up ideas
  • responder-facing cautions

Open Questions

Every serious analysis has uncertainty. If a stage is encrypted, gated, or environment-sensitive, say so directly. Clear uncertainty is more useful than false completeness.

Common Walkthrough Failure Modes

Too Much Raw Detail, Not Enough Signal

Dumping every string, every section, or every API call creates noise. The walkthrough should emphasize what changes the assessment.

Overstating Attribution

Family labels and actor guesses are easy places to overreach. Unless the evidence is strong, it is better to describe capability and behavior precisely than to force weak attribution.

Ending Before Operational Output

If the note ends with “interesting malware sample” but does not explain what defenders should now do, the analysis is incomplete.

A Better Standard

The best malware walkthroughs function as reusable investigation artifacts. They preserve evidence, explain reasoning, and create outputs that improve triage, detection, and response speed for the next incident.

That is the standard I aim for: not just understanding the sample, but converting that understanding into something another operator can immediately use.