Binary (PE) Analysis
Decoder parses Windows PE binaries to expose the structural signals a reviewer needs: sections, imports, exports, per-section entropy and known IoCs.
What it is
PE header and section parsing combined with entropy and IoC matching.
Why it's useful
Most static malware verdicts come from structure, not bytes. Surfacing imports and packed sections fast accelerates triage.
How Decoder implements it
Custom PE parser → section metadata + entropy → import table extraction → IoC and string matchers → normalised report.
When to use it
Untrusted executables, dropped artefacts, suspicious attachments.
When NOT to use it
Runtime behaviour analysis — that needs a sandbox.
Practical example
A dropper with a packed `.text` (entropy 7.85), Win32 imports (`VirtualAlloc`, `CreateProcessW`) and an encoded PowerShell stage embedded in `.rdata`.
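An added illustration of the section-parsing and per-section entropy step (example code written for this page, not Decoder's own parser): it walks the DOS header, PE signature, COFF header and section table of a constructed minimal image, computes Shannon entropy per section with bounds checks on the raw-data pointers, and flags sections at or above a rule-of-thumb threshold of 7.2, an assumed cut-off that the page does not state.

```python
import math
import struct

PACKED_THRESHOLD = 7.2  # rule-of-thumb cut-off for "looks packed or encrypted" (an assumption)

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: 0.0 for a constant run, 8.0 for perfectly uniform bytes.
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes) -> list:
    # DOS header -> PE signature -> COFF header -> section table, bounds-checked so a
    # malformed header cannot make the parser slice past the end of the file.
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first 40-byte section header
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        if raw_ptr + raw_size > len(pe):
            raise ValueError(f"section {i} raw data runs past end of file")
        entropy = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "raw_size": raw_size, "entropy": round(entropy, 2)})
    return sections

def flag_packed(sections: list, threshold: float = PACKED_THRESHOLD) -> list:
    # Section names whose entropy reaches the threshold (the page's 7.85 .text would trip this).
    return [s["name"] for s in sections if s["entropy"] >= threshold]

def build_sample_pe() -> bytes:
    # Constructed sample, not a real binary: uniform-byte .text (what packing looks like), repetitive .rdata.
    text = bytes(range(256)) * 4                  # 1024 bytes, entropy exactly 8.0
    rdata = b"Hello, world!\0" * 32               # 448 bytes, entropy about 3.3
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C points to 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 16, 0x102)
    opt = b"\0" * 16                              # dummy optional header, SizeOfOptionalHeader = 16
    def sec(name, size, ptr):                     # IMAGE_SECTION_HEADER with unused fields zeroed
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0)
    headers = dos + coff + opt + sec(b".text", len(text), 0x200) + sec(b".rdata", len(rdata), 0x200 + len(text))
    return headers.ljust(0x200, b"\0") + text + rdata
```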
Glossary
- PE: Portable Executable — the Windows binary format for .exe/.dll.
- Import table: list of external functions a binary calls — often a strong behavioural hint.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
Entropy is a statistical measure of how 'random' the bytes in a file look. In malware analysis, abnormally high entropy is a strong signal that a section is packed, encrypted or otherwise obfuscated.
ZIPs are the most common way to ship code and the most abused way to ship malware. Decoder ingests a ZIP server-side with hardened guards and exposes its content for review.
YARA is a rule language used by malware analysts to describe families and behaviours. Decoder applies YARA-style heuristics during malware scans.