Entropy in Malware Analysis
Entropy is a statistical measure of how 'random' the bytes in a file look. In malware analysis, abnormally high entropy is a strong signal that a section is packed, encrypted or otherwise obfuscated.
What it is
Shannon entropy: H = −Σ p(x) log₂ p(x), where p(x) is the relative frequency of byte value x in the data. It ranges from 0 (every byte identical) to 8 bits per byte (all 256 values equally likely, as in random or well-encrypted data).
Why it's useful
A cheap, deterministic signal: it needs one pass over the bytes and no execution. It correlates strongly with packing and encryption, which makes it useful for gating deeper analysis.
How Decoder implements it
Computed per PE section and per file in the static pipeline; values > 7.0 are surfaced with a rationale.
When to use it
Triage of PE/ELF binaries, suspect ZIP members, dropped artefacts.
When NOT to use it
As a sole verdict — high entropy ≠ malicious (compressed installers are also high-entropy). Always combine with other signals.
Practical example
LockBit dropper showed `.text` H ≈ 7.85 — combined with suspicious imports and an encoded PowerShell stage, it was a confident static verdict.
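The following is an added example, not Decoder's own code: it implements the per-section entropy computation and the "> 7.0 with a rationale" gating described above, and it also shows the caveat that a benign compressed blob clears the same threshold as an encrypted one. The section names, byte contents and the padded file are constructed here for illustration (no real binary is parsed).

```python
import math
import random
import zlib
from collections import Counter

HIGH_ENTROPY = 7.0  # bits per byte; the threshold above which a section is surfaced


def shannon_entropy(data: bytes) -> float:
    """H = -sum p(x) log2 p(x) over byte values: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = 512) -> list:
    """Entropy per fixed window, so a small encrypted blob is not averaged away by surrounding padding."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def triage(sections: dict) -> list:
    """Return (section, entropy, rationale) for sections above HIGH_ENTROPY. A rationale, not a verdict."""
    hits = []
    for name, blob in sections.items():
        h = shannon_entropy(blob)
        if h > HIGH_ENTROPY:
            hits.append((name, round(h, 2),
                         f"{name}: H={h:.2f} > {HIGH_ENTROPY}; packed, encrypted or merely compressed. "
                         f"Corroborate with imports and strings before calling it malicious."))
    return hits


# Constructed sample "sections" (hypothetical; not taken from any real file).
_rng = random.Random(7)
_hex16 = bytes(_rng.choice(b"0123456789abcdef") for _ in range(4096))  # 16-symbol alphabet -> H close to 4.0
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec\x90" * 1024,                       # repetitive code-like bytes: H = 2.0
    ".rsrc": zlib.compress(_hex16, 9),                         # benign compressed payload: also high entropy
    ".data": bytes(_rng.getrandbits(8) for _ in range(4096)),  # stands in for an encrypted stage
}
# Mostly padding with a 1 KiB random blob: whole-file H stays low, the blob still shows up per chunk.
PADDED_FILE = b"\x00" * 16384 + bytes(_rng.getrandbits(8) for _ in range(1024))

if __name__ == "__main__":
    for _name, _h, why in triage(SAMPLE_SECTIONS):
        print(why)
    print(f"whole file H={shannon_entropy(PADDED_FILE):.2f}, "
          f"max chunk H={max(chunk_entropies(PADDED_FILE)):.2f}")
```

Run as a script it prints the two surfaced sections (`.rsrc` and `.data`, not `.text`) and the whole-file versus per-chunk contrast for the padded file.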
FAQ
Glossary
- Shannon entropy: Information-theoretic measure of uncertainty in a distribution.
- Packing: Compressing or encrypting an executable to hide its real payload until runtime.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
Decoder parses Windows PE binaries to expose the structural signals a reviewer needs: sections, imports, exports, per-section entropy and known IoCs.
ZIPs are the most common way to ship code and the most abused way to ship malware. Decoder ingests a ZIP server-side with hardened guards and exposes its content for review.
PowerShell is the workhorse of Windows post-exploitation. Decoder reads `.ps1` files statically and surfaces the patterns attackers rely on: encoded commands, `Invoke-Expression`, download cradles, AMSI bypasses.
Obfuscation hides intent. Decoder flags suspicious entropy, base64 walls, eval chains, and packing markers so reviewers can focus on what's actually hidden.
A leaked key is the most common breach vector. Decoder combines provider-specific regex (AWS, GitHub, Stripe…) with entropy to flag secrets that don't belong in code.