What to Include in a Malware Analysis Report

A malware analysis report should cover identification details (hashes, AV names), specimen characteristics and dependencies, behavioral and code analysis findings, supporting figures, and indicators of compromise for detection. Using mind maps during analysis helps organize observations for the final report.

The following note summarizes my recommendations for what to include in the report that describes the results of the malware analysis process. A typical malware analysis report covers the following areas:

Summary of the analysis: Key takeaways should the reader get from the report regarding the specimen’s nature, origin, capabilities, and other relevant characteristics.
Identification: The type of the file, its name, size, hashes (such as SHA256 and imphash), malware names (if known), current anti-virus detection capabilities.
Characteristics: The specimen’s capabilities for infecting files, self-preservation, spreading, leaking data, interacting with the attacker, and so on. For a good reference of what characteristics you may need to capture take a look at the MAEC Malware Capabilities project or the alternative effort Malware Behavior Catalog (MBC).
Dependencies: Files and network resources related to the specimen’s functionality, such as supported OS versions and required initialization files, custom DLLs, executables, URLs, and scripts.
Behavioral and code analysis findings: Overview of the analyst’s behavioral, as well as static and dynamic code analysis observations.
Supporting figures: Logs, screenshots, string excerpts, function listings, and other exhibits that support the investigators analysis.
Incident recommendations: Indicators for detecting the specimen on other systems and networks (a.k.a. indicators of compromise or IOCs), and possible for eradication steps.

Malware analysis should be performed according to a repeatable process. To accomplish this, the analyst should save logs, take screenshots, and maintain notes during the examination. This data will allow the person to create an analysis report with sufficient detail that will allow a similarly-skilled analyst to arrive at equivalent results.

A convenient way of keeping track of your observations during the reverse-engineering process is to use a mind map, which organizes your notes, links, and screenshots on a single easy-to-see canvas. You can download my mind map template for such a report as an XMind file or a PDF file.

For Anuj Soni’s perspective on this topic, see his article How to Track Your Malware Analysis Findings. To learn more about malware analysis, take a look at the FOR610 course, which explains how to reverse-engineer malicious software.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →