A malware report is only as useful as readers' ability to find in it what they need. This customizable template organizes the findings into a coherent structure, so a responder, a manager, or a fellow researcher can benefit from the analysis.
Malware analysis produces many insights about a sample, its capabilities, and detection opportunities. But communicating those details so others can act on them isn’t easy. The malware analysis report template helps with that. It gives analysts a structured way to present what they found, from defender-actionable findings to the supporting analysis behind them.
Download the Template
Download the template and make it your own. It’s available as Markdown and Word files.
You can also use my MCP server with your AI agent to generate or improve malware analysis reports using this template and my guidance. It’s designed to offer insights without receiving your sensitive data. To use it, add https://website-mcp.zeltser.com/mcp to your AI agent’s config.
If you’d rather build your own tooling around my guidance, you can also download my insights as a YAML file, which your AI tool can use in a way that fits your needs.
How the Report Is Organized
The report template organizes its content so readers can quickly find what they need. For authors, it offers placeholders and guidance to capture, explain, and share their findings. The template works both for the analysis of a single file and for a chain of related artifacts.
- Executive Summary: A paragraph explaining what the sample is, how it gets in, and what it does.
- Sample Snapshot: A quick-reference profile covering the malware family and confidence, key capabilities, target platform, the primary artifact, and the infection vector.
- Malware Family Identification: A structured record of the family the sample belongs to, the basis for that call (such as a YARA rule, string overlap, or code reuse), and the confidence level.
- Component Inventory: One row per file or artifact in the sample set, capturing role, file name, type, and notes, with a short flow description for multi-component samples.
- Runtime Requirements: What the sample needs to run, including OS dependencies (DLLs, registry keys, runtime versions) and ecosystem dependencies (permissions, manifest declarations, marketplace identifiers, abused APIs, and so on).
- Sources: Where the sample and supporting data came from, such as internal telemetry, OSINT, or partner sharing.
- Capabilities: Observed behaviors mapped to the Malware Behavior Catalog, including anti-analysis behaviors.
- Indicators of Compromise: Indicators in a structured table covering hashes, IP addresses, domain names, cloud resources, network artifacts, and host artifacts.
- Analysis Details: The supporting evidence behind the key findings, with subsections for automated analysis, static properties, behavioral analysis, memory analysis, and code analysis.
- What We Don't Know: What the analysis couldn't resolve, couldn't trigger, or couldn't verify.
- Infection Vector (Optional): How the sample reached the target, referencing MITRE ATT&CK Initial Access techniques where applicable, with the distribution URL or source path when known.
- Detection Engineering (Optional): Detection logic that generalizes beyond the listed indicators, such as a YARA rule keyed to the family. Sigma and other SIEM or EDR rules are optional.
- About this Report: The report metadata, including title, authorship, classification, follow-up contact, and a changelog.
- Appendix: Analysis Environment: The environment used for the analysis, such as REMnux or FLARE VM, plus the sandbox configuration, so other analysts can reproduce the work.
- Appendix: Analysis Scripts (Optional): Links to any config extractors, deobfuscation scripts, or notebooks used, so others can reproduce the findings.
Frameworks Behind the Template
The template incorporates established frameworks where they fit:
- The Malware Behavior Catalog (MBC) is the practitioner-facing taxonomy for what malware does, and the Capabilities section maps the sample's behaviors to it. MAEC is the machine-readable sibling specification.
- MITRE ATT&CK names adversary techniques. The Infection Vector section references its Initial Access techniques, and the Capabilities section cites an ATT&CK technique in its Notes column when a behavior has no fitting MBC entry.
- David Bianco's Pyramid of Pain ranks indicator types by how much it costs the adversary to change them. Hashes are trivial to change; behavioral artifacts cost the adversary far more, so the report should not stop at hashes.
- ICD-203 defines the high, moderate, and low confidence levels the report uses to rate its malware family identification.
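To show how the structured sections described above (Component Inventory, Indicators of Compromise, Malware Family Identification) and the Pyramid of Pain ordering can be produced from data rather than typed by hand, here is an added example in Python. It is not tooling that ships with the template or with this site; the file names, byte contents, IP address, hostname, and registry key in it are constructed for the demo, and ordering the IOC table by Pyramid of Pain tier is a choice made in this example, not something the template prescribes. Hashes are computed from the artifact bytes so they can never be mistyped, every indicator is validated before it is rendered, network indicators are defanged, and the confidence level is checked against the ICD-203 vocabulary.

```python
"""Render the Component Inventory, IOC table, and family-identification
sections of a malware analysis report from structured data.

Added example for this article; not tooling shipped with the template.
Every artifact, indicator, and file content below is constructed for the
demo.  Ordering the IOC table by Pyramid of Pain tier is a choice made
here, not in the template."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# ICD-203 confidence vocabulary the template uses for family identification.
CONFIDENCE_LEVELS = ("high", "moderate", "low")

# Pyramid of Pain: indicator type -> cost to the adversary, cheapest first.
PAIN = {
    "hash": "trivial", "ip": "easy", "domain": "simple",
    "network_artifact": "annoying", "host_artifact": "annoying",
    "tool": "challenging", "ttp": "tough",
}
PAIN_ORDER = list(PAIN)  # dict insertion order = ascending cost

HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


@dataclass(frozen=True)
class Component:
    """One row of the Component Inventory."""
    role: str        # dropper, loader, payload, config, ...
    file_name: str
    file_type: str
    data: bytes      # the artifact itself, so hashes are computed, never typed
    notes: str = ""

    def digest(self, algo: str = "sha256") -> str:
        return hashlib.new(algo, self.data).hexdigest()


@dataclass(frozen=True)
class Indicator:
    """One row of the IOC table."""
    kind: str        # one of PAIN_ORDER
    value: str
    context: str     # where it was observed, e.g. "C2 beacon", "persistence key"


def validate(ind: Indicator) -> None:
    """Reject malformed indicators before they reach a reader or a blocklist."""
    if ind.kind not in PAIN:
        raise ValueError(f"unknown indicator type {ind.kind!r}")
    if ind.kind == "hash" and not HEX_HASH.match(ind.value.lower()):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {ind.value!r}")
    if ind.kind == "ip":
        ipaddress.ip_address(ind.value)  # raises ValueError on garbage
    if ind.kind == "domain" and not DOMAIN.match(ind.value.lower()):
        raise ValueError(f"not a hostname: {ind.value!r}")


def defang(ind: Indicator) -> str:
    """Break auto-linking of network indicators (hxxp, [.]) so nobody clicks
    a live C2 out of the report.  Hashes and host artifacts pass through."""
    v = ind.value
    if ind.kind in ("ip", "domain"):
        return v.replace(".", "[.]")
    if ind.kind == "network_artifact" and re.match(r"https?://", v, re.I):
        return re.sub(r"^http(s?)://", r"hxxp\1://", v, flags=re.I).replace(".", "[.]")
    return v


def render_inventory(components: list[Component]) -> str:
    lines = ["| Role | File name | Type | SHA-256 | Notes |", "|---|---|---|---|---|"]
    for c in components:
        lines.append(f"| {c.role} | {c.file_name} | {c.file_type} | {c.digest()} | {c.notes} |")
    return "\n".join(lines)


def render_ioc_table(indicators: list[Indicator]) -> str:
    """Most durable indicators first, each tagged with its Pyramid of Pain cost."""
    rows = sorted(indicators, key=lambda i: PAIN_ORDER.index(i.kind), reverse=True)
    lines = ["| Type | Indicator | Context | Cost to adversary |", "|---|---|---|---|"]
    for i in rows:
        validate(i)
        lines.append(f"| {i.kind} | {defang(i)} | {i.context} | {PAIN[i.kind]} |")
    return "\n".join(lines)


def render_family(family: str, basis: str, confidence: str) -> str:
    """Family call with its evidence and an ICD-203 confidence level."""
    if confidence not in CONFIDENCE_LEVELS:
        raise ValueError(f"confidence must be one of {CONFIDENCE_LEVELS}, got {confidence!r}")
    return f"**Family:** {family}  \n**Basis:** {basis}  \n**Confidence:** {confidence} (ICD-203)"


def build_demo_report() -> str:
    """Constructed sample set: the bytes below stand in for real files."""
    dropper = Component("dropper", "invoice.exe", "PE32", b"abc", "unpacks payload.dll")
    payload = Component("payload", "payload.dll", "PE32 DLL", b"payload", "loaded via rundll32")
    iocs = [
        Indicator("hash", dropper.digest(), "dropper SHA-256"),
        Indicator("ip", "192.0.2.10", "C2 address (documentation range, constructed)"),
        Indicator("domain", "update.example.net", "C2 hostname (constructed)"),
        Indicator("network_artifact", "http://update.example.net/gate.php", "beacon URL (constructed)"),
        Indicator("host_artifact", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "persistence key"),
    ]
    return "\n\n".join([
        "## Malware Family Identification",
        render_family("DemoLoader", "YARA rule match plus code reuse", "moderate"),
        "## Component Inventory", render_inventory([dropper, payload]),
        "## Indicators of Compromise", render_ioc_table(iocs),
    ])


if __name__ == "__main__":
    print(build_demo_report())
```

Running the script prints three Markdown sections ready to paste into the template. The validation step is where typos get caught: a truncated hash or a hostname with a stray character raises before the table is rendered, which matters because IOC tables are copied straight into blocklists.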
Related Cybersecurity Templates
A malware analysis report describes the sample and its artifacts. Other templates help you respond to incidents involving the malware, investigate the threat actor, and understand the exposure:
- Incident response report template: Use it when handling the incident that involves the malware sample.
- Cyber threat intelligence report template: Use it when shifting from the sample to the actor or campaign behind it.
- Vulnerability investigation brief template: (Coming soon) Use it when the sample arrived through a malicious dependency, such as a backdoored open-source package, or through an unpatched vulnerability.

