If you find a program on your PC which you think might be malware, then checking it with an antivirus tool is a good first step -- but it’s not the only option. You could also try "static analysis", which involves examining the executable file itself, without running it, to learn more about it. Most static analysis tools are aimed at developers and are extremely complex, but the free PeStudio is an interesting exception: it offers plenty of low-level detail, but also has more straightforward features that just about anyone can use.
It’s easy to get started with the program. Just download and unzip it, launch PeStudio.exe, and drag and drop your suspect executable onto the PeStudio window. Wait a few seconds for the program to run its analysis, and a detailed report then appears.
The first tab, Indicators, gives you some useful information about the target application. Some of this is strictly experts-only, with details on the file’s use of DEP, ASLR, SafeSEH, Thread Local Storage, and so on. But you also get plenty of more generally useful data. Is it 32 or 64-bit, for instance? GUI, or console-based? Does it need administrative permission? Is it digitally signed?
Clicking the Strings tab will then reveal any embedded text strings in the program -- function names, paths, prompts, web addresses, error messages and more -- which can be a useful way to figure out what it’s doing. (Malware will usually employ various tricks to hide this kind of information, but it’s still worth a try.)
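To show what the Indicators and Strings tabs are actually reading out of the file, here is an added Python example (not part of PeStudio or of this article) that parses the PE headers with the standard library only and pulls the bitness, subsystem, DEP/ASLR flags, TLS and Authenticode directory presence, plus the printable strings. The image it analyses is a constructed minimal PE32+ header built in memory, not a real program, so it runs offline.

```python
import re
import struct

# Constants from the PE/COFF specification
OPT_HDR64_MAGIC = 0x20B                    # PE32+ (64-bit); 0x10B is PE32
SUBSYSTEMS = {2: "GUI", 3: "console"}
DLL_DYNAMIC_BASE, DLL_NX_COMPAT = 0x0040, 0x0100   # DllCharacteristics: ASLR, DEP opt-in
DIR_SECURITY, DIR_TLS = 4, 9               # data-directory indices

def pe_indicators(data: bytes) -> dict:
    """Summarise a PE image held in memory, in the style of PeStudio's Indicators tab."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]         # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24                                        # optional header follows the 20-byte COFF header
    is64 = struct.unpack_from("<H", data, opt)[0] == OPT_HDR64_MAGIC
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + (108 if is64 else 92))[0]
    dirs = opt + (112 if is64 else 96)                       # first IMAGE_DATA_DIRECTORY
    def directory(i):                                        # (rva, size); missing entry -> (0, 0)
        return struct.unpack_from("<II", data, dirs + 8 * i) if i < ndirs else (0, 0)
    return {
        "bits": 64 if is64 else 32,
        "subsystem": SUBSYSTEMS.get(subsystem, f"other ({subsystem})"),
        "aslr": bool(dllchars & DLL_DYNAMIC_BASE),
        "dep": bool(dllchars & DLL_NX_COMPAT),
        "tls": directory(DIR_TLS)[1] != 0,
        "signed": directory(DIR_SECURITY)[1] != 0,           # Authenticode table present
    }

def strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs, as a Strings tab would list them."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def build_sample_pe64(dllchars: int, signed: bool) -> bytes:
    """Constructed minimal PE32+ header image for testing (not a runnable program)."""
    pe_off = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                     # PE32+ optional header, 16 directories
    struct.pack_into("<H", opt, 0, OPT_HDR64_MAGIC)
    struct.pack_into("<HH", opt, 68, 3, dllchars)            # subsystem 3 = console
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, 0x2000, 0x400)
    return bytes(hdr + opt + b"\0kernel32.dll\0Sample product v1.0\0")
```

A non-zero Security directory only tells you a signature blob is attached; whether it verifies is a separate check, which is why the article says not to trust these fields blindly.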
The Misc tab (if present) shows further properties of your mystery executable. This might include file and product names, a description, version number, target language, and so on. Don’t assume any of this is true -- malware could provide any details it likes here -- but, again, it might help explain what the program is and where it’s come from.
And if none of this is conclusive, then clicking Indicators > VirusTotal Scan Report will tell you whether any of the VirusTotal antivirus engines (46, as we write) thinks the executable is malware. Again, don’t take the VirusTotal verdict as guaranteed: it’s possible you’ve encountered something which hasn’t been recognized yet. But it’s still useful to see what the rest of the antivirus world thinks.
If you know your way around the executable file format then you’ll also appreciate the Libraries and Imports tabs, which reveal the DLLs and other support files required by your program, and the functions it’s using. The Resources tab is another plus, listing structures embedded within your program. Command line support, meanwhile, means all this analysis can be automated and used to check a host of files in a single operation.
You don’t have to delve into these complexities unless you really want to, though -- and that’s the major plus here. There’s plenty of low-level information for experts, but all these technicalities don’t get in your way, and even if you’re a PC novice, you’ll still be able to use PeStudio to find out more about any mystery program.