mazen91111/Malware-Sample-Analyzer-

🔬 Malware-Sample-Analyzer

Static analysis tool for Windows PE malware samples.
Built for malware researchers, red teamers, and CTF players.


⚙️ Features

| Feature | Details |
|---|---|
| 📦 PE Header Parsing | Machine type, timestamp, entry point |
| 📂 Section Analysis | Name, virtual size, raw size, characteristics, entropy |
| 📥 Import Table | All imported DLLs and their functions |
| 🔡 String Extraction | Printable ASCII strings (configurable length & count) |
| 📊 Entropy Analysis | File-level + per-section entropy with risk labeling |
| 💾 Report Export | Save full report to .txt file |

🚀 Installation

```bash
git clone https://github.com/mazen91111/Malware-Sample-Analyzer-.git
cd Malware-Sample-Analyzer-   # the clone directory keeps the trailing hyphen of the repository name
pip install -r requirements.txt
```

🧪 Usage

```bash
# Basic analysis
python analyzer.py -f sample.exe

# Save report to file
python analyzer.py -f sample.exe -o report.txt

# Limit extracted strings
python analyzer.py -f sample.dll --max-strings 100
```

📸 Example Output

```text
=================================================================
  MALWARE SAMPLE ANALYZER  |  2025-01-01 12:00 UTC
=================================================================
  File       : suspicious.exe
  Size       : 245,760 bytes
  Machine    : IMAGE_FILE_MACHINE_I386
  Timestamp  : 2022-06-15 08:32:11 UTC
  EntryPoint : 0x1000
  Entropy    : 7.81  →  HIGH ⚠ (likely packed/encrypted)

[ SECTIONS ]
-----------------------------------------------------------------
  .text        VA=0x1000  VSize=  98,304  RawSize=  98,304  Entropy=6.12  MEDIUM
  .data        VA=0x19000 VSize=   4,096  RawSize=   4,096  Entropy=3.44  LOW
  UPX0         VA=0x1a000 VSize= 131,072  RawSize=       0  Entropy=0.00  LOW
  UPX1         VA=0x3a000 VSize= 114,688  RawSize= 114,688  Entropy=7.96  HIGH ⚠

[ IMPORTS ]
-----------------------------------------------------------------
  KERNEL32.dll  (24 functions)
      ↳  VirtualAlloc
      ↳  LoadLibraryA
      ↳  GetProcAddress
      ...
```

A section with a non-zero virtual size but a raw size of 0 (UPX0 above) is the hallmark of a packer: the space is reserved in memory for the unpacker to fill at run time, so its on-disk entropy of 0.00 says nothing about the code that will eventually live there.

🎯 Entropy Risk Levels

| Entropy (bits/byte) | Label | Meaning |
|---|---|---|
| ≥ 7.2 | 🔴 HIGH | Likely packed, encrypted, or obfuscated |
| 6.0 ≤ H < 7.2 | 🟡 MEDIUM | Possible compression or obfuscation |
| < 6.0 | 🟢 LOW | Appears normal / unobfuscated |

Shannon entropy of a byte stream ranges from 0.0 (a single repeated byte) to 8.0 (all 256 values equally likely). The labels are a heuristic: legitimately compressed resources, embedded certificates or media also score HIGH, so treat the label as a prompt to look closer, not as a verdict.
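The following is an added example, not the project's own `analyzer.py`: a minimal PE section parser written against the PE/COFF header layout, combined with Shannon entropy and the risk thresholds from the table above. It runs offline over a constructed 32-bit PE (built in `build_sample_pe`, with a `.text` section, an empty `UPX0` and a dense `UPX1`, mirroring the sample output). Function names, the constructed image and its section contents are this example's own assumptions; no third-party package such as `pefile` is required.

```python
"""Added example (not the project's analyzer.py): PE section table + entropy risk labels."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Machine constants from the PE/COFF specification
MACHINE_NAMES = {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values())


def risk_label(entropy: float) -> str:
    """Thresholds from the README's risk table; 7.2 itself counts as HIGH."""
    if entropy >= 7.2:
        return "HIGH"
    if entropy >= 6.0:
        return "MEDIUM"
    return "LOW"


def parse_sections(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table (no pefile)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    (entry_point,) = struct.unpack_from("<I", pe, opt + 16)  # same offset for PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        raw = pe[raw_ptr:raw_ptr + raw_size]  # a truncated file simply yields a shorter slice
        ent = shannon_entropy(raw)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size, "characteristics": chars,
            "entropy": round(ent, 2), "label": risk_label(ent),
            # raw_size 0 with vsize > 0: memory reserved for an unpacker to fill at run time
            "unpack_target": raw_size == 0 and vsize > 0,
        })
    file_ent = shannon_entropy(pe)
    return {"machine": machine, "timestamp": timestamp, "entry_point": entry_point,
            "file_entropy": round(file_ent, 2), "file_label": risk_label(file_ent),
            "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not a real sample): .text, empty UPX0, dense UPX1."""
    text_data = bytes(range(16)) * 32        # 16 equiprobable symbols -> entropy exactly 4.0
    upx1_data = bytes(range(256)) * 4        # 256 equiprobable symbols -> entropy exactly 8.0
    opt_size, e_lfanew = 96, 64              # PE32 optional header without data directories
    text_ptr, upx1_ptr = 512, 1024
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 3 sections, timestamp 2022-06-15 08:32:11 UTC, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1655281931, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * (opt_size - 20)

    def sec(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIII", name, vsize, va, raw_size, raw_ptr) + b"\0" * 12 + struct.pack("<I", chars)

    table = (sec(b".text", len(text_data), 0x1000, len(text_data), text_ptr, 0x60000020)
             + sec(b"UPX0", 0x20000, 0x2000, 0, 0, 0xE0000080)
             + sec(b"UPX1", len(upx1_data), 0x22000, len(upx1_data), upx1_ptr, 0xE0000040))
    image = bytearray(upx1_ptr + len(upx1_data))
    headers = dos + b"PE\0\0" + coff + opt + table
    image[:len(headers)] = headers
    image[text_ptr:text_ptr + len(text_data)] = text_data
    image[upx1_ptr:upx1_ptr + len(upx1_data)] = upx1_data
    return bytes(image)


if __name__ == "__main__":
    info = parse_sections(build_sample_pe())
    ts = datetime.fromtimestamp(info["timestamp"], timezone.utc)
    print(f"Machine    : {MACHINE_NAMES.get(info['machine'], hex(info['machine']))}")
    print(f"Timestamp  : {ts:%Y-%m-%d %H:%M:%S} UTC")
    print(f"EntryPoint : {info['entry_point']:#x}")
    print(f"Entropy    : {info['file_entropy']:.2f}  ->  {info['file_label']}")
    for s in info["sections"]:
        flag = "  (unpacker target)" if s["unpack_target"] else ""
        print(f"  {s['name']:<8} VA={s['va']:#x} VSize={s['vsize']:,} RawSize={s['raw_size']:,} "
              f"Entropy={s['entropy']:.2f} {s['label']}{flag}")
```

The parser reads only the fields the report needs and tolerates a truncated section (the raw slice just comes up short), which is the common case with carved or partially downloaded samples. Per-section entropy is computed over on-disk bytes, so a section that is empty on disk scores 0.0 regardless of what is unpacked into it later; the `unpack_target` flag surfaces that case explicitly instead of letting a LOW label hide it.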

🛠️ Dependencies

All Python dependencies are listed in requirements.txt and installed by the `pip install -r requirements.txt` step above.

👤 Author

Mazen Obed (@mazen91111)
Malware Development | Red Team | Reverse Engineering


⚠️ Disclaimer

This tool is intended for educational and research purposes only.
Use only on samples you own or have explicit permission to analyze.
The author is not responsible for any misuse.


📄 License

MIT License — see LICENSE for details.
