Journal of Cybersecurity and Privacy
  • Article
  • Open Access

10 November 2025

Integrated Analysis of Malicious Software: Insights from Static and Dynamic Perspectives

1. Research Institute “CAMPUS”, National University of Science and Technology POLITEHNICA Bucharest, RO-060042 Bucharest, Romania
2. Telecommunications Department, National University of Science and Technology POLITEHNICA Bucharest, RO-060042 Bucharest, Romania
3. The Electronic Devices, Circuits and Architectures Department, National University of Science and Technology POLITEHNICA Bucharest, RO-060042 Bucharest, Romania
This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition

Abstract

Malware remains one of the most persistent and evolving threats to cybersecurity, necessitating robust analysis techniques to understand and mitigate its impact. This study presents a comprehensive analysis of selected malware samples using both static and dynamic analysis techniques. In the static phase, file structure, embedded strings, and code signatures were examined, while in the dynamic analysis phase, the malware was executed in a virtual sandbox environment to observe process creation, network communication, and file system changes. By combining these two approaches, various types of malware files could be characterized and have their key elements revealed. This improved the understanding of the code capabilities and evasive behaviors of malicious files. The goal of these analyses was to create a database of malware profiling tools and tools that can be utilized to identify and analyze malware. The results demonstrate that integrating static and dynamic methodologies improves the accuracy of malware profiling and supports more effective threat detection and incident response strategies.

1. Introduction

Cybersecurity has become a critical research focus due to the increasing sophistication of modern cyber threats. From companies to individual users, everyone has a stake in this field, both because of the need to protect their own resources and because of the frequent reports of attacks in key areas of the cyber environment. As highlighted by [], the evolution of IT security since the 1980s—from internal incident reporting to the formation of cross-organizational response teams—has played a central role in shaping current approaches to threat detection and cybersecurity management. In addition, according to [], despite advances in cybersecurity research, significant gaps remain in understanding an organization’s cybersecurity culture, particularly in how it manifests itself in individuals’ daily behaviors and how these behaviors influence risk perceptions and drive cultural change. Given the growing global frequency of security breaches, the probability of system compromise has significantly increased across all user categories. Technological developments in information technology, along with the shift toward cloud-based infrastructures, have significantly increased the complexity of networks and, in turn, amplified the exposure of sensitive data for both independent users and organizations. Attackers, on the other hand, take advantage of this exposure and develop various types of attacks and practices, both in the cloud and on-premises. Their advantage comes precisely from lightweight test environments that can simulate real resources (even in the cloud), from the proliferation of advanced training using publicly available data from negligent users, and from the capacity to investigate security breaches or vulnerabilities via online resources, even those intended for legitimate purposes, all of which have contributed to greater information exposure.
According to several studies that can be found in [], traditional cyber situational awareness systems typically provide perception and understanding of cyber environments (by identifying, collecting, analyzing, and evaluating cybersecurity data from a given system). However, visualization and interaction technologies that interact with a given system constrain user understanding, especially when dealing with complex cybersecurity data, which can lead to data occlusion and a superficial understanding of concepts.
With this technological advance, security developers are no longer focusing on traditional methods (firewall, antivirus) and are instead developing the cloud side considerably more, because of the novelty, ease, and paradigm shifts it brings. However, this tends to become a great danger for ordinary users or for companies that adopt on-prem solutions, because technological advances in that area tend to stagnate. At the same time, taking into account the advance of threats and their extended area of applicability, it is highly probable that attackers will continue to perfect their skills in the cloud area and to test them in the on-prem area. As observed in [], modern malware frequently employs environment-aware techniques, known as context-aware or sandbox-evasive behavior, to assess whether a system is suitable for attack. This allows it to circumvent sandbox-based analysis and focus on high-value targets, such as systems containing sensitive information or critical services. Therefore, it is extremely important and urgent to have cybersecurity solutions that are best adapted for a wide range of devices and capable of identifying malware or various network anomalies in the shortest possible time (ideally, in real time).
The current research focuses on identifying the effect that malware applications or various malicious software have on legitimate end devices. The subject addressed includes both applications from the area of companies or institutions and also from the perspective of an ordinary user. The impact of different types of malicious files on systems is systematically monitored to identify their key characteristics. As is mentioned in [], despite monitoring efforts, both our dataset and other real-world datasets contain an unknown number of undetected attacks, whether by automated systems or human analysts. These missed attacks can occur either as complete oversights or as instances where detection was delayed. These challenges are particularly concerning, as detection and documentation of one attack do not preclude the presence of other malicious files, which may be intentionally left by the attacker for leverage in future operations.
While numerous studies focus on either static or dynamic malware analysis, few explore an integrated, hybrid perspective that captures discriminative features across malware families. Furthermore, even fewer studies address these issues on real malware samples rather than pre-labeled databases. These gaps limit the development of unified detection frameworks capable of learning from both behavioral and structural indicators of real malware. This study aims to identify discriminative static and dynamic features that can inform the development of robust automatic anomaly detection systems in future work, while also providing a foundation for comparative analysis of malware behaviors across different families and operating systems. Specifically, it addresses the following research questions:
  • Which hybrid features (entropy, API calls, execution traces) most effectively differentiate malware types?
  • How do static and dynamic indicators correlate across categories?
  • How consistent are the static and dynamic characteristics across multiple samples within the same malware category?
This study addresses these gaps by systematically identifying key static and dynamic features of malware, conducting comparative analyses across malware families and operating systems, and evaluating these features in realistic environments. The findings provide actionable insights for designing robust automated detection systems that are better equipped to detect sophisticated, evasive malware, thereby advancing both the methodological and practical dimensions of cybersecurity research.
The remainder of this paper is organized as follows. Section 2 presents the related work conducted by various researchers. Section 3 outlines the methodology adopted in this study, with a detailed description of the dataset and the tools employed. Section 4 discusses the results and provides an in-depth analysis, while Section 5 offers a discussion of the findings. Finally, Section 6 concludes the paper and outlines directions for future work.

3. Methodology

Analyzing files to detect network intrusions is an important aspect of cybersecurity. In the current cybersecurity landscape, there are a multitude of solutions that can quickly and efficiently identify malicious behaviors. This research adopts a hybrid malware analysis framework that integrates both static and dynamic examination techniques to comprehensively characterize malware behavior.
The overall objective of the experimental design is to identify discriminative features that can contribute to the development of more robust automated anomaly detection systems. Secondary objectives include analyzing behavioral differences across malware categories and comparing behaviors across Windows and Linux operating systems.
The experimental design was structured to ensure both validity and reproducibility across multiple test iterations. The selection of malware samples followed a clear rationale: five representative samples from each major malware category (adware, backdoor, Trojan, malware, keylogger, spyware, RAT, and ransomware) were chosen from reputable open repositories, such as MalwareBazaar, to capture behavioral diversity within each class. This approach avoids bias toward a single malware family and ensures a broader, category-level understanding.
The analysis environment was implemented using Windows 10 Pro and Ubuntu 22.04 virtual machines, both running on VMWare with 8 GB of RAM allocated per instance. Networking was configured through an isolated virtual switch to simulate real-world communication without exposing the host system, and tools such as PEStudio, RegShot, Wireshark, Process Monitor, and FakeNet were employed for feature extraction and behavioral observation.
These design choices collectively provide a controlled yet realistic testbed that supports reproducibility and enables consistent comparison across experiments.

3.1. Workflow Diagram

The experimental design was informed by the need to ensure reproducibility, transparency, and cross-platform applicability in malware research. The workflow encompasses malware sample acquisition, static feature extraction, dynamic behavior observation, and benchmarking.
By combining these complementary approaches, the study aims to bridge the analytical gap between static indicators and execution behaviors, providing a more complete understanding of how malware interacts with different operating environments.
To enable safe and systematic examination, a sandbox environment was established for analyzing the malicious files. Within this, several commercial and open-source tools were installed, and several analysis scenarios were tested. In this way, the most important aspects of malicious files were identified. The primary objective of the experimental environment was to identify effective methodologies for the comparative analysis of malicious files, with the ultimate goal of integrating the resulting features into an efficient database for future automated detection systems.
To ensure comprehensive testing and cross-platform validation, multiple virtual machines running different operating systems (Linux and Windows) were deployed on a dedicated server. This setup allowed for the execution of a wide range of experiments and the analysis of diverse categories of malware samples.
Consequently, the methodological approach adopted in this research integrates the major operational components outlined in Figure 1, which together define the workflow of the study. Each phase of the investigation, from the initial data preparation to the final evaluation, was carried out in accordance with the steps shown in the figure. This workflow was critical in maintaining a structured approach and ensuring that the analysis was conducted systematically and consistently across all stages.
Figure 1. Work scheme.

3.2. Dataset

The first stage of the methodological workflow involved the identification of relevant malware samples suitable for comparative evaluation. This step was carried out using the MalwareBazaar database [], which provides a curated collection of authentic malware binaries.
A subset of samples was selected and downloaded for analysis, representing diverse malware categories. Table 2 presents these samples along with their abbreviated identifiers, which are utilized throughout the paper for consistency, and their respective classification according to type.
Table 2. Malicious files analyzed in this paper.
A total of 40 malicious files were selected based on diversity within families—such as ransomware, Trojans, and backdoors—and operational compatibility with the target analysis environments (Windows and Linux). The selection criteria emphasized representativeness of the prevailing threat types and variation in obfuscation levels. All samples were obtained in accordance with ethical and legal research standards and were handled exclusively in a controlled and isolated environment to eliminate any risk of unintended propagation or system compromise. This approach guarantees both analytical rigor and responsible data management throughout the research process.
After downloading the malicious files, taking into account that they can infect the system files they are part of, the need to secure them was identified. Thus, although their download is performed through a password-protected archive, in some cases, they are identified by the system antiviruses and are immediately deleted from the operating system. Therefore, it was necessary to identify methods to download and keep these files safe.
The selected operational approach involved temporarily disabling the antivirus protection during the download process and subsequently re-archiving the obtained files with password protection to ensure controlled handling and integrity of the samples.

3.3. Malware Analysis Tools

In the experiments presented in this paper, the following solutions were analyzed both through feature integration and comparative assessment, providing a broader perspective on the behavior and key characteristics of the malicious files under study. In recalling the main functionalities of the solutions to be tested in the experiments, the following tools were considered:
  • Virustotal []: Solution that provides a detailed report on the file, using a global, online database for analysis.
  • File []: Provides a description of the file type, based on its signature.
  • Strings []: Allows the extraction of text strings from binary files.
  • Binary Ninja v5.0 []: Provides advanced tools for disassembly.
  • PEStudio v9.61 []: Allows the examination of PE (Portable Executable) files and their internal structures, such as sections and headers.
  • YARA v1.0.0 []: Allows the creation and manipulation of rules based on signatures to identify common malware behaviors and structures.
  • wxHexEditor v0.24 []: Allows the viewing and editing of files at the binary/hexadecimal level.
  • Censys or Shodan [,]: Online search engines for internet-exposed hosts, used here to examine the network-side characteristics (services, ports, certificates) of the addresses a sample contacts.
  • Process Monitor v4.01 []: A solution that allows real-time monitoring of system activities (open files, created processes, and modified registries) and, in experiments, has often been applied in the detection of viruses, Trojans, spyware or adware.
  • System Monitor v15.15 []: A tool that provides detailed information about system and network events, assisting in uncovering malicious activities and, in experiments, has often been used in worm detection.
  • Wireshark v4.4.4 []: A way to capture network packets, which facilitates the observation of network traffic generated by malware, including communication with command-and-control servers and, in experiments, has been utilized in the detection of most types of malware.
  • RegShot v2.1.0.17 []: A solution that offers the possibility of taking a snapshot of the registry before and after the malware runs, in order to observe any significant changes and, in the experiments, was utilized in the behavioral analysis of spyware or adware files.
  • Fakenet-NG 3.5 []: A tool for emulating a connection to an external environment, which allows the malware to act similarly to a real case where there is a connection to internet resources and, in the experiments, was often used to analyze the activity of ransomware.
In summary, these elements define the methodological basis upon which the experimental analysis was performed.
Having outlined the key tools, the analysis proceeded by evaluating the malware samples through both static and dynamic approaches. This parallel examination allowed for a comparative assessment of the methods, highlighting the unique strengths and complementary insights each provides. By integrating findings from both techniques, the study aimed to achieve a more comprehensive understanding of malware behavior and to identify discriminative features that could inform future automated detection systems.

3.4. Static Analysis

Static analysis focused on extracting intrinsic characteristics of files without executing the malware. Each malicious sample underwent preliminary analysis to identify the file type, architecture, and embedded metadata. Further analysis included entropy measurements to detect potential obfuscation or packaging, PE header inspection (for Windows executables), and API import extraction to infer possible malicious capabilities. In addition, string sequence analysis was used to identify readable commands and patterns indicative of known malware behaviors.
It was essential that the testing environment be capable of identifying which system resources were affected, which files are modified, and which network was used for communication with external servers. In order to achieve that, some steps were taken into account:
  • Analysis of the interactions of the malicious file with the file system and internal registries—During execution, it was important to observe which files are accessed or modified, which registry was utilized to store data and whether files were created or modified.
  • Network traffic analysis—Another key element was given by the way in which the file tries to establish connections to external servers (C2—Command & Control), with the aim of downloading commands or exfiltrating data. The general principle of this technique was to capture and evaluate the traffic generated, to identify unusual patterns, such as connections to unknown IP addresses, the deployment of unusual protocols or ports, or suspicious exchanges of encrypted data.
  • Memory analysis—Another key aspect in identifying malicious files was given by the modifications and manipulations of the system memory. The purpose of these operations was to hide malicious behavior and to implement evasion techniques.
    This method involved examining the contents of the RAM of an infected system while the malware was active. This approach allows access to running processes, data structures used, hidden or unshown areas in the system, and instructions executed in real time.
Considering all the aspects mentioned, in order to perform a comprehensive analysis, it was necessary to obtain some basic information about the file that may contain malware, such as the size, type, and source of the file. A key concept in this case is the magic number of a file. This is a special sequence of bytes, located at the beginning of a file, that clearly indicates the type or format of that file. This sequence was designed to help operating systems and applications recognize the nature of the content quickly and reliably, without depending on the file extension, which can easily be changed. The magic number serves as a proxy for analyzing the full contents of a file to determine its format, thereby improving performance and reducing the risk of misinterpreting the data.
The next step was to extract important strings of the files in order to identify possible malicious signatures (e.g., IPs, URLs, commands, or encryption keys). One of the most important solutions for identifying malware features was through the YARA solution. This solution was utilized to create rules that can identify specific signatures or behaviors in the analyzed files, being implemented in the rapid detection of already known malware variants. Another critical aspect of the analysis concerned the communication mechanisms employed by the malicious files to interact with command-and-control (C2) servers and retrieve additional instructions. Therefore, it was crucial to identify these communication methods as promptly as possible to ensure effective isolation.
A large number of malware files that were downloaded were protected or “compressed” using special encryption techniques to prevent their analysis. Some of these types of encryption are achieved through simple methods (a logical operation), through symmetric (DES—Data Encryption Standard, AES—Advanced Encryption Standard) or asymmetric (RSA—Rivest–Shamir–Adleman cryptosystem) encryption algorithms, through compression combined with base64 encoding, through methods of hiding malicious code in seemingly legitimate files (photos, document files, etc.), or through password-protected archives.
To gain a more comprehensive understanding of the analyzed files, it was necessary to execute them within an isolated environment that closely simulated real system conditions. Accordingly, the execution of each malicious sample was monitored in detail to observe its functional behavior. Although such actions could have severe consequences in a production environment, all experiments conducted in this study were performed within a fully isolated setup equipped with simulated internet resources.

3.5. Dynamic Analysis

Conducting dynamic analysis on files with embedded intrusions was essential to observe and comprehend their operational behavior under controlled execution conditions. This analysis facilitated the identification of concealed activities, including communication with command-and-control servers, unauthorized modifications to files or registries, and the execution of hidden malicious processes. The steps required to perform this type of analysis were:
  • Configuring the test environment—The first step for dynamic analysis was to create a secure and isolated environment (completely independent of the functional infrastructure), where the execution of the malicious file can be carried out, without compromising other related systems.
    This test environment can be achieved both by effectively implementing a sandbox environment (automated platform for malware analysis), and by creating it in a virtual environment isolated from the remainder of the network infrastructure.
  • Monitoring the execution—The next essential step consisted of the actual execution of the malicious file, allowing for close monitoring of its behavior. It was crucial that the test environment be capable of providing relevant information regarding which system resources are affected, which files are modified, and which network characteristics were utilized for communication with external servers.
  • Analysis of computing resources—Another key aspect in identifying malicious files was given by the modifications and manipulations of the system’s memory and processes. The goal of these operations was to hide malicious behavior and utilize evasion techniques. This method involved examining the contents of the RAM of an infected system while the malware was still active. This methodology provides real-time access to active processes, the data structures in use, hidden or unexposed parts of the system, and the instructions being carried out.
To perform this type of analysis, it was necessary to establish a concrete way of working, which can lead to relevant results. To establish a reference point for analysis, RegShot was used to record an initial snapshot of both the file system and the registry before any malicious files were downloaded, ensuring that subsequent changes could be accurately monitored. Subsequently, the malicious files were downloaded, and the antivirus response was observed to determine whether the files were flagged as suspicious or allowed to execute undetected.
Another critical step involves executing the malicious file while monitoring tools such as FakeNet, Wireshark, Process Monitor, and System Monitor are active, capturing and recording its behavior in real time.
In order to prevent disruption of the test environment, the dynamic analysis was stopped after an interval of 5–10 min. A second snapshot of the data, registries, and memory resources was then taken with RegShot after the infection, and all modifications caused by the malicious file were examined by comparing it with the initial snapshot.

3.6. Experimental Setup and System Configuration

The test environment in which the analysis was conducted possesses the following characteristics:
  • Device Name: DESKTOP;
  • Processor: Intel(R) Core (TM) i5-8265U CPU—Central Processing Unit @ 1.60 GHz 1.80 GHz;
  • RAM Memory: 16.0 GB (15.9 GB usable);
  • System Type: 64-bit operating system, x64-based processor;
  • Operating System: Windows.
The experimental setup involved configuring a virtual machine using Hyper-V, the built-in virtualization environment in Windows. The key characteristics of this virtual machine are:
  • Device Name: Tests
  • Processor: Intel(R) Core (TM) i5-8265U CPU—Central Processing Unit @ 1.60 GHz 1.80 GHz
  • RAM Memory: 8.0 GB (7.9 GB usable)
  • System Type: 64-bit operating system, x64-based processor
  • Operating System: Windows and Ubuntu 22.04
Given that dynamic analysis entails running malicious files, a virtual machine configured with the specified characteristics was employed. Following the execution of each sample, the environment was reverted to a preconfigured secure snapshot, guaranteeing that each experiment was performed independently and that results were not influenced by prior analyses.

3.7. Experimental Metrics and Measurements

In the context of static and dynamic malware analysis, “Experimental Metrics and Measurements” include any quantifiable indicators that facilitate the evaluation of malware behavior, system impact, or the effectiveness of the analysis techniques.
  • Static Analysis Metrics
    • File characteristics: size, hashes (SHA256), file type, magic number.
    • Entropy values: measure of randomness in the file (can indicate packed or encrypted content).
    • Extracted features: imported/exported functions, API calls, strings, sections, headers.
    • Malware classification features: category, family, or known signatures.
  • Dynamic Analysis Metrics
    • Process behavior: new processes created.
    • File system activity: files created, deleted, or modified.
    • Registry modifications: keys added, modified, or deleted.
      • KA—Keys Added—A value indicating the number of new registry keys added and their detail, established between the two snapshots.
      • KD—Keys Deleted—A value indicating the number of deleted registry keys and their detail, established between the two snapshots.
      • VM—Values Modified—A value indicating the number of values present in the registries, which have been modified.
      • VA—Values Added—A value indicating the number of new values introduced into a registry or registry key.
      • VD—Values Deleted—A value indicating the number of values present in the registries, which have been deleted.
    • Network activity: C2 communications, open ports, DNS queries, IP connections.
    • System calls and API usage: invoked functions, sequence of operations.
    • Execution timing: duration of activity, intervals between actions.
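The RegShot-style before/after comparison described in Section 3.5 and the KA/KD/VM/VA/VD counters defined above can be reproduced in a few lines. The following is an added example, not code from the paper or from RegShot: it models a registry snapshot as a dictionary of key paths to value names and data, computes the five counters, and then filters the diff to autostart locations a defender would check first. The two snapshots, the key paths, and the value data are constructed sample data; treating values under a newly added key as VA is an assumption about how RegShot counts.

```python
"""Snapshot diff in the style of RegShot (KA, KD, VM, VA, VD) plus an
autostart filter. Added example; the snapshots below are constructed."""
from dataclasses import dataclass, field

Snapshot = dict[str, dict[str, str]]  # key path -> {value name: value data}


@dataclass
class RegDiff:
    keys_added: list[str] = field(default_factory=list)                  # KA
    keys_deleted: list[str] = field(default_factory=list)                # KD
    values_added: list[tuple[str, str]] = field(default_factory=list)    # VA
    values_deleted: list[tuple[str, str]] = field(default_factory=list)  # VD
    values_modified: list[tuple[str, str, str, str]] = field(default_factory=list)  # VM

    def counts(self) -> dict[str, int]:
        return {"KA": len(self.keys_added), "KD": len(self.keys_deleted),
                "VM": len(self.values_modified), "VA": len(self.values_added),
                "VD": len(self.values_deleted)}


def diff_snapshots(before: Snapshot, after: Snapshot) -> RegDiff:
    d = RegDiff()
    before_keys, after_keys = set(before), set(after)
    # KA / KD: whole keys that appear in or vanish from the second snapshot.
    d.keys_added = sorted(after_keys - before_keys)
    d.keys_deleted = sorted(before_keys - after_keys)
    # Assumption: values under a new key count as VA, under a removed key as VD.
    for k in d.keys_added:
        d.values_added.extend((k, v) for v in sorted(after[k]))
    for k in d.keys_deleted:
        d.values_deleted.extend((k, v) for v in sorted(before[k]))
    # Keys present in both snapshots are compared value by value.
    for k in sorted(before_keys & after_keys):
        bv, av = before[k], after[k]
        d.values_added.extend((k, n) for n in sorted(set(av) - set(bv)))
        d.values_deleted.extend((k, n) for n in sorted(set(bv) - set(av)))
        d.values_modified.extend((k, n, bv[n], av[n])
                                 for n in sorted(set(bv) & set(av)) if bv[n] != av[n])
    return d


# Registry locations commonly used for persistence; a change here is worth
# a closer look than a change to, say, Explorer view settings.
AUTOSTART_MARKERS = ("\\currentversion\\run", "\\winlogon")


def autostart_changes(d: RegDiff) -> list[tuple[str, str, str]]:
    """Return (kind, key, value name) for VA/VD/VM entries under autostart keys."""
    hits = []
    for kind, entries in (("VA", d.values_added), ("VD", d.values_deleted)):
        for key, name in entries:
            if any(m in key.lower() for m in AUTOSTART_MARKERS):
                hits.append((kind, key, name))
    for key, name, _old, _new in d.values_modified:
        if any(m in key.lower() for m in AUTOSTART_MARKERS):
            hits.append(("VM", key, name))
    return hits


# Constructed snapshots: "before" is taken on the clean VM, "after" once the
# sample has run for the 5-10 min window described in the paper.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ADV_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
TCP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
NEW_KEY = r"HKCU\Software\ConstructedVendor\Agent"

BEFORE: Snapshot = {
    RUN_KEY: {"OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    ADV_KEY: {"Hidden": "2", "HideFileExt": "0"},
    TCP_KEY: {"Hostname": "Tests"},
}
AFTER: Snapshot = {
    RUN_KEY: {"OneDrive": BEFORE[RUN_KEY]["OneDrive"],
              "Updater": r"C:\Users\u\AppData\Roaming\updater.exe"},  # new autostart value
    ADV_KEY: {"Hidden": "2", "HideFileExt": "1"},  # extensions hidden: relevant to the S1 "PDF" lure
    NEW_KEY: {"InstallPath": r"C:\Users\u\AppData\Roaming\agent"},   # brand-new key
    # TCP_KEY removed entirely in the second snapshot
}

if __name__ == "__main__":
    diff = diff_snapshots(BEFORE, AFTER)
    print(diff.counts())            # {'KA': 1, 'KD': 1, 'VM': 1, 'VA': 2, 'VD': 1}
    print(autostart_changes(diff))  # [('VA', '...\\CurrentVersion\\Run', 'Updater')]
```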

4. Implementation and Results

This section describes the implementation of the experimental setup and presents the results obtained from the analysis of the selected malware samples. The implementation details cover the configuration of the virtual environment, monitoring tools, and procedures utilized for both static and dynamic analyses.
The results are organized to highlight the key characteristics and behaviors observed during the experiments. Static analysis reveals intrinsic file properties, such as file structure, entropy, and extracted features, while dynamic analysis captures runtime behavior, including system modifications, process activity, and network communications.
A comparative evaluation across both approaches provides a comprehensive understanding of the malware samples and supports insights for automated detection and classification.

4.1. Static Analysis

Examining the S1 file (Figure 2) reveals that, upon unzipping, it masquerades as a regular PDF document. This method allows the actual file to obscure its true nature, thereby deceiving the user and prompting them to execute it. If the file appeared only as a regular file and kept its SHA256 as its name, the user could become suspicious and could easily characterize it as unusual and potentially malicious.
Figure 2. Visual representation of the S1 malware file.
However, using the wxHexEditor solution (Figure 3), it is observed that the file has a magic number specific to the executable file area (4D 5A → EXE (Windows PE)). For the file to have been, indeed, a PDF, its magic number had to be of the form: 25 50 44 46. In this way, it is concluded that the examined file does not conform to the PDF format and is executable, an aspect that already raises suspicions.
Figure 3. File analysis in wxHexEditor.
Another important tool employed was PEStudio, and the corresponding results are summarized in Figure 4. The first parameter analyzed by this tool is the cryptographic hash of the file. This string of seemingly random characters is a unique identifier for the malicious file, which enables its identification in various malware databases. Based on this hash, similar files can be correlated and grouped into malware families.
Figure 4. Static analysis of the malicious file, via PEStudio.
The analysis performed using this solution identifies an entropy value of 7.86, which may suggest malicious content.
The entropy values of a file are as follows:
  • Low entropy ∈ [0–4) → which characterizes a text file or a file containing repetitive data.
  • Medium entropy ∈ [4–6.5) → which characterizes a regular executable file.
  • High entropy ∈ [6.5–8) → which characterizes an encrypted or compressed file.
In the analyzed example, the entropy of the PDF file should have a value in the range [4–7) because it can contain both text values and compressed image values. However, the value of 7.86 induces suspicions because it is almost equivalent to the maximum possible value, which clearly indicates encrypted content or hidden payload.
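The three static checks applied to S1 above (magic number versus claimed format, SHA256 for database lookup, and Shannon entropy classified with the bands just listed) can be combined into one triage routine. The following is an added example, not the paper's code or PEStudio's: the two signatures quoted on the page (4D 5A and 25 50 44 46) are used as given, the ELF and ZIP signatures are added from general knowledge, and the sample bytes are constructed (a PE-like header under a .pdf name with random padding standing in for packed content, and a plain PDF-like file for comparison).

```python
"""Static triage: magic number vs. extension, SHA256, entropy band.
Added example; sample inputs are constructed, not real malware."""
import hashlib
import math
import os
import random
from collections import Counter

# Signatures from the page (MZ, %PDF) plus two widely known ones (assumed).
MAGIC = {
    b"MZ": "EXE (Windows PE)",      # 4D 5A
    b"%PDF": "PDF",                 # 25 50 44 46
    b"\x7fELF": "ELF (Linux)",
    b"PK\x03\x04": "ZIP container",
}
# What each extension claims to be; a claim that disagrees with the magic
# number is exactly the S1 situation described in the text.
EXT_EXPECT = {".exe": "EXE (Windows PE)", ".dll": "EXE (Windows PE)",
              ".pdf": "PDF", ".elf": "ELF (Linux)", ".zip": "ZIP container"}


def identify_magic(data: bytes) -> str:
    for sig in sorted(MAGIC, key=len, reverse=True):  # longest prefix wins
        if data.startswith(sig):
            return MAGIC[sig]
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_band(h: float) -> str:
    # Bands exactly as given in the paper: [0,4) low, [4,6.5) medium, [6.5,8) high.
    if h < 4:
        return "low (text / repetitive data)"
    if h < 6.5:
        return "medium (regular executable)"
    return "high (encrypted or compressed)"


def triage(name: str, data: bytes) -> dict:
    ext = os.path.splitext(name)[1].lower()
    fmt = identify_magic(data)
    h = shannon_entropy(data)
    expected = EXT_EXPECT.get(ext)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # lookup key for VirusTotal etc.
        "format": fmt,
        "entropy": round(h, 2),
        "entropy_band": entropy_band(h),
        # True when the extension claims one format and the header shows another.
        "ext_mismatch": expected is not None and expected != fmt,
    }


# Constructed samples. FAKE_PDF imitates S1: an MZ header followed by 4 KiB of
# pseudo-random bytes so the entropy lands near the 8.0 ceiling.
_rng = random.Random(1)
FAKE_PDF = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(_rng.getrandbits(8) for _ in range(4096))
REAL_PDF = b"%PDF-1.4\n" + b"hello " * 100  # repetitive text, low entropy

if __name__ == "__main__":
    for fname, blob in (("invoice.pdf", FAKE_PDF), ("report.pdf", REAL_PDF)):
        print(fname, triage(fname, blob))
```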
An additional important attribute provided at the solution level concerns the classification of the file type. Through this parameter, even if a file claims to have another format (in our case, the file appears to be of PDF type), its real characteristic becomes visible. This parameter is one of the most widely used in automatic classification methods.
The Description field is particularly susceptible to falsification, since it defines how the file appears to the user and can be crafted to prompt the user into executing the malicious program.
The last parameter, Original-File-Name, denotes the true name assigned to the file. When the Description field indicates one file type while the Original-File-Name corresponds to a different type, this discrepancy serves as a clear indicator of potentially malicious behavior. The complete analysis, within this stage, for all files considered in Table 2, can be found in Table 3.
Table 3. Initial information collection.
Another important step is to extract key information from the file. These include details about various IPs, URLs, or other types of known strings. One of the most important solutions that can be used for this purpose is VirusTotal. Preliminary conclusions can be drawn from static analysis experiments based on the information provided by this tool.
The first important aspect is the fact that VirusTotal indicates whether the searched file (based on SHA256, most of the time) has been analyzed previously and whether, following these analyses, it was declared malicious or not. This fact leads to a huge saving of time and resources, because the tool is online, free, and accessible from most devices connected to the internet. In the case of the analyzed example, from Figure 5, the file is considered malicious by 54 security solution providers out of 72 possible. However, this information is not the only one provided by VirusTotal.
Figure 5. Representation of the domains and IPs that the S1 file is trying to access, from VirusTotal.
Another important category is information on digital signatures and different types of library imports or exports that the file (declared to be malicious or not) may have. The area of exports or imports is important because it can lead to conclusions about the functioning of the malicious file. Therefore, in this way, various additional functions or even hidden functionalities (such as file placement) can be identified. In addition, extremely important at this stage is the analysis of the network area, which can indicate key aspects of the file. Through it, it can be identified whether a malicious file is trying to communicate with the external environment and exfiltrate data or upload various commands, through external command and control servers. This representation can be easily identified through VirusTotal, an aspect also indicated in Figure 5.
Other essential solutions in the experiments carried out in this work were the Censys and Shodan search engines. Through them, the characteristics of the file in the network area were analyzed in order to identify key aspects given by its links, which were also corroborated with the information provided by VirusTotal. The analysis from VirusTotal is extended using Censys and Shodan to include additional key information, such as services, open ports, and digital certificates.
Considering the aspects visualized in Figure 5, the presence of a domain and several different IPs with which the malicious file tries to communicate is observed. In order to identify whether this file is indeed malicious, it is imperative to identify some details regarding these connections. Thus, from Censys it is identified that the first IP analyzed indicates the presence of an HTTP service whose page is not available and a location in the state of Washington.
Using the same testing methods, a similar analysis was performed on the myrayban.ddns.net domain and on the IP 45.66.230.90, identified by VirusTotal as potentially malicious. However, this time, the results provided by the two search engines were incomplete, as the information sought did not exist. Consequently, relying only on Censys and Shodan would lead to the conclusion that the file is legitimate, underscoring the limitations of those sources in isolation.
Nevertheless, uncertainties persisted concerning the third IP address, prompting a renewed investigation through VirusTotal and Censys. Accordingly, the IP address was examined on the platform that had initially flagged it as malicious. The results show that only two out of ninety-four security providers classified it as malicious. In such cases, where detection rates are minimal, the alerts are likely to be false positives generated by certain security engines.
The next step was to search for this IP on the ping.eu website. Following this search, the IP considered suspicious was identified as belonging to the class of IPs assigned to DE-CENTHOST (Figure 6). A search of public resources showed that centHost is an online web hosting provider that offers domains or IPs on a temporary lease basis. Therefore, with a high degree of certainty, the services flagged as malicious were hosted for a limited period on one of this provider's datacenter IPs, after which the service was closed.
Figure 6. Analysis of the malicious IP, using the ping.eu solution.
Another important aspect to mention in the static analysis would be the fact that, considering various signatures, the analyzed file can be classified into various malware families. This aspect cannot be indicated only through VirusTotal.
However, if other analyses of the file are included (with the related solutions, as presented in the example in this section), useful conclusions can be drawn about its malicious nature, and even about code fragments it shares with other files, which is essential for implementing analysis methods that draw on machine learning.
In the example considered, the essential steps of a static analysis at the network level were followed, in order to identify as comprehensive a range of details and aspects related to the initial information as possible. Thus, a search of the VirusTotal database of the file hash was performed. The information found led to network aspects that required additional clarification.
After analyzing several IPs, it was found that one of them, which was considered malicious by the VirusTotal database, is an IP from the public datacenter area associated with an online service provider. Given that this provider offers temporary rental services of public IPs, it was found that the potential attacker used these resources to create various attacks and even the basis for the malicious PDF file, from which the investigation had commenced.
The analysis of all other files was carried out in a similar way, in order to reach clearer conclusions on the files and the influence they may have within a communications system. Its results can be found in Table 4.
Table 4. Collecting information from malicious files using various analysis solutions.
Another important feature that should be analyzed consists of imported libraries. This aspect provides clues about the general functionality of a malicious file. Examples of imported libraries, within the chosen example, include wsock32.dll, URLMON.DLL, netapi32.dll, WS2_32.DLL, and SHFolder.dll. These indicate various network level connections, communications with command-and-control servers, or file placement and information exfiltration.
Therefore, the expectations based on the analysis are that files that have network activity should indicate functions such as connect or send, those that request access to files or want data exfiltration should include functions such as CreateFile, those that open various additional connections should include functions such as ShellExecute, and those that need to work with RAM memory (for code injections) should include functions such as VirtualAlloc. The data from this analysis can be found also in Table 4.
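The import-to-behavior expectations above can be written down as a rule set and checked mechanically against an import list. The following Python is an added example, not the paper's tooling: the DLL names come from the text, whereas the function names, the rule set, the capability labels and the import list itself are constructed assumptions rather than data from any sample.

```python
"""Map a PE import list to the capability expectations described in the text
(network -> connect/send, file access -> CreateFile, launching -> ShellExecute,
injection -> VirtualAlloc). Added example, not the paper's tooling; the rule set
is an assumption built from the APIs named in the text plus well-known neighbours."""

RULES = {
    "network": {
        "dlls": {"ws2_32.dll", "wsock32.dll", "urlmon.dll", "wininet.dll", "winhttp.dll"},
        "apis": {"connect", "send", "recv", "WSAStartup", "gethostbyname",
                 "InternetOpenUrl", "URLDownloadToFile", "HttpSendRequest"},
    },
    "file_access": {
        "dlls": set(),
        "apis": {"CreateFile", "ReadFile", "WriteFile", "CopyFile", "MoveFile", "DeleteFile"},
    },
    "process_launch": {
        "dlls": set(),
        "apis": {"ShellExecute", "CreateProcess", "WinExec"},
    },
    "memory_injection": {
        "dlls": set(),
        "apis": {"VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread"},
    },
    "file_placement": {
        "dlls": {"shfolder.dll"},
        "apis": {"SHGetFolderPath", "SHGetSpecialFolderPath"},
    },
    "host_enumeration": {
        "dlls": {"netapi32.dll"},
        "apis": {"NetShareEnum", "NetUserEnum", "NetWkstaGetInfo"},
    },
}

# Behaviour claims from the text mapped to the capability that should back them.
EXPECTATIONS = {
    "network activity": "network",
    "file access or exfiltration": "file_access",
    "opens additional connections": "process_launch",
    "code injection": "memory_injection",
}


def api_stem(name: str) -> str:
    """Normalize an import name: drop the ANSI/Unicode suffix (CreateFileA/W) and a
    trailing Ex (ShellExecuteEx), then lower-case, so all variants hit one rule."""
    stem = name
    if len(stem) > 2 and stem[-1] in "AW" and (stem[-2].islower() or stem[-2].isdigit()):
        stem = stem[:-1]
    if len(stem) > 3 and stem.endswith("Ex"):
        stem = stem[:-2]
    return stem.lower()


for _rule in RULES.values():
    _rule["stems"] = {api_stem(api) for api in _rule["apis"]}


def capability_profile(imports):
    """imports: iterable of (dll, function). Returns {capability: sorted evidence}.
    A matching function name is strong evidence; a matching DLL alone (for example
    an import by ordinal) is recorded as weaker, DLL-only evidence."""
    profile = {}
    for dll, func in imports:
        dll_l, stem = dll.lower(), api_stem(func)
        for cap, rule in RULES.items():
            if stem in rule["stems"]:
                profile.setdefault(cap, set()).add(f"{dll_l}!{func}")
            elif dll_l in rule["dlls"]:
                profile.setdefault(cap, set()).add(f"{dll_l} (DLL only)")
    return {cap: sorted(ev) for cap, ev in profile.items()}


def check_expectations(profile, claims):
    """For each claimed behaviour, report whether the import table supports it."""
    return {claim: EXPECTATIONS[claim] in profile for claim in claims}


# Constructed import list: DLL names from the text, function names assumed.
SAMPLE_IMPORTS = [
    ("WS2_32.DLL", "WSAStartup"), ("WS2_32.DLL", "connect"), ("WS2_32.DLL", "send"),
    ("wsock32.dll", "gethostbyname"), ("URLMON.DLL", "URLDownloadToFileA"),
    ("netapi32.dll", "NetShareEnum"), ("SHFolder.dll", "SHGetFolderPathW"),
    ("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
    ("KERNEL32.dll", "VirtualAlloc"), ("SHELL32.dll", "ShellExecuteExW"),
]

if __name__ == "__main__":
    prof = capability_profile(SAMPLE_IMPORTS)
    for cap, evidence in prof.items():
        print(cap, "<-", ", ".join(evidence))
    print(check_expectations(prof, list(EXPECTATIONS)))
```

The suffix normalization matters in practice: the same capability appears as `CreateFileA`, `CreateFileW` or `ShellExecuteExW` depending on the compiler and character set, and a rule keyed on one spelling would miss the others. DLL-only evidence is kept separate because a sample that imports by ordinal still reveals which libraries it links.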

4.2. Preliminary Insights of Static Analysis Data

Taking into account the data from Table 2 and Table 3, if the first category of files, adware files, is considered, it can be concluded that, although they have different operating characteristics, they also have common aspects. In the analyzed examples, four out of five files exhibited suspicious code sections and evidence of file and memory manipulation, along with the creation or modification of system processes. This behavior is somewhat unexpected, given that the primary function of adware is typically to display advertisements. However, beyond its apparent simplicity, adware interacts with the file system to maintain persistence and perform updates, requiring memory access for executing additional code injections. A less common part of the behavior of these files is the fact that the activity in the network area, which would involve collecting user data and transmitting system information, is present in only one of the cases. This aspect is encountered especially if the execution is carried out locally, without the need for internet access, or to avoid detection by antivirus software.
For files classified under the backdoor category, the observed activity provides minimal data of analytical value or usefulness for comparative assessment. This is because backdoor files are usually encrypted shells that are activated only upon execution.
Other categories for which static analysis proves less effective are keyloggers and RATs (Remote Access Trojans), because they implement encryption techniques and functions that appear legitimate in order to hide their true malicious intentions. Therefore, during the static analysis, these files revealed little information through which their underlying characteristics could be recognized and classified, and even antivirus programs treated them as legitimate files.
For the files in the malware category, the static analysis performed on files M1-M5 yields information about suspicious sections or interaction with system memory, but, most of the time, their real character is also hidden because they do not employ explicit functions to define their behavior; instead, they rely on legitimate functions or sets of legitimate functions (which produce the same result). Similarly to the backdoor category, they may have inactive functions that reveal their true behavior only during execution.
For ransomware, the static analysis performed is relevant in determining the real behavior of the malicious sample, because all the analyzed files involve the creation of additional processes in system memory. In addition, most of the samples used in the analysis exhibited behaviors related to file or memory resource modifications and the presence of APIs for encrypting the collected information. Based on this information, the true nature of a file of this type can be determined, because the main function of ransomware is to encrypt the identified information with its own key. To enable later decryption, the attacker provides an email address and demands a sum of money from the victim.
The analyzed spyware files have common behaviors related to suspicious sections, working with files, creating processes, and modifying the registry. The reasons behind these characteristics lie in the fact that this type of software wants to remain undetected and to avoid writing information to memory, which ensures undetected exfiltration of information. Thus, after execution, the file communicates directly with an external command and control server, to which it provides key information, without being detected by antivirus programs.
From the last category, Trojan-type files often create new processes and interact with files. They also have high entropy in sections or other unusual behaviors related to them. In fact, these are the most typical operations performed by this type of file. Notably, the antivirus identified all samples selected in this category as malicious files.
Although static analysis was able to provide certain key characteristics on the malicious nature of the analyzed files, for a clearer conclusion on their real behavior, it is furthermore necessary to involve dynamic analysis, which will outline the possibility of evaluating these types of files as accurately as possible.

4.3. Dynamic Analysis

This section presents the results of the dynamic analysis performed on the dataset. Contrary to static analysis, which examines files without execution, dynamic analysis involves monitoring and evaluating the behavior of files in a controlled runtime environment.
This approach allows for the observation of real-time interactions, system modifications, and potential malicious activity that may not be detectable through static methods. The following subsections provide a detailed breakdown of the findings, highlighting key behaviors, anomalies, and any potential security threats identified during execution.
During the dynamic analysis phase, a comprehensive suite of tools was employed to facilitate a thorough characterization of the malware’s behavior and interactions within the system (Figure 7).
Figure 7. How to perform dynamic analysis, along with the tools and samples utilized.
Regshot was utilized to capture and compare registry changes before and after the execution of the sample, enabling the identification of any persistent alterations or suspicious modifications to the system registry.
Procmon and Sysmon were deployed to monitor real-time processes and system activity, providing insights into file operations, registry access, and network communications initiated by the malware.
Task Manager was leveraged to observe resource utilization and process behavior, allowing for the detection of any anomalous or malicious processes running in the background.
Additionally, FakeNet was used to simulate a network environment, allowing the monitoring of potential outbound connections or command-and-control traffic, while Wireshark facilitated the capture and analysis of network packets, enabling the identification of malicious data transmissions.
Collectively, these tools provided a multi-faceted view of the malware’s behavior, allowing for a comprehensive analysis of its impact on both the operating system and network infrastructure.
Following an approach similar to that of Section 4.1, dynamic analysis involves executing a malware sample in a controlled environment to observe its behavior, system interactions, and network activity in real time. The first step is to create an isolated environment and install the aforementioned tools. Before running the malware, a baseline snapshot of the system, including file structures, registry settings, and network configurations, must be captured.
The next step includes executing the malware sample, observing its behavior as it interacts with the OS, files, and network. For this step, the K5 sample was used and its execution can be found in Figure 8. As observed, the system’s antivirus initially detects and blocks the malicious file. To gain a deeper understanding of the file’s true behavior, the antivirus program was disabled.
Figure 8. Running the keylogger K5.
The malware was then executed again, and system changes were carefully monitored, focusing on new processes, file creations, registry modifications, and other potential indicators of compromise. Tools such as Procmon and Regshot were employed for this purpose. Additionally, the execution of processes and their resource usage (CPU and memory) were tracked using Task Manager and Procmon, while Wireshark and FakeNet were utilized to monitor any network traffic or communication with external servers.
Following the execution, the post-execution state—including files, registry entries, and network activity—was compared to the baseline to identify any modifications or anomalies. This methodology was consistently applied across all the malicious samples analyzed, ensuring a uniform approach to monitoring and characterizing their behavior. All the data related to the analyzed malware samples is presented in Table 5.
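The baseline-then-compare procedure of the preceding paragraphs, as an added example that is not part of the paper's tooling: it snapshots a real temporary directory before and after simulated activity, models the registry as a dict (the Windows registry is not available offline), diffs both in the manner of Regshot, and flags changes under autostart keys. All file contents, registry keys and paths are constructed, and the autostart list is an assumption.

```python
"""Baseline / post-execution differencing in the spirit of the Regshot step:
snapshot a file tree before and after a run, diff the snapshots, do the same for
a registry-like key/value store, and flag changes under autostart locations.
Added example, not the paper's tooling. The registry is modelled as a dict
because the real Windows registry is not available offline; the file snapshot
runs against a real temporary directory."""
import hashlib
import os
import tempfile


def snapshot_tree(root: str) -> dict:
    """Map path (relative to root) -> (size, sha256) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                content = fh.read()
            snap[os.path.relpath(full, root)] = (len(content), hashlib.sha256(content).hexdigest())
    return snap


def flatten_registry(reg: dict) -> dict:
    """{key: {value_name: data}} -> {key\\value_name: data}, so one diff routine serves both."""
    return {f"{key}\\{name}": data for key, values in reg.items() for name, data in values.items()}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Regshot-style comparison: entries added, removed, or whose content changed."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


# Well-known autostart locations (assumed list, not exhaustive).
AUTOSTART_MARKERS = (
    r"\currentversion\run", r"\currentversion\runonce",
    r"\currentcontrolset\services", r"\winlogon",
)


def is_autostart(entry: str) -> bool:
    low = entry.lower()
    return any(marker in low for marker in AUTOSTART_MARKERS)


# Constructed registry states: a benign baseline and a post-run state in which the
# sample added a Run value and changed a service start type. Paths are placeholders.
REG_BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {"OneDrive": r"C:\Users\u\OneDrive.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time": {"Start": 3},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 1},
}
REG_AFTER = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\u\OneDrive.exe",
        "svc_update": r"C:\Users\u\AppData\Roaming\svc.exe",  # constructed, not a real indicator
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time": {"Start": 2},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 1},
}


def run_demo() -> dict:
    """Baseline -> simulated sample activity -> post-run snapshot -> comparison."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("baseline content\n")
        before = snapshot_tree(root)
        # Simulated activity: drop a file and tamper with an existing one.
        with open(os.path.join(root, "dropped.exe"), "wb") as fh:
            fh.write(b"MZ" + bytes(64))
        with open(os.path.join(root, "hosts"), "a") as fh:
            fh.write("127.0.0.1 av-update.example\n")
        after = snapshot_tree(root)
    files = diff_snapshots(before, after)
    registry = diff_snapshots(flatten_registry(REG_BEFORE), flatten_registry(REG_AFTER))
    persistence = [e for e in registry["added"] + registry["modified"] if is_autostart(e)]
    return {"files": files, "registry": registry, "persistence": persistence}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Hashing rather than comparing timestamps is deliberate: a sample can preserve modification times, but it cannot keep the content hash unchanged while altering a file. Flattening the registry to `key\value` strings lets the same diff routine serve both sources, which mirrors how Regshot output and a file-tree comparison are read side by side.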
Table 5. Gathering information from strings and indicators of compromise.

4.4. Preliminary Insights of Dynamic Analysis Data

From dynamic analysis, several assessments can be conducted regarding the malicious behavior of the analyzed files. Thus, with each execution of the files, all system parameters are modified, with every sample inducing changes—whether substantial or minor—in the operating system during each of our experiments.
Taking into account all the data presented in Table 5, it can be concluded that the activity at the network resource level is quite low in most of the cases studied. This aspect contradicts expectations, particularly in the case of adware or spyware, where the primary activity is typically user monitoring and the exfiltration of specific data. For the other categories, they can also function in an ‘offline’ mode, often employing methods to store data locally or, in some cases, utilizing alternative approaches to transmit the encrypted data to the legitimate user (as seen in ransomware).
The values provided by Regshot (changes at the registry level) have a significant impact on the analysis of malware behavior, particularly in identifying changes carried out to the system registry.
These values provide valuable insights into how a malicious file interacts with the system. Thus, one crucial piece of information is about persistence mechanisms used by different types of malware. Trojans, spyware, or ransomware modify registry keys to ensure they persist across system reboots. Another important form of information given by these values is configuration changes (certain malware modify settings or configurations in order to mask their real behaviors—disable security features or bypass settings). Additionally, certain malware may modify firewall configurations or attempt to conceal its presence; however, changes in the registry can often reveal evidence of its execution, even if the file is no longer active.
The changes at the system level directly affect the processing and memory resources of the test system, which translates into sudden increases in CPU or memory usage. This can occur both at launch and during continued execution, particularly in the case of Trojan-type malware. In the samples examined, most do not cause a significant increase in system resource usage, with the exception of ransomware files, whose impact is primarily attributed to the need to encrypt data.
A final aspect, which is extremely important in a dynamic analysis, is the detection of the malicious file at the antivirus level. This capability is essential, especially where the user of a system does not have all the technical information regarding the respective working environment, since effective antivirus detection resolves several problems early. In the current case, in which the testing was carried out with simulated network environments, the antivirus system was required to operate with the latest updates in a Windows and Ubuntu 22.04 virtual machine, but in an offline environment. It proved effective in most cases, less so for the categories of adware, keylogger, RAT, spyware, and even Trojan. This is due to the encryption of the code, unknown signatures or, in the case of ransomware files, detection that comes too late.
Although these experiments primarily focused on the Windows operating system, an analysis was similarly conducted within the Ubuntu 22.04 operating system.

5. Evaluation and Discussion

The analysis of the selected malware samples, through both static and dynamic techniques, revealed several key findings. Static analysis provided insight into file characteristics such as entropy, imported functions, magic numbers, and file headers, allowing identification of suspicious patterns across malware categories. Dynamic analysis complemented this by exposing runtime behaviors, including system modifications, process creation, memory manipulation, and communication with command-and-control servers.
Five samples were selected from each malware category, rather than a single sample, to ensure that the analysis captures a broader and more representative spectrum of behaviors. These samples are not all from the same malware family, which allows the study to account for intra-category variability and reduces the risk of drawing conclusions based on the characteristics of a single instance. By including multiple, diverse samples, the results better reflect general patterns and trends within each category, strengthening the reliability and validity of both static and dynamic analyses. This approach ensures that the observed features do not pertain to a specific sample, but instead are indicative of the category in general.

5.1. Comparative Analysis of Malware Characteristics

Among the examined files, backdoor samples exhibited minimal observable activity, highlighting their stealth capabilities, whereas adware unexpectedly engaged in file system and memory modifications beyond mere advertisement display. Although static analysis was able to provide certain key characteristics on the malicious nature of the analyzed files, for a clearer conclusion on their real behavior, it was similarly necessary to involve dynamic analysis, which outlined the possibility of evaluating these types of files as accurately as possible.
In the analyzed examples, adware files were identified as malicious through their file type and headers, moderate entropy, and the creation or modification of registry keys to maintain persistence. What is important and unexpected is that network activity was present in just one sample.
For backdoor files, static analysis revealed the presence of obfuscated code or packing techniques implemented to evade detection, while dynamic analysis indicated activities such as the creation or modification of processes to maintain persistence, along with alterations to the registry and file system.
Files such as keyloggers and Remote Access Trojans (RATs) were not effectively analyzed through static methods as a result of their employment of encryption techniques. However, dynamic analysis proved more informative, revealing network-related processes and the establishment of persistence via registry keys or startup entries.
Files containing malware exhibited high entropy and suspicious strings that indicate their true behavior. During dynamic analysis, these files were identified by observing modifications to the file system and registry, as well as changes to system configurations.
Ransomware files were identified through static analysis by their creation of memory processes and the presence of APIs utilized for data encryption. During dynamic analysis, these files caused significant damage to the test environment by encrypting all information.
Spyware files contained strings indicative of data collection activities, such as harvesting passwords and browsing history, and employed obfuscation techniques to evade static detection. During dynamic analysis, these files attempted to transmit the collected data over the network and modified files and registry keys to maintain stealth.
Trojan files were identified in static analysis by their disguise as legitimate software and the presence of API imports related to file operations. During dynamic analysis, they were recognized by their modifications to the file system and registry to ensure persistence.

5.2. Key Indicators for Malware Identification

In order to evaluate the effectiveness of malware identification, we focused on a set of key indicators that combine theoretical expectations with practical observations. Static features, such as file entropy and file type consistency, provide insight into whether a sample exhibits characteristics typical of its malware category.
Dynamic behaviors, including antivirus detection, registry modifications, process creation, and network activity, reveal whether the malware executes as expected in a controlled environment. By analyzing these indicators across samples, we can determine which files were correctly identified as malicious and highlight patterns that contribute to reliable detection within each category.
Overall, the comparative analysis between the expected and observed characteristics of the analyzed malware samples highlights both consistencies and deviations from theoretical behavior patterns. While certain categories, such as ransomware and spyware, generally aligned with expectations—showing distinct file manipulations, registry changes, and detectable network activity—others, like adware and RATs, exhibited partial or inconsistent behaviors. These discrepancies may be attributed to evasion techniques, sample obfuscation, or antivirus limitations in dynamic environments.
The results, presented in Table 6, reinforce the necessity of combining static and dynamic indicators, as neither approach alone provides a complete understanding of malware behavior. This multi-perspective evaluation thus contributes to improving the accuracy and reliability of malware classification and detection strategies.
Table 6. Observed versus expected indicators of malicious activity across malware types.
The analysis revealed notable variations in both static and dynamic characteristics among samples belonging to the same malware category. While certain attributes—such as file type, registry modifications, and process creation—were consistently present across all samples, parameters like entropy values, antivirus detection rates, and network activity exhibited measurable differences. These inconsistencies highlight that even within the same category, malware variants often employ distinct evasion techniques or payload delivery mechanisms.

5.3. Independent Indicators: Entropy and Antivirus Detection

To enhance the interpretability of the results and enable clearer pattern recognition across malware categories, graphical representations were incorporated alongside tabular data.
In this study, entropy was selected as a key parameter because it provides a robust static measure of randomness or disorder within a file, which can indicate potential malicious content. Complementarily, antivirus detection outcomes were included as a dynamic parameter, reflecting how security solutions respond to the actual execution of malware in a controlled environment.
Other observed indicators, such as specific process creations, registry modifications, or network communications, were recorded in a binary format (YES/NO) for each sample. These features often vary significantly between individual files within the same malware category, making direct comparative analysis challenging. Including them in a table allows us to capture important behavioral patterns without misrepresenting their variability, while the entropy and antivirus parameters provide consistent quantitative metrics suitable for cross-sample comparison.
The diagram in Figure 9 provides insights into the entropy values of various files, which typically indicate the degree of randomness or complexity within those files.
Figure 9. File entropy distribution.
From these values, it can be concluded that:
  • The files labeled A1, A3, A5, B2, B4, K1, K3, and K5 display relatively high entropy levels, suggesting that these files may be obfuscated or packed. This is typical for malware attempting to evade detection by security tools. The malicious files corresponding to these labels are categorized as adware, backdoor, and keylogger.
    The files with B2, B4, K1, K3, and K5 demonstrate high entropy values because keyloggers and backdoor files often utilize obfuscation or packing to avoid detection, aligning with the typical behavior of packed or encrypted files.
    The high entropy values observed in the adware files in the diagram are unusual. This could indicate that some of the adware samples in this dataset may have implemented more sophisticated packing or encryption techniques to avoid detection.
  • Files such as M2, M4, Rt1, Rt2, Rt4, and S1 indicate moderate entropy values, which might indicate that while they are somewhat complex, they do not exhibit the same level of obfuscation or encryption as the previous category. The malicious files corresponding to these labels are categorized as malware and spyware.
    This aligns with the general behavior of these categories of malware that attempt to avoid detection, either by using obfuscation or packing techniques.
  • Files such as T2, T4, and S5 appear to have lower entropy, suggesting they may be simpler or less obfuscated, which could point to less sophisticated malware. The malicious files corresponding to these labels are categorized as Trojan and spyware.
    Conversely, files in the spyware and Trojan categories tend to have lower entropy, potentially indicating less obfuscation. The moderate entropy levels of ransomware files indicate the presence of some form of obfuscation, but not necessarily encryption across all samples. Trojans exhibit lower entropy values than other malware categories because they are less obfuscated or packed, relying instead on their “legitimate” appearance to deceive users or antivirus software.
The diagram in Figure 10 presents the antivirus detection results for the malicious files.
Figure 10. Antivirus detection results for malicious files.
From these values, it can be concluded that:
  • Almost all files were detected by the antivirus effectively.
  • The antivirus detected the analyzed files regardless of their type.
  • The non-detected files are spread across various malware categories (adware, keyloggers, ransomware, Trojans). This indicates that the antivirus has some limitations in detecting certain malware types, and there may be specific characteristics of these files that allow them to evade detection.
The fact that multiple malware types were not detected suggests that these samples might be using advanced evasion techniques such as obfuscation, encryption, or other methods designed to bypass antivirus detection. It could also suggest that the antivirus may not be up to date or may have specific weaknesses when dealing with certain malware families. Considering that the experiments were performed in an offline environment, the antivirus could not access online databases to quickly update its own.
All this information can have a significant implication for dynamic analysis:
  • Since dynamic analysis typically observes runtime activities (such as file system changes, registry modifications, and network communications), undetected malware may continue to operate without being flagged by security tools.
  • Because certain malware samples evade detection, additional monitoring during dynamic analysis may be necessary.
The visualizations from Figure 9 and Figure 10 complement the numerical tables by offering a clearer overview of trends and behavioral distinctions, while basic statistical analysis—such as mean and variance comparisons—was applied to validate the observed patterns. This combined presentation significantly improves the analytical depth of the study and strengthens the robustness of the reported findings.
All these findings demonstrate the value of combining static and dynamic approaches to achieve comprehensive malware characterization and inform future automated detection strategies.

5.4. Response to Research Questions

To strengthen the interpretive value of the findings, this section revisits the research questions initially formulated in Section 1. Each question is addressed in light of the experimental results obtained through the combined static and dynamic analysis. The goal is to assess the extent to which the study objectives have been achieved and to clarify the main insights derived from the observed malware behaviors.
  • Which hybrid features (entropy, API calls, execution traces) most effectively differentiate malware types?
    The analysis revealed that a combination of entropy values (from static analysis) and behavioral indicators, such as API calls and antivirus detection or the way registries and processes were modified (from dynamic analysis), provided the most effective differentiation between malware types. High entropy values were particularly indicative of obfuscated or compressed files (commonly seen in ransomware and Remote Access Trojans), while distinctive API call patterns—such as registry modification, process injection, or network communication—were characteristic of spyware, RATs, and backdoors. When these hybrid features were analyzed together, they provided a clearer distinction between categories than when considered independently.
  • How do static and dynamic indicators correlate across categories?
    The results showed a moderate to strong correlation between certain static and dynamic metrics. For example, samples with high entropy typically exhibited complex execution behavior, including active network connections or process creation (there were exceptions, of course, but this was the general trend). In contrast, files with low entropy and minimal static anomalies tended to exhibit limited or no activity in dynamic execution.
  • How consistent are the static and dynamic characteristics across multiple samples within the same malware category?
    The consistency of features within each malware category varied by family and level of obfuscation. Categories such as ransomware and adware exhibited greater internal consistency (with similar entropy ranges, file types, and dynamic patterns), while RATs and backdoors exhibited greater variability due to their modular structures and attack evasion techniques. Despite these differences, key behavioral traits, such as registry changes and network communication, were observed in nearly all samples within each category, suggesting that certain operational characteristics remain stable identifiers, regardless of implementation differences.
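As an added example (not the paper's own code), the following builds one row of the hybrid feature table described in the answers above: byte entropy on the static side and per-group Yes/No API-call flags on the dynamic side. The 7.0 bits/byte cut-off, the API groupings, and the sample contents are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

# Assumed grouping of Windows API names into the behaviour classes the study
# uses as dynamic indicators. Constructed for this example; not from the paper.
API_GROUPS = {
    "registry": {"RegOpenKeyExA", "RegCreateKeyExA", "RegSetValueExA", "RegDeleteValueA"},
    "injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "network": {"WSAStartup", "connect", "InternetOpenA", "HttpSendRequestA"},
}

# Assumed cut-off: byte entropy at or above this value (out of 8 bits/byte)
# is treated as packed/obfuscated content in this example.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def api_indicators(imports) -> dict:
    """Reduce an import/API-call list to one Yes/No flag per behaviour group,
    mirroring the binary presentation used in the study's result tables."""
    names = set(imports)
    return {group: ("Yes" if names & apis else "No") for group, apis in API_GROUPS.items()}


def hybrid_features(sample_id: str, data: bytes, imports) -> dict:
    """One row of the hybrid feature table: static entropy plus dynamic API flags."""
    entropy = shannon_entropy(data)
    row = {
        "sample": sample_id,
        "entropy": round(entropy, 3),
        "high_entropy": "Yes" if entropy >= HIGH_ENTROPY else "No",
    }
    row.update(api_indicators(imports))
    return row


def feature_table(samples) -> list:
    """Build the comparison table for (sample_id, file_bytes, imports) triples."""
    return [hybrid_features(sid, data, imports) for sid, data, imports in samples]


# Constructed stand-ins for file contents (not real malware): a low-entropy
# plain-text body and a pseudo-random body that mimics packed/encrypted data.
PLAIN_BYTES = b"This program cannot be run in DOS mode.\r\n" * 100
_rng = random.Random(1)  # fixed seed so the example is reproducible
PACKED_BYTES = bytes(_rng.getrandbits(8) for _ in range(4096))

# Constructed import lists mimicking the API patterns the study describes.
PLAIN_IMPORTS = ["GetModuleHandleA", "MessageBoxA", "ExitProcess"]
RAT_IMPORTS = ["OpenProcess", "WriteProcessMemory", "CreateRemoteThread",
               "WSAStartup", "connect", "RegSetValueExA"]

SAMPLES = [("T1-constructed", PLAIN_BYTES, PLAIN_IMPORTS),
           ("R1-constructed", PACKED_BYTES, RAT_IMPORTS)]

if __name__ == "__main__":
    for row in feature_table(SAMPLES):
        print(row)
```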

5.5. Validation and Reproducibility

To assess the consistency and reliability of malware detection, VirusTotal was employed as an external validation tool. Each sample included in this study was submitted to VirusTotal to verify detection results across multiple antivirus engines.
The analysis revealed that certain samples were classified differently compared to our categorization: for instance, the adware sample A1 was labeled as a Trojan or backdoor in VirusTotal. Such discrepancies can arise due to several factors, including differences in detection heuristics, signature databases, and the focus areas of individual antivirus engines.
Variations in the operational environment, the presence of polymorphic or obfuscated code, and updates in antivirus definitions over time can also contribute to inconsistent labeling. These findings highlight the importance of cross-validation and careful interpretation when relying on antivirus tools, underscoring the need for reproducible methodologies and the combination of both static and dynamic analysis to achieve robust malware characterization.
It is important to note that malware samples can exhibit diverse behaviors and may be created using different development tools, frameworks, or obfuscation techniques, leading to variations in how they manifest across different environments. These differences can result in inconsistent detection by antivirus engines and divergent classifications in external databases. In this study, the classification of each sample was guided primarily by the MalwareBazaar indexing system, which provides a standardized reference for categorizing malware families. By relying on MalwareBazaar, we ensure a consistent baseline for analysis, while acknowledging that behavioral differences and environment-specific execution may influence dynamic observations and external detection results.
In the results tables, certain behavioral indicators were represented using simple “Yes/No” values. This choice was made because the malware samples exhibited highly variable interactions with the system, and for some features no consistent or representative value could be identified across all samples within a given category. For example, in the dynamic analysis process, RegShot was utilized to capture registry snapshots before and after malware execution, thereby identifying the specific keys and values that were added, modified, or deleted. After running a malware sample, RegShot’s comparison output might report dozens of new keys, changes in existing values, or deleted entries—data that can be structured into a comparison table across different malware samples (e.g., “Keys Added/Keys Modified/Keys Deleted”). Because registry behavior can vary significantly across samples—even those of the same family—such a table aids in quickly visualizing patterns of system modifications, enabling cross-sample comparison in a standardized manner.
The binary approach highlighted the presence or absence of specific behaviors without over-interpreting inconsistent or non-comparable data, ensuring clarity while preserving the practical insights derived from both static and dynamic analyses.
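The RegShot-style comparison described above, as an added example that is not the paper's or RegShot's own code: two constructed snapshots are diffed into added, modified, and deleted keys and values, summarized into the comparison-table counts, and then collapsed into the Yes/No indicators. The Run-key persistence flag is an assumed indicator added for illustration.

```python
# Constructed registry snapshots in the shape {key_path: {value_name: data}}.
# They stand in for two RegShot snapshots and are not real RegShot output.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SNAPSHOT_BEFORE = {
    RUN_KEY: {"OneDrive": r"C:\Users\lab\AppData\Local\OneDrive.exe"},
    r"HKCU\Software\ConstructedVendor\App": {"Version": "1.0"},
    r"HKCU\Software\ConstructedVendor\Temp": {"State": "idle"},
}
SNAPSHOT_AFTER = {
    RUN_KEY: {"OneDrive": r"C:\Users\lab\AppData\Local\OneDrive.exe",
              "Updater": r"C:\Users\lab\AppData\Roaming\upd.exe"},   # value added
    r"HKCU\Software\ConstructedVendor\App": {"Version": "1.1"},       # value modified
    r"HKCU\Software\ConstructedSample": {"InstallId": "constructed"},  # key added
    # HKCU\Software\ConstructedVendor\Temp is absent: key deleted
}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two snapshots and list which keys and values were added,
    modified, or deleted, the same information a RegShot comparison reports."""
    diff = {"keys_added": sorted(after.keys() - before.keys()),
            "keys_deleted": sorted(before.keys() - after.keys()),
            "values_added": [], "values_modified": [], "values_deleted": []}
    for key in sorted(before.keys() & after.keys()):
        old, new = before[key], after[key]
        diff["values_added"] += [(key, v) for v in sorted(new.keys() - old.keys())]
        diff["values_deleted"] += [(key, v) for v in sorted(old.keys() - new.keys())]
        diff["values_modified"] += [(key, v) for v in sorted(old.keys() & new.keys())
                                    if old[v] != new[v]]
    return diff


def summary_counts(diff: dict) -> dict:
    """Numeric columns of the comparison table (Keys Added/Modified/Deleted).
    A key counts as modified when any of its values changed."""
    touched = {k for k, _ in diff["values_added"] + diff["values_modified"]
               + diff["values_deleted"]}
    return {"Keys Added": len(diff["keys_added"]),
            "Keys Modified": len(touched),
            "Keys Deleted": len(diff["keys_deleted"])}


def binary_row(sample_id: str, diff: dict) -> dict:
    """Collapse the diff into the Yes/No indicators used in the result tables.
    The Run-key check is an assumed persistence indicator for this example."""
    changed = any(diff[part] for part in diff)
    run_touched = any("\\currentversion\\run" in key.lower()
                      for key, _ in diff["values_added"] + diff["values_modified"])
    return {"sample": sample_id,
            "Registry Modified": "Yes" if changed else "No",
            "Run Key Persistence": "Yes" if run_touched else "No",
            "Keys Deleted": "Yes" if diff["keys_deleted"] else "No"}


if __name__ == "__main__":
    d = diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print(summary_counts(d))
    print(binary_row("S1-constructed", d))
```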

5.6. Comparison with Existing Literature

To gain a more comprehensive understanding of the field and the experimental results obtained, it is essential to conduct a comparative analysis with the existing literature.
Considering [], the malware analysis process is found to be similar to the one utilized in this work, including several tools and solutions such as Wireshark, Process Explorer, or IDA Pro. Through these tools, malware characteristics are extracted, and the effectiveness of each is compared in order to determine the best method for analyzing malicious files. The files used in the cited work belong to the Agent Tesla malware family, and the common characteristics are highlighted in a table that includes the analysis methods and the most important strings and actions performed by the malicious file at the file, process, registry, and network levels of the victim machine.
However, the aim of [] is to identify the most efficient single analysis method, whereas in the present paper static and dynamic analysis are combined for a more robust and comprehensive analysis.
In [], the emphasis is placed on the sandbox and on the dynamic analysis of a malicious file. The advantages of using a sandbox environment are highlighted through constant monitoring, within an integrated platform, of aspects such as process monitoring, system monitoring, disk or memory usage, network monitoring, etc. The focus of that paper is therefore not on the actual analysis of malicious files but on the presentation of the integrated platform, which includes the monitoring of various processes. In contrast, the present study directs attention to a more in-depth examination of various characteristics, including antivirus detection, file relocation, and the alterations made by malicious files to system registry keys and values.
More comprehensive experiments are presented in [], which includes a dynamic analysis based on an approach similar to the present work, using several solutions such as Regshot, Wireshark, FakeNet, etc. The analysis in the cited work is based on CryptBot files and includes three different files, which are analyzed both statically and dynamically. The conclusions of the work include a comparison between samples from the same family which, as expected, share common features. In addition, the work highlights several prevention and protection measures against similar attacks. In contrast, the attacks analyzed in the present work are significantly more diverse, encompassing a large number of different file types from various malware families. Such an approach is more comprehensive and can lead to a considerably more efficient and user-friendly database, even within the framework of machine learning methods.
Another important piece of work that needs to be compared with the results obtained here is []. That paper presents several different solutions through which a static and dynamic analysis of malicious files is performed, similar to the aspects presented in this work. These aspects are integrated in software that checks several characteristics of the analyzed malware file (njRAT). However, that research does not record the specific behaviors of the malware; it tests only the presence or absence of integrated characteristics of the malicious file (whether it reveals activity at the network level and whether the file performs various functions such as calls to various types of resources). In the present work, on the other hand, several executions of RAT-type files are performed and analyzed comparatively in order to identify common characteristics, an approach that also integrates the analysis found in the cited work and expands on it in a more advanced form.
Similarly to our approach, [] also considers 40 malware samples. However, that study is limited to the top 10 malware threats between August 2019 and January 2020. In both cases the sample can be considered small, but sufficient for exploring attack documentation and analysis strategies. Other elements common to the two studies include simulated network access and the study of attack patterns and trends. What differs in this work is the more advanced way in which these malware samples are analyzed, through both static and dynamic analysis. Also, the malware samples used in this study are much more up to date, including samples from 2024 and 2025.
The work [] includes a performance evaluation of several machine learning algorithms for the detection of malicious files. This aspect is not yet addressed in the present work, which instead outlines the extraction of key features for each category of malware and their common aspects. Notably, the cited work also bases its malware analysis on MalwareBazaar files, and its feature extraction relies on features also used here, such as file type, entropy, API calls, and sections in the PE file. It therefore establishes the feature-extraction methods that the present work will also follow in future work.
In [], static and dynamic analysis methods are integrated to analyze a dataset of 5000 samples, which includes categories comparable to those used in the present work. These are introduced into a sandbox environment that includes tools similar to those used here. The problem with this work is given, firstly, by the language barrier and, secondly, by the fact that the experimental data are not specified. The results tables in that work present the evaluation of a machine learning model for various machine learning algorithms; thus, the static and dynamic analysis itself is not conclusively highlighted.
Similarly to [], this paper utilizes files from MalwareBazaar, which are analyzed dynamically. The dataset used in the cited work is larger than the one used in the current work, but its evaluation is based on machine learning algorithms. The labeling of the files is based on VirusTotal, one of the tools also used in this work. The malware file analysis method in the cited work uses a predefined sandbox, and the static analysis of the files is not taken into account. Thus, the current work has the advantage of a complete (hybrid) analysis of the malicious files, performed in a test environment that simulates real resources (a virtual machine, not a sandbox). However, the analysis with machine learning methods remains a limitation of this paper and will be covered in future work.
Compared to previous studies that focused primarily on either static or dynamic analysis, this work introduces a more integrated and comparative approach by combining both perspectives within a unified experimental framework. Unlike prior research that often relied on homogeneous or family-specific malware datasets, this study employed a diverse collection of samples across multiple categories—ransomware, Trojans, adware, spyware, and backdoors—allowing for a more comprehensive understanding of behavioral variations and detection patterns. The integration of hybrid features, including entropy metrics and runtime process monitoring, demonstrates the added value of correlating static and dynamic indicators to improve threat characterization.
To fully cover the important aspects of the paper, it should be highlighted that hybrid features combining static and dynamic analysis provide a robust approach to malware differentiation. In particular, the combination of entropy values and API calls is the most discriminative, allowing malware files to be separated based on both code structure and runtime behavior.
While static analysis offers valuable preliminary indicators, dynamic analysis is essential for capturing runtime behaviors that cannot be predicted through static inspection alone. This distinction is evident in two key examples: Trojan malware with suspicious imports typically results in observable actions during dynamic analysis, such as file modifications, whereas backdoor files often exhibit runtime communication and stealth behaviors that remain undetected through static features. Thus, hybrid analysis provides a complementary approach, ensuring more comprehensive coverage.
Observed behaviors and extracted features are highly dependent on the analysis environment. Therefore, hybrid analyses must account for sandbox fidelity to prevent false negatives or incomplete capture of malicious behavior. In this study, rather than using a pre-existing sandbox, a controlled environment based on virtual machines and various monitoring tools was developed to conduct the analysis.
Hybrid analysis must consider operating system-specific artifacts, as features that are discriminative in Windows may be irrelevant in Linux, and vice versa. Comparative studies emphasize the importance of OS-aware feature extraction to ensure accurate analysis. This aspect will be addressed in greater detail in future work.
Finally, the results directly address the research questions by identifying discriminative features for malware classification, revealing gaps in existing detection methods, and proposing pathways for improving both analytical approaches and cybersecurity practices. Specifically, this study highlights the principal static and dynamic features of malware that can inform the design of more robust automated anomaly detection systems, conducts a comparative analysis of malware behaviors across different families and operating systems, and assesses the effectiveness of feature-based detection in realistic testing environments. This evaluation highlights both practical challenges and opportunities for enhancing security monitoring.

5.7. Countermeasures

To mitigate the threats posed by the malware types analyzed, several countermeasures can be recommended. At the system level, implementing up-to-date antivirus and endpoint protection solutions, along with regular signature- and behavior-based updates, can help detect and block known and emerging threats. In parallel, network-level defenses, including firewalls, intrusion detection systems, and traffic monitoring, are essential for identifying suspicious communications, especially from backdoors and RATs.
In addition, enforcing strict access controls, timely patching of software vulnerabilities, and using sandbox environments for suspicious files can reduce the risk of successful infections.
From an operational perspective, user training, especially regarding phishing and social engineering tactics, remains a vital preventative measure. This paper did not include the methods by which malicious files were introduced into the victim hosts, but phishing can be considered one of them.
Finally, the integration of static and dynamic analysis techniques for continuous monitoring and automatic feature extraction can improve early detection and the overall resilience of IT infrastructures against evolving malware threats. Moreover, if the network is more complex, the presence of systems such as an intrusion detection system, an intrusion prevention system, or a security information and event management system is also recommended.
All these measures can lead to avoiding infection with malicious files and to a more efficient security environment.

6. Conclusions

In this work, a comparative study was conducted on the characteristics of some malicious files, using various software solutions and test environments, which led to several significant findings.
The first is that malicious files can adapt to the operating environment, often having, even in their initial code, characteristics specific to each operating system in order to ensure their persistence within the system, while employing various methods to conceal their presence and their real characteristics.
The second is that, although some malicious files are easily detectable by the antivirus system within each operating system, in some cases their detection is ineffective or is performed too late (in the case of ransomware), thus creating the possibility of information exfiltration.
The third is that, although each type of analysis has its advantages, a correct and coherent conclusion on a malicious file requires both types of experiments, since their characteristics complement each other.
This study presented a comparative framework for analyzing malware using both static and dynamic methodologies, focusing on the identification of discriminative features that can enhance automated detection systems. By examining multiple samples from distinct malware categories—such as adware, backdoor, Trojan, spyware, RAT, and ransomware—the research highlighted that no single analytical technique can provide complete insight into malicious behavior.
Static analysis is much faster and eliminates the risk of contamination of the working environment. At the same time, static analysis is often able to reveal indicators of compromise that remain invisible during execution, especially when the malicious file is activated only under certain conditions or after a period. Therefore, this approach is extremely valuable in the preliminary sorting and classification phases.
Dynamic analysis brings a practical and contextualized perspective on the behavior of a malicious file in its execution environment. The main advantage lies in the possibility of observing the real actions of the code: network connections, registry changes, newly created processes, etc.
The results indicate that hybrid features—particularly entropy, API calls, and execution traces—are the most effective indicators for distinguishing between malware types. Furthermore, the study demonstrated that environmental realism plays a critical role in the reliability of behavioral observation, as malware may adapt or evade poorly configured sandboxes. By analyzing five distinct samples per category, the research captured intra-category diversity, providing a more accurate representation of how malware behaves in real-world conditions.
The paper contributions can be summarized as follows:
  • Several discriminative static and dynamic features of malware were identified, which can inform the development of more robust automated anomaly detection systems.
  • A comparative analysis of malware behaviors across different families and operating systems was conducted.
  • The effectiveness of feature-driven detection was examined in controlled yet realistic environments, revealing practical constraints and directions for strengthening security surveillance mechanisms.
The findings from this study suggest that future work should focus on improving the accuracy and coverage of malware detection systems, including developing more effective feature extraction techniques, refining dynamic analysis methodologies, and incorporating real-time monitoring to capture and analyze complex malware behaviors. Additionally, enhancing the ability to detect malware across different operating systems and environments will be crucial for ensuring a comprehensive defense against the ever-evolving landscape of cyber threats.
Future work will also focus on transforming the findings of this study into practical and automated detection systems. Specifically, the static and dynamic features extracted during the experiments—such as entropy values, API call sequences, registry modifications, and network communication patterns—will be systematically integrated into machine learning models for malware classification and anomaly detection. This approach will allow the evaluation of various algorithms to determine which provides the best balance between detection accuracy and computational efficiency.
Ultimately, the findings contribute to the ongoing advancement of malware forensics and provide a foundation for building more robust, adaptive, and automated cybersecurity defense mechanisms.

Author Contributions

Conceptualization, M.-M.A., A.V. and C.B.; methodology, M.-M.A., A.V. and C.B.; software, M.-M.A.; validation, M.-M.A.; formal analysis, M.-M.A.; investigation, M.-M.A.; resources, M.-M.A., A.V. and C.B.; data curation, M.-M.A.; writing—original draft preparation, M.-M.A.; writing—review and editing, A.V. and C.B.; visualization, M.-M.A., A.V. and C.B.; supervision, C.B.; project administration, M.-M.A., A.V. and C.B. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Data are available upon request.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
AI: Artificial Intelligence
APT: Advanced Persistent Threats
CPU: Central Processing Unit
EXE: Executable file
HTTP: Hypertext Transfer Protocol
IP: Internet Protocol
OS: Operating System
PDF: Portable Document Format
RAM: Random-Access Memory
SHA: Secure Hash Algorithm
URL: Uniform Resource Locator

References

  1. Ebert, N.; Schaltegger, T.; Ambuehl, B.; Geppert, T.; Trammell, A.; Knieps, M.; Zimmermann, V. Learning from safety science: Designing incident reporting systems in cybersecurity. J. Cybersecur. 2025, 11, tyaf019. [Google Scholar] [CrossRef]
  2. Osburn, L.D. Telling stories about vendors: Narrative practices to negotiate risk and establish an organizational cybersecurity culture. J. Cybersecur. 2025, 11, tyae030. [Google Scholar] [CrossRef]
  3. Kazi, M.A. Detecting Malware C&C Communication Traffic Using Artificial Intelligence Techniques. J. Cybersecur. Priv. 2025, 5, 4. [Google Scholar] [CrossRef]
  4. Mills, A.; Legg, P. Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques. J. Cybersecur. Priv. 2021, 1, 19–39. [Google Scholar] [CrossRef]
  5. Bakdash, J.Z.; Hutchinson, S.; Zaroukian, E.G.; Marusich, L.R.; Thirumuruganathan, S.; Sample, C.; Hoffman, B.; Das, G. Malware in the future? Forecasting of analyst detection of cyber events. J. Cybersecur. 2018, 4, tyy007. [Google Scholar] [CrossRef]
  6. Almarri, S.; Bodokhi, A.; Frikha, M. A Review of the Recent Trends in Mobile Malware Evolution, Detection, and Analysis. IEEE Access 2025, 13, 108415–108445. [Google Scholar] [CrossRef]
  7. Chandran, S.; Syam, S.R.; Sankaran, S.; Pandey, T.; Achuthan, K. From Static to AI-Driven Detection: A Comprehensive Review of Obfuscated Malware Techniques. IEEE Access 2025, 13, 74335–74358. [Google Scholar] [CrossRef]
  8. Malik, B.; Khalid, J.; Arif, H.; Sadiqa, A.; Tanveer, A.; Mumtaz, A.; Afzal, Z.; Azhar, S. Comparing Hybrid Tool for Static and Dynamic Object-Oriented Metrics. Int. J. Adv. Comput. Sci. Appl. (IJACSA) 2019, 10, 68. [Google Scholar] [CrossRef]
  9. Panda, B.; Bisoyi, S.; Panigrahy, S. Behavioural Analysis of Malware by Selecting Influential API Through TF-IDF API Embeddings. Int. J. Adv. Comput. Sci. Appl. 2025, 16, 75. [Google Scholar] [CrossRef]
  10. Çatak, F.O. Mal-API-2019. Mendeley Data V2; Elsevier: Amsterdam, The Netherlands, 2019. [Google Scholar] [CrossRef]
  11. Pandian, A.P.; Anakath, A.S.; Kannadasan, R.; Ravikumar, K.; Abdul Kareem, D. Forensic Investigation of Malicious Activities in Digital Environments. In Proceedings of the 2024 4th International Conference on Data Engineering and Communication Systems (ICDECS), Bangalore, India, 22–23 March 2024; pp. 1–5. [Google Scholar] [CrossRef]
  12. Siva Surya, R.; Varuneshan, R.; Heltin Genitha, C. Designing a Static Malware Analysis Framework for Detecting Malicious Malware Code with Ghidra. In Proceedings of the 2025 3rd International Conference on Self Sustainable Artificial Intelligence Systems (ICSSAS), Erode, India, 11–13 June 2025; pp. 1696–1701. [Google Scholar] [CrossRef]
  13. Parkinson, S.; Khan, S.; Bray, J.; Shreef, D. Creeper: A tool for detecting permission creep in file system access controls. Cybersecurity 2019, 2, 14. [Google Scholar] [CrossRef]
  14. Orman, H. The Morris worm: A fifteen-year perspective. IEEE Secur. Priv. 2003, 1, 35–43. [Google Scholar] [CrossRef]
  15. Garber, L. Melissa Virus Creates a New Type of Threat. Computer 1999, 32, 16–19. [Google Scholar] [CrossRef]
  16. Mohaisen, A.; Alrawi, O. Unveiling Zeus: Automated classification of malware samples. In Proceedings of the 22nd International Conference on World Wide Web (WWW ‘13 Companion), Rio de Janeiro, Brazil, 13–17 May 2013; Association for Computing Machinery: New York, NY, USA, 2013; pp. 829–832. [Google Scholar] [CrossRef]
  17. Denning, D.E. Stuxnet: What Has Changed? Future Internet 2012, 4, 672–687. [Google Scholar] [CrossRef]
  18. Adams, C. Learning the lessons of WannaCry. Comput. Fraud. Secur. 2018, 2018, 6–9. [Google Scholar] [CrossRef]
  19. Alkhadra, R.; Abuzaid, J.; AlShammari, M.; Mohammad, N. Solar Winds Hack: In-Depth Analysis and Countermeasures. In Proceedings of the 2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT), Kharagpur, India, 6–8 July 2021; pp. 1–7. [Google Scholar] [CrossRef]
  20. Axon, L.; Erola, A.; Agrafiotis, I.; Uuganbayar, G.; Goldsmith, M.; Creese, S. Ransomware as a Predator: Modelling the Systemic Risk to Prey. Digit. Threat. 2023, 4, 55. [Google Scholar] [CrossRef]
  21. Jaffe, J.; Floridi, L. Ransomware: Why it’s growing and how to curb its growth. Appl. Cybersecur. Internet Gov. 2024, 3, 38–64. [Google Scholar] [CrossRef]
  22. Hansel, M.; Silomon, J. Ransomware as a threat to peace and security: Understanding and avoiding political worst-case scenarios. J. Cyber Policy 2024, 9, 159–178. [Google Scholar] [CrossRef]
  23. Gomes, V.; Reis, J.; Alturas, B. Social Engineering and the Dangers of Phishing. In Proceedings of the 2020 15th Iberian Conference on Information Systems and Technologies (CISTI), Seville, Spain, 24–27 June 2020; pp. 1–7. [Google Scholar] [CrossRef]
  24. Gallagher, S.; Gelman, B.; Taoufiq, S.; Vörös, T.; Lee, Y.; Kyadige, A.; Bergeron, S. Phishing and Social Engineering in the Age of LLMs. In Large Language Models in Cybersecurity; Springer: Cham, Switzerland, 2024. [Google Scholar] [CrossRef]
  25. Barcan, A.; Badoi, M.; Nedianu, G.; Ciochiu, D.; Traistaru, C.; Enescu, N. Advanced Persistent Threats. In Proceedings of the 2024 23rd RoEduNet Conference: Networking in Education and Research (RoEduNet), Bucharest, Romania, 19–20 September 2024; pp. 1–6. [Google Scholar] [CrossRef]
  26. Buchta, R.; Gkoktsis, G.; Heine, F.; Kleiner, C. Advanced Persistent Threat Attack Detection Systems: A Review of Approaches, Challenges, and Trends. Digit. Threat. 2024, 5, 39. [Google Scholar] [CrossRef]
  27. Butt, U.A.; Amin, R.; Mehmood, M.; Aldabbas, H.; Alharbi, M.T.; Albaqami, N. Cloud Security Threats and Solutions: A Survey. Wirel. Pers. Commun. 2022, 128, 387–413. [Google Scholar] [CrossRef]
  28. Pitkar, H. Cloud Security Automation Through Symmetry: Threat Detection and Response. Symmetry 2025, 17, 859. [Google Scholar] [CrossRef]
  29. Pallakonda, A.; Kaliyannan, K.; Sumathi, R.L.; Raj, R.D.A.; Yanamala, R.M.R.; Napoli, C.; Randieri, C. AI-Driven Attack Detection and Cryptographic Privacy Protection for Cyber-Resilient Industrial Control Systems. IoT 2025, 6, 56. [Google Scholar] [CrossRef]
  30. Brohi, S.; Mastoi, Q.-U.-A. AI Under Attack: Metric-Driven Analysis of Cybersecurity Threats in Deep Learning Models for Healthcare Applications. Algorithms 2025, 18, 157. [Google Scholar] [CrossRef]
  31. Mohamed Mohideen, M.A.; Nadeem, M.S.; Hardy, J.; Ali, H.; Tariq, U.U.; Sabrina, F.; Waqar, M.; Ahmed, S. Behind the Code: Identifying Zero-Day Exploits in WordPress. Future Internet 2024, 16, 256. [Google Scholar] [CrossRef]
  32. Berrios Vasquez, S.I.; Hermosilla Monckton, P.A.; Leiva Muñoz, D.I.; Allende, H. Zero-Day Threat Mitigation via Deep Learning in Cloud Environments. Appl. Sci. 2025, 15, 7885. [Google Scholar] [CrossRef]
  33. Shastry, A.S.; Shreyas, M.P.; Karthik, R.; Chinmaya, B.N.; Chethana, H.T.; Sarkar, S. A Comprehensive Linux Log Dataset with Root Cause and Remediation for Security Analysis. In Proceedings of the 2025 5th International Conference on Pervasive Computing and Social Networking (ICPCSN), Salem, India, 14–16 May 2025; pp. 654–659. [Google Scholar] [CrossRef]
  34. Jeyaram, A.; Muthukumaravel, A. Detect, Analyze, Act: Advancing Cybersecurity Investigations with Data Engineering and AI. In Proceedings of the 2024 Asian Conference on Intelligent Technologies (ACOIT), Kolar, India, 6–7 September 2024; pp. 1–6. [Google Scholar] [CrossRef]
  35. Hong, S.; Yue, T.; You, Y.; Lv, Z.; Tang, X.; Hu, J.; Yin, H. A Resilience Recovery Method for Complex Traffic Network Security Based on Trend Forecasting. Int. J. Intell. Syst. 2025, 2025, 3715086. [Google Scholar] [CrossRef]
  36. abuse.ch. MalwareBazaar. Available online: https://bazaar.abuse.ch/ (accessed on 24 August 2025).
  37. VirusTotal. VirusTotal—Free Online Virus, Malware and URL Scanner. Available online: https://www.virustotal.com/ (accessed on 15 August 2025).
  38. GNU File. File—Determine File Type. Available online: https://www.darwinsys.com/file/ (accessed on 15 August 2025).
  39. GNU Binutils Strings. Strings—Print the Strings of Printable Characters in Files. Available online: https://sourceware.org/binutils/docs/binutils/strings.html (accessed on 15 August 2025).
  40. Vector 35. Binary Ninja—Reverse Engineering Platform. Available online: https://binary.ninja/ (accessed on 15 August 2025).
  41. Winitor. Pestudio—Malware Analysis Tool. Available online: https://www.winitor.com/ (accessed on 15 August 2025).
  42. YARA. YARA—The Pattern Matching Swiss Knife for Malware Researchers. Available online: https://virustotal.github.io/yara/ (accessed on 15 August 2025).
  43. wxHexEditor. wxHexEditor—Free Hex Editor. Available online: https://sourceforge.net/projects/wxhexeditor/ (accessed on 15 August 2025).
  44. Censys. Censys—Search Engine for Internet-Connected Devices. Available online: https://censys.io/ (accessed on 15 August 2025).
  45. Shodan. Shodan—The Search Engine for the Internet of Things. Available online: https://www.shodan.io/ (accessed on 15 August 2025).
  46. Microsoft Sysinternals. Process Monitor (Procmon). Available online: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon (accessed on 15 August 2025).
  47. Microsoft Sysinternals. Sysmon—System Monitor. Available online: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon (accessed on 15 August 2025).
  48. Wireshark Foundation. Wireshark—Network Protocol Analyzer. Available online: https://www.wireshark.org/ (accessed on 15 August 2025).
  49. Regshot. Regshot—Registry Compare Utility. Available online: https://sourceforge.net/projects/regshot/ (accessed on 15 August 2025).
  50. Mandiant. FakeNet-NG—Dynamic Network Analysis Tool. Available online: https://github.com/mandiant/flare-fakenet-ng (accessed on 15 August 2025).
  51. Widiyasono, N.; Selamat, S.R.; Rizal, R.; Fidayan, A.; Mulyani, S.R.; Risnanto, S. Advanced Malware Analysis Methods: Behaviour-Based Detection and Reverse Engineering. In Proceedings of the 2024 18th International Conference on Telecommunication Systems, Services, and Applications (TSSA), Bali, Indonesia, 17–18 October 2024; pp. 1–5. [Google Scholar] [CrossRef]
  52. Choudhary, V.; Singh, S.; Atrey, S.; Kumar, A.; Kalita, S. A Custom Sandbox for Malware Threat Analysis to Safeguard Infrastructure. In Proceedings of the 2025 3rd International Conference on Disruptive Technologies (ICDT), Greater Noida, India, 7–8 March 2025; pp. 471–475. [Google Scholar] [CrossRef]
  53. Rahman, R.U.; Acharya, A.; Deb, S.; Panchal, P. Dynamic Forensic Analysis of CryptBot Malware. In Proceedings of the 2025 IEEE 14th International Conference on Communication Systems and Network Technologies (CSNT), Bhopal, India, 7–9 March 2025; pp. 376–383. [Google Scholar] [CrossRef]
  54. Sinha, A.K.; Sai, S. Integrated Malware Analysis Sandbox for Static and Dynamic Analysis. In Proceedings of the 2023 14th International Conference on Computing Communication and Networking Technologies (ICCCNT), Delhi, India, 6–8 July 2023; pp. 1–5. [Google Scholar] [CrossRef]
  55. Kamdan; Pratama, Y.; Munzi, R.S.; Mustafa, A.B.; Kharisma, I.L. Static Malware Detection and Classification Using Machine Learning: A Random Forest Approach. Eng. Proc. 2025, 107, 76. [Google Scholar] [CrossRef]
  56. Khalda, K.; Wibowo, D.K. Analisis Perilaku Malware Menggunakan Pendekatan Analisis Statis dan Dinamis. J. Sains Nalar Dan Apl. Teknol. Inf. 2025, 4, 1–8. [Google Scholar] [CrossRef]
  57. Syeda, D.Z.; Asghar, M.N. Dynamic Malware Classification and API Categorisation of Windows Portable Executable Files Using Machine Learning. Appl. Sci. 2024, 14, 1015. [Google Scholar] [CrossRef]