Malware Analysis Techniques, Tools, and AI Trends

Malware analysis is the discipline of studying malicious software to understand what it does, how it does it, and how to detect and stop it. Good malware analysis turns an unidentified suspicious file into actionable intelligence: specific indicators of compromise, a family classification, and a clear picture of the threat’s actual capabilities, rather than just a generic “malicious” flag from an antivirus engine.

This page covers the three core analytical approaches, the tools researchers actually use for each, and how AI is changing both malware itself and the analysis process used against it.

Static, Dynamic, and Behavioural Analysis

Static analysis examines a sample’s code without ever executing it: reviewing file headers, imported functions, embedded strings, and disassembled instructions. It is fast and inherently safe, but defeated by heavily obfuscated, encrypted, or packed samples designed specifically to resist inspection.

Dynamic analysis runs the sample inside a controlled, isolated sandbox to observe what it actually does in real time: network connections, file changes, registry modifications. Sophisticated malware increasingly detects sandboxed environments and delays or alters its behaviour to evade this analysis.

Behavioural analysis extends dynamic analysis over a longer observation window, often across multiple sandbox runs, specifically to catch malware that deliberately delays malicious activity to defeat a single quick automated pass. Combining all three gives analysts the most complete picture available.

AI Is Changing Both Malware Creation and Malware Analysis

Verizon’s 2026 DBIR, produced in collaboration with Anthropic’s Safeguards Team, documented specific named cases of AI-assisted malware creation. LameHug used Alibaba’s Qwen large language model to generate polymorphic malware on demand — code that changes its own signature on each execution to evade signature-based detection. PromptLock was identified as the first documented AI-generated ransomware. The overall finding: AI is currently a force multiplier on established malware development techniques, not a fundamentally new category of threat.

Generating novel polymorphic variants on demand via an AI model, rather than through a hand-built polymorphic engine, meaningfully lowers the skill and effort barrier for producing malware that evades static signature matching. This increases the practical importance of behavioural analysis specifically: a sample’s signature can now be regenerated trivially, but its underlying behaviour, what it actually tries to do once executed, is considerably harder for an attacker to disguise.

Source: Verizon 2026 Data Breach Investigations Report, produced in collaboration with the Anthropic Safeguards Team.

Malware analysis is the process of studying malicious software to understand its functionality, origin, and impact, in order to support detection, mitigation, and threat intelligence. It typically combines static, dynamic, and behavioural analysis techniques.

Static analysis examines a sample's code, headers, and strings without executing it, making it fast and safe but ineffective against heavily obfuscated samples. Dynamic analysis executes the sample in an isolated sandbox to observe real-time behaviour, revealing what static analysis alone would miss.

Common tools include Ghidra and IDA Pro for static reverse engineering, Cuckoo Sandbox and ANY.RUN for dynamic behavioural analysis, VirusTotal for multi-engine scanning, YARA for pattern-based classification, and Volatility for memory forensics.

Verizon's 2026 DBIR, produced with Anthropic's Safeguards Team, documented cases including LameHug (using Qwen to generate polymorphic malware on demand) and PromptLock (the first documented AI-generated ransomware). AI is currently functioning mainly as a force multiplier on known techniques.

A malware sandbox is an isolated virtual environment where a suspicious file can be safely executed and observed without risk to the host system. Analysts use sandboxes like Cuckoo Sandbox and ANY.RUN to record network connections, file changes, and registry modifications during execution.