⚠️ Pracivo Security Lab — All samples are COMPLETELY SAFE text files. No real malware. For learning static analysis techniques only.
> PE Header Analysis
# PE (Portable Executable) format is the Windows .exe/.dll format
# The header reveals a lot before you even run the file
# Tool: PEStudio (free) — drag and drop any .exe
# Key sections to check:
# 1. Imports (DLLs and functions the malware uses):
# - kernel32.dll: basic Windows functions
# - advapi32.dll: registry, encryption, services
# - wininet.dll: network/internet functions
# - ws2_32.dll: raw sockets (network)
# - ntdll.dll: low-level NT functions (often used for evasion)
# 2. Compile timestamp:
# - Very recent = possibly new malware
# - 1970 or 2037 = timestamp was wiped (evasion)
# 3. Entropy:
# - Normal code: entropy ~5-6
# - Packed/encrypted: entropy >7 (UPX, custom packer)
# - High entropy section = encrypted payload inside
# 4. Sections:
# Normal PE: .text (code), .data (variables), .rsrc (resources)
# Suspicious: .pack, .upx, or random section names = packed malware
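# Added worked example (not part of the original lab notes, not PEStudio code): a small
# Python script that reads the same header fields the notes above point at (COFF
# timestamp, section names, per-section Shannon entropy) straight from the bytes with
# the standard library, then applies the timestamp / entropy / section-name checks.
# The "recent = last 30 days" window, the "future" timestamp category and the UPX0/UPX1/UPX2
# names (the section names the real UPX packer writes) are assumptions beyond the notes.
# The sample PE is constructed in memory and is not executable; import parsing is left
# out because it needs the optional header and RVA-to-offset mapping.

```python
import math
import struct
from datetime import datetime, timedelta, timezone

# Section names associated with packers: ".pack" and ".upx" from the notes above,
# UPX0/UPX1/UPX2 are the names the real UPX packer writes (assumption: added here).
PACKER_SECTION_NAMES = {".pack", ".upx", "upx0", "upx1", "upx2"}
PACKED_ENTROPY_THRESHOLD = 7.0      # from the notes: >7 suggests packed/encrypted
RECENT_WINDOW = timedelta(days=30)  # assumption: "very recent" = built in the last 30 days


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_timestamp(ts: int, now: datetime) -> str:
    """Categorise the COFF TimeDateStamp the way the notes describe."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    if when.year <= 1970 or when.year >= 2037:
        return "wiped"      # zeroed or saturated 32-bit value: linker metadata was scrubbed
    if when > now:
        return "future"     # later than the analysis time, so not a genuine build time
    if now - when <= RECENT_WINDOW:
        return "recent"
    return "normal"


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table (optional header is skipped)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total)
    _machine, nsections, ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # Each section header is 40 bytes; we only need name, sizes and raw-data pointer
        name_raw, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        name = name_raw.rstrip(b"\0").decode("ascii", "replace")
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size, "entropy": round(shannon_entropy(body), 2)})
    return {"timestamp": ts, "sections": sections}


def analyze(data: bytes, now: datetime) -> dict:
    """Apply the timestamp, section-name and entropy checks from the notes; findings are strings."""
    pe = parse_pe(data)
    findings = []
    ts_class = classify_timestamp(pe["timestamp"], now)
    if ts_class != "normal":
        findings.append(f"timestamp:{ts_class}")
    for s in pe["sections"]:
        if s["name"].lower() in PACKER_SECTION_NAMES:
            findings.append(f"section-name:{s['name']}")
        if s["entropy"] > PACKED_ENTROPY_THRESHOLD:
            findings.append(f"high-entropy:{s['name']}={s['entropy']}")
    return {**pe, "timestamp_class": ts_class, "findings": findings}


def build_sample_pe(sections, timestamp: int) -> bytes:
    """Construct a minimal, non-executable PE image in memory (test input only, not a real binary)."""
    header_len = 0x40 + 4 + 20 + 40 * len(sections)      # DOS stub + signature + COFF + section table
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C points just past the stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)  # no optional header
    table, bodies, ptr = b"", b"", header_len
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(body), 0x1000, len(body), ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        ptr += len(body)
    return dos + b"PE\0\0" + coff + table + bodies


# Constructed sample: a "code" section using 64 distinct byte values (entropy exactly 6.0),
# a low-entropy data section, and a UPX1 section of uniformly distributed bytes (entropy 8.0).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECTIONS = [
    (".text", bytes(i % 64 for i in range(4096))),
    (".data", b"ABCD" * 256),
    ("UPX1", bytes(range(256)) * 16),
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS, timestamp=0)  # 0 == 1970-01-01, i.e. a wiped timestamp

if __name__ == "__main__":
    for line in analyze(SAMPLE_PE, NOW)["findings"]:
        print(line)
```

# On the constructed sample this reports a wiped timestamp, the packer section name UPX1 and
# an entropy of 8.0 for that section; the .text section lands at 6.0, inside the "normal code"
# band the notes give. Entropy is a per-section signal: a single high-entropy .rsrc holding a
# compressed image is not evidence on its own, so read it together with the section names and imports.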
# Practice with PEStudio:
# 1. Download from: https://www.winitor.com
# 2. Drag any .exe onto it
# 3. Check: imports, entropy, strings, VirusTotal score