A learning + portfolio repository documenting hands-on malware analysis work, built around a reusable, defensive static-analysis pipeline pattern.
Defensive & educational scope. Everything here is for understanding and defending against malicious software. The labs are deliberately theoretical/simulated — no real malware is provided or executed. The scripts read a file's bytes and report observable indicators; they never run the sample.
malware-analysis/
├── README.md ← you are here
├── .gitignore
├── part-one/ ← COMPLETE
│ ├── README.md Part 1 overview + how to run
│ ├── docs/
│ │ └── documentation.md Full unit study guide (concepts → workflow → glossary)
│ ├── pseudocode/
│ │ └── static-analysis-pipeline.md Reusable, language-agnostic pattern
│ └── code/
│ ├── basic_analysis.py Technical lesson — analyzes "suspicious.bin"
│ └── pdf_analysis.py Graded lab — analyzes "suspicious.pdf"
└── part-two/ ← PENDING (placeholder)
└── README.md
| Part | Topic | Status |
|---|---|---|
| Part One | Introduction to malware analysis; static vs. dynamic; automating basic static analysis in Python | ✅ Complete |
| Part Two | To be added | ⏳ Pending |
All the static-analysis code in this repo is the same five-stage pipeline, just pointed at different artifacts:
Acquire → Extract → Fingerprint → Detect → Report
(read (printable (MD5 + (keyword (readable
bytes) strings) SHA-256) scan) summary)
basic_analysis.pyapplies it to a generic binary (suspicious.bin).pdf_analysis.pyapplies it to a PDF (suspicious.pdf) — only the file path and the suspicious-keyword list change.
The pattern itself is documented in
part-one/pseudocode/static-analysis-pipeline.md
so it can be reused for future artifact types.
Requires only the Python 3 standard library (os, re, hashlib) — no third-party installs.
# from the repo root
cd part-one/code
python3 pdf_analysis.py # expects a file named suspicious.pdf in the cwd
python3 basic_analysis.py # expects a file named suspicious.bin in the cwdBecause the labs are simulated, the sample files won't normally exist — the scripts handle that gracefully and print a read-error message instead of crashing.
Eugen Nyongesa — cybersecurity coursework & portfolio.
No license file is included yet. Add one (e.g. MIT) if you want others to reuse the code; until then, default copyright applies.