afacool/malware_analyzer.py — explained in plain English
Analysis updated 2026-05-18
Quickly screen a suspicious .exe file for malware indicators before opening it.
Learn the techniques professional malware analysts use to inspect Windows executables.
Cross-check a file's hash against 70+ antivirus engines through VirusTotal integration.
| afacool/malware_analyzer.py | 0xhassaan/nn-from-scratch | 3ks/embedoc | |
|---|---|---|---|
| Stars | 0 | 0 | — |
| Language | Python | Python | Python |
| Last pushed | — | — | 2023-06-08 |
| Maintenance | — | — | Dormant |
| Setup difficulty | easy | moderate | hard |
| Complexity | 2/5 | 4/5 | 1/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Just pip install pefile rich requests, then run against a file, VirusTotal lookup needs a free API key.
This tool examines Windows program files, the .exe and .dll files that run on Windows computers, and looks for signs that they might be malicious, without actually running the file. This kind of inspection is called static analysis, meaning the program only reads the file's contents and structure rather than executing it and watching what it does. It works by pulling apart the file's internal structure, the same format Windows itself uses to understand how to load and run a program, and checking several warning signs at once. It measures how random the file's data looks, since malware is often compressed or scrambled to hide its real contents, which shows up as unusually high randomness. It also checks for known tools that pack or protect files in ways commonly used to evade detection, and it scans the list of Windows system functions the program plans to call, flagging combinations often used for things like injecting code into other programs, logging keystrokes, or covertly connecting out to the internet. On top of that, it searches the file's readable text for suspicious patterns like hardcoded server addresses, references to known hacking tools, or commands that try to hide their own tracks. Optionally, it can also check the file's cryptographic fingerprint against VirusTotal, a service that scans files using more than seventy different antivirus engines at once. All of these checks feed into a single risk score from zero to one hundred, with a color coded verdict ranging from clean to high risk, along with a full breakdown of exactly which signals contributed to that score. Results can be saved as a structured JSON file for further processing. The tool is honest about its limits: since it never actually runs the file, it cannot see what the program would really do if executed, such as making network connections or changing system settings, and clever malware can sometimes hide from this kind of inspection. The author recommends pairing it with sandbox tools that do watch real behavior for a fuller picture. It requires Python and a few extra packages to install, and its stated purpose is educational and defensive security work on files you own or have permission to examine. It is released under the MIT license.
A command-line tool that statically inspects Windows exe and dll files for malware indicators, producing a 0-100 risk score without ever running the file.
Mainly Python. The stack also includes Python, pefile, rich.
Free to use, modify, and distribute for any purpose.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.