Pestudio: Initial malware assessment made simple

Malicious executables often attempt to hide their behavior and evade detection. By doing so, they present anomalies and suspicious patterns. Pestudio is a free tool that allows you to perform an initial assessment of a malware without even infecting a system or studying its code.


Pestudio shows indicators of the analyzed executable

Pestudio works on any Windows machine without installation. Its footprint is zero – it makes no modifications to the system. Since the tool never starts the executable being analyzed, one does not even need a sandbox to analyze malware. There is essentially no risk of infection.

“My motivation for developing Pestudio was to master the inside workings of the executable file format. One of the biggest challenges was to gain a deep understanding of the specification of the executable file format as described by Microsoft. In many aspects, this task was time-consuming. Many elements of the specification are neither intuitive nor fully documented,” Pestudio author Marc Ochsenmeier told Help Net Security.

At the moment Pestudio runs on Linux under Wine, but an upcoming release will provide a native Linux version.

“I want to increase the performance of the tool in order to analyze malware samples in bulk. I’m also considering the numerous requests to provide an interface with Yara, Cuckoo Sandbox, and Malware Attribute Enumeration and Characterization (MAEC),” says Ochsenmeier.