MalwareScope is a defensive cybersecurity project built by Prakhar Shakya, a cybersecurity student, to analyze suspicious files using static malware analysis techniques and an isolated virtual machine workflow.
The project performs file hashing, file type detection, string extraction, YARA rule scanning, Windows PE analysis, import table inspection, entropy analysis, heuristic risk scoring, and structured report generation in both JSON and HTML formats.
This project is designed for educational, defensive, and research purposes only.
Prakhar Shakya
Btech CSE: Cybersecurity
GitHub: https://github.com/Suspecting
LinkedIn: https://www.linkedin.com/in/shakyaprakhar
MalwareScope helps analyze suspicious files without directly executing them on the host machine. It focuses on static malware analysis, which means it inspects the file’s structure, strings, metadata, indicators, and suspicious patterns without running the file.
The project also includes a safe virtual machine workflow for controlled dynamic analysis using a Windows VM, host-only networking, monitoring tools, and snapshot rollback.
- MD5, SHA1, and SHA256 hash generation
- File type identification
- Readable string extraction
- Suspicious string detection
- YARA rule-based scanning
- Windows PE file analysis
- PE header inspection
- Import table extraction
- Section entropy analysis
- Heuristic malware risk scoring
- JSON report generation
- HTML report generation
- Isolated VirtualBox malware lab setup
- Host-only networking for safe VM isolation
- Snapshot rollback workflow for repeatable analysis
| Category | Tools / Technologies |
|---|---|
| Programming Language | Python |
| Malware Analysis | Static Analysis, PE Analysis, YARA |
| Python Libraries | pefile, yara-python, python-magic, rich |
| Virtualization | VirtualBox |
| Guest OS | Windows Analysis VM |
| Host OS | Kali Linux |
| Reporting | JSON, HTML |
| Network Safety | Host-only Adapter |
| Monitoring Tools | Sysinternals Suite, Regshot, TCPView, Procmon |
```
MalwareScope/
│
├── analyzer.py          # Main analysis engine
├── pe_analyzer.py       # Windows PE file analysis
├── yara_scanner.py      # YARA scanning module
├── risk_score.py        # Risk scoring logic
├── html_report.py       # HTML report generator
├── README.md            # Project documentation
├── .gitignore           # Prevents samples/reports from being uploaded
│
├── rules/
│   └── suspicious_strings.yar
│
├── samples/
│   └── README.md
│
└── reports/
    ├── README.md
    └── html/
```

MalwareScope follows this analysis pipeline:
```
Input File
│
├── Calculate Hashes
│   ├── MD5
│   ├── SHA1
│   └── SHA256
│
├── Detect File Type
│
├── Extract Readable Strings
│
├── Search Suspicious Indicators
│   ├── cmd.exe
│   ├── powershell
│   ├── wscript
│   ├── http://
│   ├── VirtualAlloc
│   ├── WriteProcessMemory
│   └── CreateRemoteThread
│
├── Run YARA Rules
│
├── Analyze PE Structure
│   ├── Entry Point
│   ├── Image Base
│   ├── Sections
│   ├── Imports
│   └── Entropy
│
├── Calculate Risk Score
│
└── Generate Reports
    ├── Terminal Output
    ├── JSON Report
    └── HTML Report
```

MalwareScope uses a heuristic-based scoring system.
| Score Range | Verdict |
|---|---|
| 0 - 34 | Low Risk |
| 35 - 69 | Suspicious |
| 70 - 100 | High Risk |
The risk score is based on indicators such as:
- Suspicious strings
- YARA rule matches
- Suspicious Windows API imports
- High entropy PE sections
- Possible packing or encryption indicators
- Command execution strings
- Network-related strings
- Registry modification indicators
MalwareScope checks for strings and APIs commonly seen in suspicious Windows binaries, such as:

```
cmd.exe
powershell
wscript
cscript
schtasks
reg add
http://
https://
VirtualAlloc
VirtualProtect
WriteProcessMemory
CreateRemoteThread
GetProcAddress
LoadLibrary
URLDownloadToFile
InternetOpen
```

These indicators do not automatically prove that a file is malware. They help identify files that require deeper analysis.
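The following is an added example of the static part of the pipeline described above (hashing, string extraction, indicator matching, heuristic scoring, JSON output). It is not MalwareScope's own code: the indicator strings and the 0-34 / 35-69 / 70-100 verdict bands come from this README, while the function names, the category grouping and the per-category weights are assumptions chosen for the example. Each matched category counts once, so a file that repeats `cmd.exe` a thousand times does not score higher than one that mentions it once.

```python
import hashlib
import json
import re

# Indicator strings from the README, grouped by the categories the risk score mentions.
# The weights are assumptions for this example, not MalwareScope's values.
INDICATORS = {
    "command_execution": (["cmd.exe", "powershell", "wscript", "cscript", "schtasks"], 15),
    "network": (["http://", "https://", "URLDownloadToFile", "InternetOpen"], 10),
    "injection_api": (["VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
                       "CreateRemoteThread"], 20),
    "dynamic_resolution": (["GetProcAddress", "LoadLibrary"], 10),
    "registry": (["reg add"], 10),
}


def compute_hashes(data: bytes) -> dict:
    # MD5 and SHA1 are kept only for matching against older intel feeds; SHA256 is the identity.
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    # Runs of printable ASCII of at least min_len bytes, the same idea as the `strings` tool.
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_indicators(strings: list) -> dict:
    # Case-insensitive substring match; returns {category: [matched indicators]}.
    blob = "\n".join(strings).lower()
    hits = {}
    for category, (patterns, _weight) in INDICATORS.items():
        found = [p for p in patterns if p.lower() in blob]
        if found:
            hits[category] = found
    return hits


def risk_score(hits: dict, yara_matches: int = 0, high_entropy_sections: int = 0) -> tuple:
    # Each matched category adds its weight once; YARA hits and high-entropy
    # sections add on top, capped so two of either saturate. Clamp to 100.
    score = sum(INDICATORS[c][1] for c in hits)
    score += 25 * min(yara_matches, 2)
    score += 15 * min(high_entropy_sections, 2)
    score = min(score, 100)
    if score >= 70:
        verdict = "High Risk"
    elif score >= 35:
        verdict = "Suspicious"
    else:
        verdict = "Low Risk"
    return score, verdict


def analyze(data: bytes, filename: str, yara_matches: int = 0,
            high_entropy_sections: int = 0) -> dict:
    strings = extract_strings(data)
    hits = find_indicators(strings)
    score, verdict = risk_score(hits, yara_matches, high_entropy_sections)
    reasons = [f"{cat.replace('_', ' ')} strings detected: {', '.join(found)}"
               for cat, found in hits.items()]
    if yara_matches:
        reasons.append(f"{yara_matches} YARA rule match(es)")
    if high_entropy_sections:
        reasons.append(f"{high_entropy_sections} high-entropy PE section(s)")
    return {
        "file_name": filename,
        "size": len(data),
        "hashes": compute_hashes(data),
        "string_count": len(strings),
        "indicators": hits,
        "score": score,
        "verdict": verdict,
        "reasons": reasons,
    }


# Constructed sample input: the contents of the harmless test file this README suggests.
SAMPLE = b"powershell cmd.exe http://example.com VirtualAlloc WriteProcessMemory\n"

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE, "test.txt", yara_matches=1), indent=2))
```

With one YARA match the constructed sample scores 70 (High Risk), matching the sample output shown later in this README; without the YARA match it scores 45 (Suspicious), which is the kind of borderline result the "needs deeper analysis" note above refers to.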
This project uses a defensive malware analysis safety model.
The recommended lab setup is:
```
Kali Linux Host
│
├── MalwareScope Static Analyzer
├── YARA Rules
├── JSON/HTML Reports
├── Packet Capture Tools
│
└── Isolated Windows VM
    ├── Host-only Network
    ├── Sysinternals Tools
    ├── Regshot
    ├── TCPView
    ├── Process Monitor
    └── Snapshot Rollback
```

Recommended VM safety settings:

```
Network: Host-only Adapter
Shared Clipboard: Disabled
Drag and Drop: Disabled
Shared Folders: Disabled
USB Passthrough: Disabled
Internet Access: Disabled
Snapshot: clean_state
```

Example host-only network configuration:
| Machine | IP Address |
|---|---|
| Kali Host | 192.168.56.1 |
| Windows VM | 192.168.56.101 |
VirtualBox adapter setting:

```
Attached to: Host-only Adapter
Name: vboxnet0
Promiscuous Mode: Deny
Cable Connected: Yes
```

Windows VM static IPv4 configuration:

```
IP Address: 192.168.56.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.56.1
DNS Server: 192.168.56.1
```

Basic connectivity test:

```bash
ping 192.168.56.101
```

From Windows VM:

```
ping 192.168.56.1
```

Clone the repository:

```bash
git clone https://github.com/Suspecting/MalwareScope.git
cd MalwareScope
```

Create a Python virtual environment:

```bash
python3 -m venv venv
source venv/bin/activate
```

Install dependencies:

```bash
pip install pefile yara-python python-magic rich
```

On Kali/Linux, if python-magic does not work correctly, install system dependencies:

```bash
sudo apt update
sudo apt install -y libmagic1
```

Run MalwareScope on a file:

```bash
python analyzer.py samples/test.txt
```

Example:

```bash
python analyzer.py samples/suspicious_file.exe
```

After analysis, MalwareScope generates:

- Terminal summary
- JSON report
- HTML report

Reports are saved inside:

```
reports/
reports/html/
```

To test the analyzer safely, create a harmless file with suspicious-looking strings:

```bash
echo "powershell cmd.exe http://example.com VirtualAlloc WriteProcessMemory" > samples/test.txt
```

Run:

```bash
python analyzer.py samples/test.txt
```

This file is not malware. It is only used to test detection logic.
```
MalwareScope Analysis Report - test.txt

File Summary
File Name: test.txt
File Type: ASCII text
SHA256: 8f1c...

Risk Assessment
Score: 70/100
Verdict: High Risk

Reasons:
- Suspicious strings detected
- YARA matches detected

Full JSON report saved to: reports/<hash>.json
HTML report saved to: reports/html/<hash>.html
```

MalwareScope generates a browser-friendly HTML report containing:
- Risk score
- Verdict
- File metadata
- Hashes
- YARA matches
- PE section information
- Suspicious strings
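One point worth making about the HTML report: everything in it (suspicious strings, section names, rule names) was extracted from a file the analyst already distrusts, and the report is opened in a browser. The added example below is not MalwareScope's `html_report.py`; it shows how a report generator of this shape can render untrusted values safely, by escaping every value with `html.escape`, adding a Content-Security-Policy meta tag that blocks scripts, and naming the output file by hash (as this README's `reports/html/<hash>.html` does) rather than by the sample's own name. The report dictionary, its keys and the hash placeholders are constructed for the example.

```python
import html
import re
from pathlib import Path


def render_html_report(report: dict) -> str:
    # Every value that came from the analyzed file is untrusted: escape it so a
    # sample containing "<script>" cannot run in the analyst's browser.
    def esc(value) -> str:
        return html.escape(str(value), quote=True)

    hashes = "".join(f"<tr><th>{esc(k)}</th><td>{esc(v)}</td></tr>"
                     for k, v in report["hashes"].items())
    yara = "".join(f"<li>{esc(r)}</li>" for r in report["yara_matches"])
    sections = "".join(f"<tr><td>{esc(s['name'])}</td><td>{esc(s['entropy'])}</td></tr>"
                       for s in report["pe_sections"])
    suspicious = "".join(f"<li>{esc(s)}</li>" for s in report["suspicious_strings"])
    # The CSP forbids all script, so even a missed escape cannot execute anything.
    return f"""<!DOCTYPE html>
<html><head><meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'">
<title>MalwareScope Report - {esc(report['file_name'])}</title>
<style>body{{font-family:sans-serif}} table{{border-collapse:collapse}} td,th{{border:1px solid #999;padding:4px}}</style>
</head><body>
<h1>MalwareScope Report - {esc(report['file_name'])}</h1>
<p>Score: <strong>{esc(report['score'])}/100</strong> Verdict: <strong>{esc(report['verdict'])}</strong></p>
<p>File type: {esc(report['file_type'])}</p>
<table>{hashes}</table>
<h2>YARA matches</h2><ul>{yara}</ul>
<h2>PE sections</h2><table><tr><th>Name</th><th>Entropy</th></tr>{sections}</table>
<h2>Suspicious strings</h2><ul>{suspicious}</ul>
</body></html>
"""


def report_path(base_dir: str, sha256: str) -> Path:
    # Name the file by hash, never by the sample's file name, so a sample called
    # "../../evil.html" cannot steer the write outside reports/html/.
    if not re.fullmatch(r"[0-9a-f]{64}", sha256):
        raise ValueError("expected a lowercase hex SHA256 digest")
    return Path(base_dir) / "html" / f"{sha256}.html"


# Constructed report, including two hostile strings of the kind a sample might carry.
SAMPLE_REPORT = {
    "file_name": "test.txt",
    "file_type": "ASCII text",
    "score": 70,
    "verdict": "High Risk",
    "hashes": {"md5": "<md5 placeholder>", "sha256": "<sha256 placeholder>"},
    "yara_matches": ["Suspicious_Strings_Test"],
    "pe_sections": [{"name": ".text", "entropy": 4.21}],
    "suspicious_strings": ["cmd.exe", "powershell",
                           '<script>alert("report")</script>',
                           '<img src=x onerror="alert(1)">'],
}

if __name__ == "__main__":
    page = render_html_report(SAMPLE_REPORT)
    out = report_path("reports", "0" * 64)  # placeholder digest for the demo
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(page, encoding="utf-8")
    print(f"wrote {out}")
```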
Open the report with:
```bash
xdg-open reports/html/*.html
```

Example YARA rule used by MalwareScope:

```yara
rule Suspicious_Strings_Test
{
    meta:
        description = "Detects suspicious command and network strings"
        author = "MalwareScope"
    strings:
        $cmd = "cmd.exe" nocase
        $powershell = "powershell" nocase
        $http = "http://" nocase
        $virtualalloc = "VirtualAlloc" ascii wide
        $writeprocessmemory = "WriteProcessMemory" ascii wide
    condition:
        any of them
}
```

YARA rules are stored in:

```
rules/
```

MalwareScope currently supports the following static analysis features:

The analyzer calculates:

- MD5
- SHA1
- SHA256

These hashes help identify files and compare them against threat intelligence databases.
The analyzer extracts readable ASCII strings from files and checks for suspicious indicators.
For Windows executable files, MalwareScope extracts:

- Entry point
- Image base
- Machine type
- Number of sections
- Section names
- Section raw size
- Section virtual size
- Section entropy
- Imported DLLs
- Imported functions

High entropy sections may indicate:

- Packing
- Compression
- Encryption
- Obfuscation

High entropy alone does not confirm malware, but it is useful as a suspicious signal.
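To show what the PE fields listed above actually are on disk, here is an added example that parses them with nothing but the standard library (MalwareScope itself uses `pefile`; this is not its code). It walks the DOS header to `e_lfanew`, checks the `PE\0\0` signature, reads the COFF header and the optional header (both PE32 and PE32+ image bases), then walks the section table and computes Shannon entropy over each section's raw bytes. Imports are left to `pefile`, since resolving them needs the data directories. The sample image is constructed in `build_sample_pe()`: it is not loadable, just enough headers for the parser, with one constant `.text` section and one `.packed` section of deterministic pseudo-random bytes standing in for packed or encrypted content. The 7.0 entropy threshold is an assumption for this example.

```python
import math
import random
import struct

HIGH_ENTROPY_THRESHOLD = 7.0  # assumed cut-off for this example, not MalwareScope's


def shannon_entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes.
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    # DOS header -> PE signature -> COFF header -> optional header -> section table.
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    if magic == 0x10B:                                      # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                    # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[rawptr:rawptr + rawsize]                 # truncated files give a short slice
        ent = shannon_entropy(raw)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "entropy": round(ent, 2),
                         "high_entropy": ent >= HIGH_ENTROPY_THRESHOLD})
    return {"machine": hex(machine), "entry_point": hex(entry), "image_base": hex(image_base),
            "number_of_sections": nsections, "sections": sections}


def build_sample_pe() -> bytes:
    # Constructed, non-loadable PE32 image: headers plus two sections.
    rng = random.Random(1234)
    text_data = b"\x90" * 512                                   # constant bytes, entropy 0
    packed_data = bytes(rng.getrandbits(8) for _ in range(4096))  # imitates packed content
    opt_size, text_ptr = 96, 0x200
    packed_ptr = text_ptr + len(text_data)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)  # i386, 2 sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase

    def section(name, vsize, vaddr, rawsize, rawptr, chars):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize,
                                                  rawptr, 0, 0, 0, 0, chars)

    table = (section(b".text", 0x200, 0x1000, len(text_data), text_ptr, 0x60000020)
             + section(b".packed", 0x1000, 0x2000, len(packed_data), packed_ptr, 0xE0000040))
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + table)
    image += b"\0" * (text_ptr - len(image))
    return bytes(image + text_data + packed_data)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], info["entry_point"], info["image_base"], info["number_of_sections"])
    for s in info["sections"]:
        print(f"{s['name']:<8} raw={s['raw_size']:<6} entropy={s['entropy']:.2f} high={s['high_entropy']}")
```

The `.packed` section comes out near 8 bits per byte and is flagged, while `.text` scores 0. Real code sections typically sit around 5 to 6.5, which is why a threshold near 7 is common; a legitimately compressed resource section will also trip it, which is the "suspicious signal, not proof" point made above.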
YARA rules allow MalwareScope to match known patterns and suspicious indicators inside files.
MalwareScope is primarily a static analyzer, but it is designed to work alongside an isolated Windows VM for safe dynamic analysis.
Recommended workflow:
1. Restore Windows VM to clean_state snapshot
2. Start packet capture on Kali
3. Open Procmon inside Windows VM
4. Open Process Explorer inside Windows VM
5. Take Regshot snapshot 1
6. Execute only safe or authorized test sample
7. Observe process, registry, file, and network behavior
8. Take Regshot snapshot 2
9. Compare registry changes
10. Save logs
11. Shut down VM
12. Restore clean_state snapshot

Packet capture example:

```bash
sudo tcpdump -i vboxnet0 -w reports/vm_capture.pcap
```
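Once the capture from the workflow above exists, the question a defender wants answered is whether the host-only boundary actually held: every packet in `reports/vm_capture.pcap` should have both endpoints inside 192.168.56.0/24. The added example below (not MalwareScope's code; the planned Scapy integration would do this more fully) reads a classic pcap file with the standard library, decodes Ethernet/IPv4 headers, and lists packets with an endpoint outside the lab subnet. It assumes the classic pcap format that `tcpdump -w` writes and link type 1 (Ethernet); the three-packet capture in `build_sample_pcap()` is constructed for the demo.

```python
import ipaddress
import struct
import sys

LAB_NET = ipaddress.ip_network("192.168.56.0/24")  # host-only subnet used in this README


def _ipv4_packets(pcap: bytes):
    # Minimal classic-pcap reader (link type 1 = Ethernet); yields (src, dst, proto).
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants unsupported)")
    linktype = struct.unpack_from(end + "I", pcap, 20)[0]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        proto = frame[14 + 9]
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        yield src, dst, proto


def find_leaks(pcap: bytes) -> list:
    # Any packet with an endpoint outside the host-only network means the VM
    # could reach (or be reached from) something the lab design says it cannot.
    # Broadcasts such as DHCP would also show up here; the VM uses a static IP.
    return [(str(src), str(dst), proto)
            for src, dst, proto in _ipv4_packets(pcap)
            if src not in LAB_NET or dst not in LAB_NET]


def _frame(src: str, dst: str, proto: int) -> bytes:
    # Constructed Ethernet + IPv4 header with no payload; enough for the reader above.
    eth = bytes.fromhex("080027000001") + bytes.fromhex("080027000002") + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack(">HHHBBH", 20, 0, 0, 64, proto, 0) \
        + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return eth + ip


def build_sample_pcap() -> bytes:
    # Classic little-endian pcap header: magic, 2.4, zone 0, sigfigs 0, snaplen, Ethernet.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [_frame("192.168.56.101", "192.168.56.1", 1),   # VM pings the Kali host
              _frame("192.168.56.1", "192.168.56.101", 1),   # host replies
              _frame("192.168.56.101", "8.8.8.8", 17)]       # VM tries to reach the internet
    out = bytearray(header)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    # Usage: python check_isolation.py reports/vm_capture.pcap (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    leaks = find_leaks(data)
    for src, dst, proto in leaks:
        print(f"LEAK {src} -> {dst} proto={proto}")
    print("isolation held" if not leaks else f"{len(leaks)} packet(s) crossed the lab boundary")
```

An empty result after a full dynamic run is the evidence that the host-only adapter and the disabled-internet setting are doing their job; a non-empty one means the lab configuration, not the sample, needs attention before the next run.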
Screenshots are here:

```
screenshots/
├── terminal-output.png
├── html-report1.png
├── html-report-scrolled.png
├── procmon.png
└── test-malware.png
```

Suggested screenshots:
- Terminal output of MalwareScope analysis
- HTML report in browser
- VirtualBox host-only adapter configuration
- Windows VM clean snapshot
- Project folder structure
MalwareScope is a student cybersecurity project and does not replace professional malware analysis platforms.
Current limitations:
- It does not execute malware automatically
- It does not include full behavioral sandbox automation yet
- It does not perform memory forensics
- It does not unpack advanced packed malware
- It does not submit hashes to online threat intelligence APIs
- Heuristic scoring may produce false positives
Planned improvements:
- Add PDF and Office macro analysis
- Add VirusTotal hash lookup integration
- Add Cuckoo/CAPE Sandbox integration
- Add INetSim-based fake internet environment
- Add SQLite database for analysis history
- Add web dashboard using Flask or FastAPI
- Add PDF report generation
- Add Sigma/Sysmon log parsing
- Add PCAP parsing with Scapy
- Add machine learning-based file classification
- Add Dockerized deployment for the analyzer
MalwareScope - Malware Analysis Sandbox
Developed a defensive malware-analysis sandbox using Python, YARA rules, PE metadata extraction, import table inspection, string analysis, file hashing, entropy checks, and heuristic risk scoring. Generated structured JSON and HTML reports and configured an isolated VirtualBox Windows VM with host-only networking and snapshot rollback for controlled dynamic analysis.
This project demonstrates practical knowledge of:
- Malware Analysis
- Static Analysis
- YARA Rule Writing
- Python Scripting
- Windows PE Format
- Hashing
- Threat Indicators
- VirtualBox Networking
- Sandbox Isolation
- Cybersecurity Reporting
- Linux
- Kali Linux
- Windows Internals Basics
- Digital Forensics Basics

This project is created strictly for educational and defensive cybersecurity purposes.
Do not use this project to analyze, execute, distribute, modify, or deploy malware outside of a legal and controlled environment. Do not upload malware samples, sensitive files, private reports, or malicious code to public repositories.
The author is not responsible for misuse of this project.
This project is released for educational use. You may modify and improve it for learning, research, and defensive cybersecurity practice.
MIT License
Copyright (c) [2026] [Suspecting]
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "MalwareScope"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.