Ridgeline Skill

For IR Practitioners, SOC Analysts, and Threat Hunters

Aligned to MITRE ATT&CK and STIX 2.1

Malware Triage

Focused skills. One thing, learned properly.

Learn to answer every question the IR team needs about a suspicious binary in 30 minutes — without opening a disassembler. Static properties, string analysis, sandbox execution, reputation lookup, and indicator extraction in a repeatable triage workflow.

Content last updated: April 2026

Why take this course

For SOC analysts and IR practitioners who need to make triage decisions on suspicious files without waiting for reverse engineering. You finish able to extract indicators, identify malware families, and produce an IOC list that drives detection and containment — the sorting capability every DFIR team needs between "the EDR alerted" and "send it to the RE team."

What this skill teaches

Malware triage is the 30-minute assessment between "we found a suspicious file" and "here's what the IR team needs to know." It's not reverse engineering — you don't disassemble the binary, trace execution paths, or decode custom protocols. Triage extracts surface-level indicators from file properties, embedded strings, PE structure, sandbox behaviour, and reputation services. Those indicators feed containment decisions, YARA rules, network blocks, and the IR report.

Most practitioners either skip triage entirely (sending the file to a sandbox and waiting) or over-invest (spending hours in IDA Pro when 15 minutes with PEStudio would answer every question the SOC needs). This skill teaches the middle ground — methodical triage that's thorough enough for IR and fast enough for active incidents.

What you will be able to do

1. Examine a suspicious file's static properties — PE headers, section characteristics, imports, strings, embedded resources — and classify it as likely malware, likely benign, or needs further analysis within 15 minutes.

2. Use hash-based reputation lookups across VirusTotal, MalwareBazaar, and threat intelligence platforms to determine if the sample is known, what family it belongs to, and what prior analysis exists.

3. Execute samples safely in a sandbox (ANY.RUN, Triage, Joe Sandbox) and read the behavioural report: process creation, file system changes, registry modifications, network connections, and dropped files.

4. Extract actionable IOCs from both static and behavioural analysis: file hashes, C2 IPs/domains, mutex names, registry paths, dropped file names, user agents — packaged for immediate use by the IR team.

5. Write a triage report that answers the five questions every IR team needs: what is it, what does it do, how bad is it, what should we block, and do we need deeper analysis?

Skill at a glance

Format: Ridgeline Skill — focused, practical, one topic

Sections: 5 content sections + guided lab

Tier: Premium subscription

Prerequisites: Basic understanding of PE file format (if you've seen a file header in a hex editor, you have enough). The Practical IR course gives you the investigation context, and the YARA skill teaches how to turn triage findings into detection rules.

Typical pace: 1-2 weeks at a few hours per week

What you leave with

Triage checklist: A step-by-step static + behavioural triage workflow you can execute against any suspicious file in under 30 minutes.

IOC extraction template: A structured format for packaging indicators from triage — ready to hand to the SOC for blocking or to the detection engineer for rule creation.

Triage report template: The 5-question report format that gives the IR team everything they need to make containment decisions without waiting for a full reverse engineering report.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Sections

Five focused sections plus a guided triage lab. Every sample and report uses the Northgate Engineering investigation thread.

MT0.1
Static Triage: File Properties, Strings, and PE Analysis — File metadata, magic bytes, PE header analysis with PEStudio. Section names, entropy, imports, exports, resources, and manifest. Strings analysis: extracting C2 domains, mutex names, registry paths, error messages. Rich header, compile timestamp, and PDB path as attribution indicators. 10-minute static triage workflow.
MT0.2
Hashing, Reputation, and Threat Intel Lookup — MD5, SHA1, SHA256, imphash, ssdeep (fuzzy hash). VirusTotal: detection ratio, behavioural reports, community comments, relations graph. MalwareBazaar, Hybrid Analysis, and AlienVault OTX. OSINT enrichment: Shodan for C2 infrastructure, URLhaus for distribution URLs. When reputation says "clean" but the file is suspicious — what to do next.
MT0.3
Behavioural Triage: Sandbox Execution and Report Analysis — Submitting samples to ANY.RUN, Triage (Hatching), and Joe Sandbox. Reading the behavioural report: process tree, file system activity, registry changes, network connections, DNS queries, dropped files. What the sandbox misses: environment-aware malware, time-delayed execution, VM detection. Interpreting Suricata and YARA alerts from sandbox output.
MT0.4
Indicator Extraction and IOC Packaging — Extracting IOCs from static and behavioural analysis. File indicators: hashes, filename patterns, file sizes, PE characteristics. Network indicators: C2 IPs, domains, URIs, user agents, JA3/JA3S hashes. Host indicators: mutex names, registry paths, scheduled task names, service names, file paths. Packaging in STIX 2.1, OpenIOC, and CSV for SIEM import. Confidence levels for each indicator type.
MT0.5
Triage Reporting: Enough to Action, Not Enough to Publish — The 5-question triage report: What is it? What does it do? How bad is it? What should we block? Do we need deeper analysis? Writing for the IR team (actionable, specific, decisive) vs writing for threat intelligence (comprehensive, attributed, contextualised). When to stop triaging and escalate to a reverse engineer. Time-boxing: the 30-minute and 2-hour triage gates.
Lab
Guided Lab: Triage the INC-2026-0501 Beacon — You receive the SHA256 hash of the beacon recovered from NE-WS-042. Perform the complete triage workflow: static analysis of PE properties, reputation lookup across VirusTotal and MalwareBazaar, sandbox report analysis, IOC extraction, and triage report. Produce the 5-question report and an IOC package ready for the SOC to deploy as network and endpoint blocks.
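The static pass that MT0.1 and MT0.2 describe, as an added example (not Ridgeline course material): magic bytes, MD5/SHA1/SHA256, the PE section table with per-section entropy, the compile timestamp, and indicator candidates (URLs, domains, IPs, registry paths, mutex names, PDB path) pulled from printable strings. It uses only the standard library, so imphash and ssdeep are left out (they need the pefile and ssdeep packages). The three-section PE image it builds is constructed for the example and is not a real sample; the regexes, section-name list and 7.0 entropy threshold are the assumptions of this example, not values from the course.

```python
"""Static triage of a Windows PE: hashes, magic bytes, section table with entropy,
compile timestamp, and indicator candidates from printable strings.
Added example, standard library only. The sample PE is constructed and does not run."""
import hashlib
import math
import random
import re
import struct
from datetime import datetime, timezone

# Candidate-indicator regexes: deliberately loose, the analyst confirms the hits.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.I)
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|xyz|info|top)\b", re.I)
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(rb"(?:HKLM|HKCU|HKEY_[A-Z_]+)\\[\x20-\x7e]+", re.I)
MUTEX_RE = re.compile(rb"(?:Global|Local)\\[\x21-\x7e]+")
PDB_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]+?\.pdb", re.I)
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".tls", ".pdata"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_FILE_DLL = 0x20000000, 0x80000000, 0x2000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0-8.0); packed or encrypted sections sit above ~7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    for i in range(nsect):
        off = coff + 20 + opt_size + i * 40  # section table follows the optional header
        name, vsize, _, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize,
                         "entropy": round(shannon_entropy(raw), 2),
                         "execute": bool(flags & IMAGE_SCN_MEM_EXECUTE),
                         "write": bool(flags & IMAGE_SCN_MEM_WRITE)})
    return {"machine": hex(machine), "dll": bool(chars & IMAGE_FILE_DLL),
            "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "sections": sections}


def triage(data: bytes, now=None) -> dict:
    """Everything a 10-minute static pass should put in front of the analyst."""
    pe = parse_pe(data)
    blob = b"\n".join(re.findall(rb"[\x20-\x7e]{6,}", data))  # printable runs, 6+ chars

    def find(rx):
        return sorted({m.decode() for m in rx.findall(blob)})

    flags = []
    for s in pe["sections"]:
        if s["entropy"] >= 7.0:
            flags.append(f"section {s['name']} entropy {s['entropy']}: packed or encrypted?")
        if s["execute"] and s["write"]:
            flags.append(f"section {s['name']} is write+execute")
        if s["name"] not in KNOWN_SECTIONS:
            flags.append(f"non-standard section name {s['name']}")
    if datetime.fromisoformat(pe["compile_time"]) > (now or datetime.now(timezone.utc)):
        flags.append("compile timestamp is in the future (forged?)")
    return {"hashes": {h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1", "sha256")},
            "pe": pe,
            "indicators": {"urls": find(URL_RE), "domains": find(DOMAIN_RE), "ipv4": find(IPV4_RE),
                           "registry": find(REG_RE), "mutexes": find(MUTEX_RE), "pdb": find(PDB_RE)},
            "flags": flags}


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 image (not real malware, cannot execute)."""
    text = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3" + b"\0" * 54
    data_sec = b"\0".join([b"http://beacon.example.com/api/v1/checkin", b"198.51.100.23",
                           b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                           b"Global\\Constructed-Mutex-7f3a",
                           b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                           b"C:\\Users\\dev\\src\\loader\\Release\\loader.pdb"]) + b"\0"
    rng = random.Random(7)  # deterministic pseudo-random bytes stand in for a packed section
    packed = bytes(rng.getrandbits(8) for _ in range(1024))
    opt_size = 0xE0  # PE32 optional header, zeroed in this constructed image
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew -> PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1_700_000_000, 0, 0, opt_size, 0x0102)
    table, body, raw_ptr = b"", b"", 64 + 4 + 20 + opt_size + 3 * 40
    for idx, (name, raw, chars) in enumerate(((b".text", text, 0x60000020),
                                              (b".data", data_sec, 0xC0000040),
                                              (b"UPX1", packed, 0xE0000040))):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), 0x1000 * (idx + 1),
                             len(raw), raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += len(raw)
        body += raw
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

On a real file, replace `build_sample_pe()` with the bytes read from disk and compare the hashes against VirusTotal and MalwareBazaar before going further; the flags list is there to tell you whether the sample is worth a sandbox run, not to classify it on its own.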

Where triage fits in your workflow

Triage sits between evidence collection and deep analysis. During an IR engagement, you recover suspicious files from KAPE collections, memory dumps, or endpoint sweeps. Triage tells you what each file is and what it does — fast enough to inform containment decisions. The IOCs from triage feed into YARA rules (YARA skill), Sigma detections (Sigma skill), and network blocks.
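The hand-off step that the paragraph above and MT0.4 describe, as an added example (not Ridgeline course material): a triage IOC set packaged as a STIX 2.1 bundle of Indicator objects plus a flat CSV for SIEM import, with a confidence value per indicator. The IOC values are constructed (placeholder hash, RFC 2606 domain, TEST-NET address); the per-type confidence table and the bonus for sandbox-observed ("behavioural") over strings-only ("static") indicators are this example's assumptions, not the course's numbers.

```python
"""Package triage IOCs as a STIX 2.1 bundle and as CSV for SIEM import.
Added example, not Ridgeline course material. Confidence values and the
static/behavioural source bonus are assumptions chosen for illustration."""
import csv
import io
import json
import uuid

# STIX 2.1 comparison expression per IOC type; the value is escaped then substituted.
PATTERNS = {
    "sha256": "file:hashes.'SHA-256' = '{v}'",
    "domain": "domain-name:value = '{v}'",
    "ipv4": "ipv4-addr:value = '{v}'",
    "url": "url:value = '{v}'",
    "mutex": "mutex:name = '{v}'",
    "registry": "windows-registry-key:key = '{v}'",
    "user_agent": "network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' = '{v}'",
}
# Assumed base confidence (0-100, the STIX scale): a hash pins exactly one file, a
# user-agent string is shared with every legitimate browser. Sandbox-observed IOCs
# get a bonus over ones only seen in strings, which may be decoys or dead infrastructure.
BASE_CONFIDENCE = {"sha256": 95, "mutex": 85, "registry": 75, "url": 75,
                   "domain": 70, "ipv4": 60, "user_agent": 40}
SOURCE_BONUS = {"static": 0, "behavioural": 10}


def stix_escape(value: str) -> str:
    """STIX string literals escape backslash and single quote with a backslash."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def confidence(ioc_type: str, source: str) -> int:
    return min(100, BASE_CONFIDENCE[ioc_type] + SOURCE_BONUS[source])


def make_indicator(ioc_type: str, value: str, source: str, incident: str, created: str) -> dict:
    """One STIX 2.1 Indicator SDO carrying every property the 2.1 spec requires."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": f"{incident} {ioc_type}",
        "description": f"Recovered during {source} triage of the {incident} sample",
        "indicator_types": ["malicious-activity"],
        "pattern": "[" + PATTERNS[ioc_type].format(v=stix_escape(value)) + "]",
        "pattern_type": "stix",
        "valid_from": created,
        "confidence": confidence(ioc_type, source),
        "labels": [f"incident:{incident}", f"source:{source}"],
    }


def package_iocs(iocs, incident: str, created: str):
    """iocs: (type, value, source) triples -> (STIX bundle dict, CSV text)."""
    objects = [make_indicator(t, v, s, incident, created) for t, v, s in iocs]
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["type", "value", "confidence", "source", "stix_id"])
    for (t, v, s), obj in zip(iocs, objects):
        writer.writerow([t, v, obj["confidence"], s, obj["id"]])  # one SIEM row per indicator
    return bundle, out.getvalue()


# Constructed IOC set for the example: placeholder hash, RFC 2606 domain, TEST-NET-2 address.
SAMPLE_IOCS = [
    ("sha256", "0123456789abcdef" * 4, "static"),
    ("domain", "beacon.example.com", "behavioural"),
    ("ipv4", "198.51.100.23", "behavioural"),
    ("url", "http://beacon.example.com/api/v1/checkin", "behavioural"),
    ("mutex", "Global\\Constructed-Mutex-7f3a", "behavioural"),
    ("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "behavioural"),
    ("user_agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "static"),
]

if __name__ == "__main__":
    bundle, csv_text = package_iocs(SAMPLE_IOCS, "INC-2026-0501", "2026-05-01T09:00:00.000Z")
    print(json.dumps(bundle, indent=2))
    print(csv_text)
```

The escaping in `stix_escape` is the part that bites in practice: a registry path with unescaped backslashes produces a pattern that a STIX-aware platform rejects or, worse, silently never matches. The CSV carries the STIX id so a block deployed from the SIEM can be traced back to the bundle object it came from.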

What this skill is not

This is not a reverse engineering course. You will not use IDA Pro, Ghidra, x64dbg, or any disassembler. You will not trace execution paths, decode custom protocols, or write decompiler plugins. Those skills require months of dedicated study and are needed by malware analysts, not IR practitioners. This skill teaches the triage layer that 90% of practitioners need for 90% of incidents.