Compare static and dynamic malware analysis, including the strengths and limits of each.
Short answer
Static analysis examines a sample without executing it — hashes, strings, imports, headers, and disassembly — so it is safe and complete in coverage but defeated by packing and obfuscation. Dynamic analysis detonates the sample in an isolated sandbox and observes real behavior — files, registry, processes, network — which cuts through obfuscation but only reveals what runs in that session and can be evaded by sandbox-aware malware. Analysts combine both.
When a suspicious file lands, an analyst has two complementary lenses: study it at rest or watch it in action. Interviewers ask this to gauge whether you understand the trade-offs and would reach for the right technique — and know why neither alone is enough.
Static analysis — without running it
Static analysis inspects the file without execution, so it is safe. Basic static work pulls file hashes (to check threat-intel reputation), strings (URLs, IPs, registry keys, error messages), the PE/ELF header, and the import table (which APIs hint at capability — networking, crypto, process injection). Advanced static analysis means disassembly/decompilation (IDA, Ghidra) to read the code's logic. Its strength is coverage — you can see code paths that never executed. Its great weakness is packing and obfuscation: a packed binary reveals little until it unpacks itself at runtime.
Dynamic analysis — detonating it
Dynamic analysis runs the sample in an isolated sandbox (a VM with monitoring, snapshots, faked network) and records actual behavior: files written, registry/run-key changes, processes spawned, injection, and network callbacks (C2). It cuts straight through packing because the malware must unpack to run. Limits: you only see what executes in that session — behavior gated on a date, a specific target, or a C2 response stays hidden — and modern malware is sandbox-aware, checking for VM artifacts, low uptime, or absent user activity, and refusing to detonate.
Why this matters
The mature answer is both, iteratively: triage with quick static (hash, strings, imports), detonate dynamically for behavior, then return to disassembly to fill the gaps. Naming the strengths (static = full coverage but beaten by obfuscation; dynamic = real behavior but session-limited and evadable) shows you understand the workflow, not just the definitions.
Likely follow-ups
- Why does packing or obfuscation hurt static analysis more than dynamic?
- What tricks does sandbox-aware malware use to evade dynamic analysis?
- What basic static indicators would you pull from a sample first?