Skip to content

Static analysis shows high entropy and almost no readable imports or strings — the sample looks packed. What do you do?

Short answer

Packing hides the real code, so high entropy plus stripped imports is a sign to unpack — detect the packer and dump the unpacked image from memory once the loader has executed, then analyze the real payload. Unreadable strings are evidence of evasion, not of being benign. Calling it a false positive or renaming the extension ignores an actively obfuscated sample. The obfuscation itself is a strong malicious indicator worth investigating.

This question separates analysts who understand evasion from those who stop at the first wall. High entropy and a near-empty import table aren't a dead end — they're a fingerprint of deliberate obfuscation, and a senior analyst reads them as a signal to dig in.

Why identifying and unpacking is correct

Packers compress or encrypt the real payload and leave only a small stub (the loader) visible to static tools. That's exactly why you see high entropy and no meaningful strings or imports — the actual code only materializes at runtime. The right move is to identify the packer (entropy patterns, section names, tools like a packer detector) and then recover the original code. For many packers the most reliable path is dynamic unpacking: run the loader in your isolated lab until it has decompressed the payload into memory, then dump the unpacked image and reconstruct the import table so it's analyzable. Now your static tools work on the real binary.

Why the other options are wrong

  • Conclude it's benign because you can't read strings. This inverts the evidence. Legitimate software is rarely packed to the point of stripping all imports; aggressive packing is far more common in malware. Unreadability is suspicious, not exculpatory.
  • Report it as a false positive. A false positive means the detection was wrong. Here the sample is actively hiding its behavior — that's the opposite of benign. Closing it lets a real threat through.
  • Rename the file extension and re-scan. The extension has nothing to do with the packed contents. You'd get the same result and waste time, while the obfuscated payload remains unexamined.

What interviewers look for

The senior signal is treating obfuscation as information: you recognize packing, distinguish commodity packers from custom protectors, and know that memory dumping after the loader runs beats fighting the stub statically. Bonus points for mentioning import reconstruction and anti-unpacking tricks. The judgment being probed is persistence — you don't accept "I can't read it" as an answer when the malware is clearly trying to make you give up.

Likely follow-ups

  • How do you tell a commodity packer (UPX) from a custom or commercial protector, and why does that change your approach?
  • Why is dumping from memory after the loader runs more reliable than static unpacking for many protectors?
  • After you have the unpacked image, how do you fix the import table so the dump is analyzable?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.