analyzing-packed-malware-with-upx-unpacker

Installation
SKILL.md

Analyzing Packed Malware with UPX Unpacker

When to Use

  • Static analysis reveals high entropy sections and minimal imports indicating the binary is packed
  • PEiD, Detect It Easy, or PEStudio identifies UPX or another known packer
  • The import table contains only LoadLibrary and GetProcAddress (runtime import resolution typical of packed binaries)
  • You need to recover the original binary for proper disassembly and decompilation in Ghidra or IDA
  • Automated UPX decompression fails because the malware author modified UPX magic bytes or headers

Do not use when dealing with custom packers, VM-based protectors (Themida, VMProtect), or samples where dynamic unpacking via debugging is more appropriate.

Prerequisites

Installs
170
GitHub Stars
24.8K
First Seen
Mar 15, 2026
analyzing-packed-malware-with-upx-unpacker — mukul975/anthropic-cybersecurity-skills