{
	"id": "816830e8-4c22-4924-a616-e758f815e558",
	"created_at": "2026-04-06T00:12:15.183288Z",
	"updated_at": "2026-04-10T13:12:30.597621Z",
	"deleted_at": null,
	"sha1_hash": "59425ad6dbc77b27ae006ab6189bc816f5b6c7d2",
	"title": "Explainer: Packed Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1203993,
	"plain_text": "Explainer: Packed Malware\r\nBy Shellseekerscyber\r\nPublished: 2024-01-07 · Archived: 2026-04-05 18:16:34 UTC\r\nWhat is Packed malware?\r\nPacked Malware is malicious code that uses compression or encryption to hide its malicious features. This\r\nexplainer will focus on compression.\r\nPacked malware requires the following 3 elements:\r\n1. The packed executable — the compressed/encrypted part that, when unpacked (decompressed, decrypted\r\nor both), carries out the malicious activity.\r\n2. The stub — the part that tells the victim host how to unpack the packed executable. Stub is often used\r\ninterchangably with the term wrapper.\r\n3. The packer — the program that the malware author uses to pack (compresses, encrypts or both) the\r\nmalware. This is not delivered to the victim.\r\nWhy pack malware?\r\nThe primary motivation to pack malware is to bypass security measures and make the malware more difficult to\r\nanalyze.\r\nIf we take a simple example of a compiled Hello, World! binary and compress it, we can see why packed malware\r\nis more likely to bypass security tools for two reasons:\r\nPacked malware has a different signature. When you pack malware, the compressed executable will have a\r\ndifferent hash from its unpacked equivalent. If this new hash has not been added to the signature library of an\r\nantivirus or EDR tool, there is a chance it will remain undetected. If our antivirus was looking for the hash of the\r\nmalicious file malware, ‘packing’ our compressed_malware has evaded this detection.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035\r\nPage 1 of 6\n\nSandbox tools are more likely to fail to analyze packed malware. More advanced security tools (most modern\r\nEDR platforms) use sandboxing techniques to detonate (run) unknown software, analyze its behaviour and then\r\nclassify it as malicious or benign. 
With more advanced packers, it is unlikely that the sandbox will be capable of working out how to ‘unpack’ (decompress) the packed malware, and as such it will not be able to detonate it.\r\nPacked malware tends to have a smaller file size. This tends to be the least important of these 3 reasons, but is a welcome consequence of packing malware. Like normal file compression, packing reduces the file size of the malware, which makes it easier to deliver to the victim.\r\nThis demonstration is not realistic. However, even simply compressing this file exemplifies some of the advantages of packing malware.\r\nWhat does packed malware look like?\r\nTo write packed malware, authors write a malicious program, then ‘pack’ it with a stub which instructs the victim’s host on how to unpack the malware so it can be run. When the packed malware executes on the victim host, the host interprets the stub, which unpacks the malicious executable. That unpacked executable is then able to run its malicious instructions.\r\nThe stub itself is not packed (compressed or encrypted) — if it was, the victim host would not be able to understand how to unpack the malicious program that will then be executed.\r\nDiagram showing the general structure of unpacked (R) vs packed (L) malware. Here, the term wrapper is used instead of stub. Source: Page 13 of Practical Malware Analysis, Sikorski and Honig\r\nSimplifying the concept\r\nA helpful analogy might be furniture: you can buy a fully-assembled table from a shop that you can take home, put in your kitchen and use immediately. Alternatively, you can buy IKEA flat-pack furniture. 
The IKEA box arrives with 2 components in the box, the flat-pack furniture and the instructions.\r\nThe flat-pack table does not look like a table or perform the function of a table until it is assembled using the instructions (for this analogy to work, you also have to pretend that you use the instructions when assembling IKEA furniture… bear with me).\r\nWhat is the packer?\r\nThe packer is the program that compresses or encrypts the packed executable. The most common packer is UPX (Ultimate Packer for eXecutables) — an open source tool.\r\nPacking can be as complex or as simple as the malware author chooses. Below we see an example of UPX being used to pack a binary. Keep in mind, UPX packs binaries with a stub by default, so unlike our example with GZip earlier, the UPX-packed binary will still run, because the stub instructs the operating system on how to unpack the binary.\r\nHere, unpacked malware is run, then packed, showing the drop in file size due to compression. However, since UPX includes a stub in packed_malware, the operating system is still able to execute the malware.\r\nHow does the stub work?\r\nThe decompression stub is typically located at the beginning of the packed executable. 
It is a relatively small portion of code, often just a few hundred bytes in size.\r\nDuring runtime, the decompression stub executes its instructions to locate and decompress the compressed sections within the packed file.\r\nSome decompression stubs include anti-analysis techniques to impede dynamic analysis tools and sandboxes. These techniques might include checks for virtualized environments or delays in unpacking to make automated sandbox analysis more challenging.\r\nSome advanced decompression stubs may possess polymorphic capabilities. This means they can generate different instances of themselves dynamically, making it more difficult for static signature-based detection mechanisms to identify the decompression stub itself.\r\nHow can you analyze packed malware?\r\nFundamentally, the challenge is in identifying the method used to pack the malware. However, it should be noted that this is an enormous topic in and of itself, and this write-up only attempts to outline the processes without going into any meaningful detail.\r\nFirstly, the analyst must identify packing signatures. This can be done using a tool such as PEiD (PE iDentifier), which can identify packers, cryptors, and compilers used in PE (Portable Executable) files.\r\nFinally, the analyst must actually unpack the malware. This could be as simple as using:\r\nupx -d packed_malware.exe\r\nHowever, more advanced malware is likely to use custom or obfuscated packing techniques, making it difficult for the analyst to identify any packing signatures.\r\nSummary\r\nThe article explains packed malware, malicious code that hides its features through compression or encryption. It consists of three elements: the packed executable, the stub (or wrapper), and the packer. 
The main purpose of packing malware is to bypass security measures and complicate analysis by changing signatures and reducing file size. It should be noted that this article has examined the surface level of this extremely deep topic.\r\nA picture of a laptop. Fascinating stuff. Photo by Philipp Katzenberger on Unsplash\r\nReferences\r\nMichael Sikorski and Andrew Honig. 2012. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (1st ed.). No Starch Press, USA.\r\nSource: https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035"
	],
	"report_names": [
		"explainer-packed-malware-16f09cc75035"
	],
	"threat_actors": [],
	"ts_created_at": 1775434335,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59425ad6dbc77b27ae006ab6189bc816f5b6c7d2.pdf",
		"text": "https://archive.orkl.eu/59425ad6dbc77b27ae006ab6189bc816f5b6c7d2.txt",
		"img": "https://archive.orkl.eu/59425ad6dbc77b27ae006ab6189bc816f5b6c7d2.jpg"
	}
}