A Fast Metric for Preliminary Risk Assessment of Portable Executables Using Static Analysis
摘要
This paper introduces a lightweight, fast, and interpretable static analysis method for the preliminary risk assessment of Windows Portable Executable (PE) files. The proposed system combines three complementary techniques: entropy analysis to detect obfuscation, structural metadata inspection to identify anomalous PE characteristics, and YARA (Yet Another Ridiculous Acronym) rule matching for signature-based threat identification. A custom point-based scoring model, empirically derived from 1,000 benign PE files, assigns risk scores based on statistical deviations in header fields and matched threat patterns. The tool was validated on a balanced dataset of 1,000 PE samples (500 benign, 500 malicious), achieving 80% detection accuracy, an 8% improvement over the ClamAV static scanner, while maintaining perfect precision and significantly reduced analysis time. Its design emphasizes modularity, enabling seamless integration with other tools and supporting the broader trend toward explainable AI in cybersecurity.