An ever-increasing number of malware samples are identified and assessed daily. Malware researchers have the difficult task of classifying and grouping these specimens: defenders must not only judge whether a file is malicious or benign, but also determine how it relates to known groupings of samples. Static comparison of file and file-format properties is often used to do this at scale. This paper builds on previously identified static comparison techniques for the Windows Portable Executable (PE) format by exploring the undocumented Rich header. The Rich header is not a PE section but an undocumented block that Microsoft's linker writes between the DOS stub and the PE header; it records which toolchain components (compiler, linker, and so on) and which build numbers produced the object files that were linked, and so serves as a fingerprint of the executable's build environment. This under-used source of information can help defenders classify and associate PE-based malware. The paper shows how to extract the details in the Rich header and how they can be used to link and classify samples, and it evaluates how linking samples by their Rich headers compares to traditional static PE comparison techniques.
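The extraction the paper describes, as an added example that is not the paper's own code or tooling. It assumes the community-documented layout of the Rich header (an XOR-encoded block of `DanS`, three padding dwords, `(comp_id, count)` pairs, the `Rich` marker and the key), decodes it into product-id/build/count entries, recomputes the key from the DOS header and entries so that a copied or edited Rich header can be flagged, and derives two comparison values: an MD5 over the decoded header and a Jaccard similarity over the toolchain pairs. The `build_image` helper constructs a synthetic MZ image for test data only; the entry values in the usage note are made up, and the hashed span (from `DanS` to just before `Rich`) should be checked against whichever tool's Rich hash you intend to compare with.

```python
"""Parse, verify and fingerprint the Rich header of a PE image.

Added example (not the paper's code). Layout assumed, as reverse-engineered by
the community:

    [IMAGE_DOS_HEADER (0x40 bytes)][DOS stub][Rich header][PE header at e_lfanew]

    Rich header = "DanS"^key, 3 x (0^key), N x (comp_id^key, count^key), "Rich", key
    comp_id     = (product_id << 16) | build_number   (product_id names the tool)
    key         = checksum over the bytes before DanS (e_lfanew excluded) and the entries
"""
import hashlib
import struct

DANS = 0x536E6144  # b"DanS" read as a little-endian dword
RICH = b"Rich"


def _rol32(value, count):
    count &= 31
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(image, dans_off, entries):
    """Recompute the XOR key the way the linker derives it: start with the DanS offset,
    add every byte before DanS rotated by its offset (skipping e_lfanew at 0x3C..0x3F),
    then add every comp_id rotated by its object count."""
    cksum = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + _rol32(image[i], i)) & 0xFFFFFFFF
    for e in entries:
        comp_id = (e["product_id"] << 16) | e["build"]
        cksum = (cksum + _rol32(comp_id, e["count"])) & 0xFFFFFFFF
    return cksum


def parse_rich_header(image):
    """Return the decoded Rich header of an MZ/PE image, or None if there is none."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew > len(image):
        raise ValueError("e_lfanew points outside the file")
    # The marker must sit between the DOS header and the PE header.
    rich_off = image.rfind(RICH, 0x40, e_lfanew)
    if rich_off < 0 or rich_off + 8 > e_lfanew:
        return None
    key = struct.unpack_from("<I", image, rich_off + 4)[0]
    # Walk back one dword at a time, XOR-decoding, until "DanS" appears.
    dans_off = rich_off - 4
    while dans_off >= 0x40:
        if struct.unpack_from("<I", image, dans_off)[0] ^ key == DANS:
            break
        dans_off -= 4
    else:
        return None
    n = (rich_off - dans_off) // 4
    words = [w ^ key for w in struct.unpack_from("<%dI" % n, image, dans_off)]
    if n < 4 or any(words[1:4]):  # DanS is followed by three zero padding dwords
        return None
    entries = [{"product_id": c >> 16, "build": c & 0xFFFF, "count": k}
               for c, k in zip(words[4::2], words[5::2])]
    cleartext = struct.pack("<%dI" % n, *words)  # DanS .. last entry, before "Rich"
    return {
        "offset": dans_off,
        "key": key,
        "entries": entries,
        "rich_hash": hashlib.md5(cleartext).hexdigest(),
        # A key that does not match the recomputed checksum means the DOS stub or the
        # header was changed after linking, e.g. a Rich header copied from another file.
        "checksum_ok": key == rich_checksum(image, dans_off, entries),
    }


def build_image(entries, stub):
    """Construct a minimal synthetic MZ image with a valid Rich header (test data only)."""
    head = bytearray(b"MZ" + b"\x00" * 0x3E) + bytearray(stub)
    dans_off = len(head)
    key = rich_checksum(head, dans_off, entries)
    words = [DANS, 0, 0, 0]
    for e in entries:
        words += [(e["product_id"] << 16) | e["build"], e["count"]]
    encoded = struct.pack("<%dI" % len(words), *[w ^ key for w in words])
    rich = encoded + RICH + struct.pack("<I", key)
    struct.pack_into("<I", head, 0x3C, dans_off + len(rich))  # e_lfanew
    return bytes(head) + rich + b"PE\x00\x00" + b"\x00" * 20


def jaccard(a, b):
    """Similarity of two parsed headers on the (product_id, build) pairs they record."""
    sa = {(e["product_id"], e["build"]) for e in a["entries"]}
    sb = {(e["product_id"], e["build"]) for e in b["entries"]}
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


if __name__ == "__main__":
    # Constructed entries; product ids and builds are arbitrary, not a real toolchain.
    sample = [{"product_id": 0xDF, "build": 25508, "count": 10},
              {"product_id": 0xDD, "build": 25508, "count": 3},
              {"product_id": 0x101, "build": 25508, "count": 1}]
    hdr = parse_rich_header(build_image(sample, b"\x0e\x1f" + b"\x00" * 62))
    print(hex(hdr["key"]), hdr["rich_hash"], hdr["checksum_ok"], hdr["entries"])
```

On real files, read the whole binary and pass it to `parse_rich_header`; the `rich_hash` value groups samples built with the same tool versions and object counts regardless of the DOS stub, while `jaccard` tolerates small differences in object counts. Treat `checksum_ok == False` as a signal in its own right: the header was not produced by the linker that emitted the rest of the file, which is itself useful for clustering.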