
arxiv: 2605.25923 · v2 · pith:CJOKMD2Dnew · submitted 2026-05-25 · 💻 cs.CR

Semantic Validation of Packer Identification Tools: Characterization, Repair, and Downstream Impact

Pith reviewed 2026-06-29 21:24 UTC · model grok-4.3

classification 💻 cs.CR
keywords packer identification · semantic validation · unpackers · malware analysis · tool repair · semantic bugs · malware classification · executable contracts

The pith

Unpackers serve as automatic oracles to validate and repair packer identification tools, improving coverage by up to 58.6% and malware classification by over 13.6%.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper introduces a framework that treats unpackers as executable semantic contracts for validating packer identification tools. Instead of relying on manual labels, it checks whether a predicted packer allows the corresponding unpacker to recover usable program content. The authors apply this to eleven open-source tools and six VirusTotal tools, uncovering recurring semantic bugs from incomplete signatures and unstable heuristics. After repairs based on the detected faults, identification coverage rises substantially and downstream classification accuracy increases.

Core claim

Packer identification tools can be tested for semantic correctness by using the corresponding unpacker as an executable contract: a correct prediction should enable the unpacker to produce analyzable content. This oracle allows systematic detection, localization, and repair of semantic faults without ground truth. Empirical evaluation on multiple tools shows that such faults are common, and fixing them yields large gains in identification coverage and in the performance of malware classifiers that depend on accurate packer labels.

What carries the argument

The unpacker serving as an executable semantic contract, which automatically verifies if a packer prediction is correct by attempting to unpack the sample.

Load-bearing premise

Unpackers reliably succeed only on correctly identified packers and fail otherwise, providing a trustworthy test oracle.

What would settle it

Finding even one case where a wrong packer prediction allows successful unpacking by its unpacker, or a correct prediction fails to unpack.

Figures

Figures reproduced from arXiv: 2605.25923 by Fangtian Zhong, Jiaqi Huang, Mengfei Ren, Xiuzhen Cheng, Yili Jiang, Yunming Pang, Zhuoyun Qian.

Figure 1: An output example of packer identification tools
Figure 2: Overall workflow of our ground-truth-guided testing framework
Figure 3: Packer Family Identification Performance on PE32 binaries, PE64 binaries and Combined
Figure 4: Packedness Identification Performance on PE32 binaries, PE64 binaries and Combined
Figure 5: VisUnpac Feature Data Distributions is concentrated in a small set of categories, including pua.playtech, trojan.fareit, trojan.cobaltstrike, trojan.rozena, trojan.toolbar, trojan.swisyn, trojan.wacapew, and trojan.xpack. Before the fixes, several of these categories exhibit substantial errors, with precision as low as 36.8% for pua.playtech, 37.5% for trojan.fareit, 44.4% for trojan.cobaltstrike, 48.7%…
Original abstract

Packer identification tools are a critical foundation of malware analysis, directly affecting unpacking, behavioral analysis, malware classification, and threat attribution. However, their semantic correctness is rarely validated. In practice, a tool may return a plausible packer label that is nevertheless semantically wrong, leading to failed unpacking and unreliable downstream analysis. This paper presents a semantic validation framework for testing and repairing packer identification tools. Our key idea is to use unpackers as executable semantic contracts. If a tool predicts a packer family, the corresponding unpacker should recover analyzable program content. This enables automatic test oracles without requiring manually labeled ground truth. Building on this idea, we develop a systematic pipeline for detecting, localizing, and repairing semantic faults in existing packer identification tools. We then conduct the first large-scale empirical study of semantic bugs in eleven open-source packer identification tools and six proprietary VirusTotal tools. Our results reveal that semantic bugs are widespread and recurring, largely due to incomplete signatures and unstable heuristic logic. After repair, packer identification coverage improves by up to 58.6%, and downstream malware classification performance improves by more than 13.6% on average. These findings show that semantic validation of packer identification tools is essential for building trustworthy malware analysis pipelines.
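The identify, unpack, check, localize and repair loop the abstract describes, as an added toy example that is not the paper's code: the packers, unpackers, sample image and signature table are all constructed stand-ins, and the "analyzable content" predicate is an assumption, since the page does not state the paper's exact criterion.

```python
"""Toy model of the unpacker-as-oracle idea: a predicted packer family counts as
correct only if that family's unpacker turns the sample back into analyzable
content. Every packer, unpacker and sample here is a constructed stand-in."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for an unpacked PE image: DOS stub, PE signature, a section.
PAYLOAD = b"MZ" + bytes(62) + b"PE\0\0" + b".text\0\0\0" + bytes(range(64))

# Constructed "packers": a marker header followed by a trivial transform.
def pack_upx(p: bytes) -> bytes: return b"UPX1" + bytes(b ^ 0x5A for b in p)
def pack_aspack(p: bytes) -> bytes: return b".aspack" + p[::-1]
def pack_mew(p: bytes) -> bytes: return b"MEW\x01" + bytes(b ^ 0x33 for b in p)
def pack_petite(p: bytes) -> bytes: return b"PETITE" + bytes((b + 1) & 0xFF for b in p)
def pack_themida(p: bytes) -> bytes: return b"THMD" + p  # no unpacker registered

def _expect(blob: bytes, hdr: bytes) -> bytes:
    if not blob.startswith(hdr):
        raise ValueError("wrong packer")  # a strict unpacker refuses foreign input
    return blob[len(hdr):]

# Unpacker registry. The upx stand-in is deliberately lenient: it never checks the
# header, so on foreign input it "succeeds" but emits garbage; hence the oracle
# must judge the recovered bytes, not the unpacker's exit status.
UNPACKERS: Dict[str, Callable[[bytes], bytes]] = {
    "upx": lambda b: bytes(x ^ 0x5A for x in b[4:]),
    "aspack": lambda b: _expect(b, b".aspack")[::-1],
    "mew": lambda b: bytes(x ^ 0x33 for x in _expect(b, b"MEW\x01")),
    "petite": lambda b: bytes((x - 1) & 0xFF for x in _expect(b, b"PETITE")),
}

def analyzable(image: bytes) -> bool:
    """Success criterion assumed here (the page does not state the paper's exact
    predicate): a DOS header, a PE signature and a non-trivial size."""
    return image.startswith(b"MZ") and b"PE\0\0" in image and len(image) > 64

# A signature-based identifier with two semantic faults: the MEW marker is bound
# to a plausible but wrong family, and petite has no signature at all.
SIGNATURES_BUGGY: Dict[str, List[bytes]] = {
    "upx": [b"UPX1", b"MEW\x01"], "aspack": [b".aspack"], "themida": [b"THMD"],
}

def identify(sample: bytes, signatures: Dict[str, List[bytes]]) -> Optional[str]:
    for family, sigs in signatures.items():
        if any(sample.startswith(s) for s in sigs):
            return family
    return None

@dataclass
class Verdict:
    predicted: Optional[str]
    status: str  # pass | semantic_bug | unidentified | no_unpacker

def oracle(sample: bytes, predicted: Optional[str]) -> Verdict:
    """The executable contract: run the unpacker the label points to and judge
    its output. A family with no unpacker cannot be judged either way."""
    if predicted is None:
        return Verdict(None, "unidentified")
    unpack = UNPACKERS.get(predicted)
    if unpack is None:
        return Verdict(predicted, "no_unpacker")
    try:
        ok = analyzable(unpack(sample))
    except Exception:
        ok = False
    return Verdict(predicted, "pass" if ok else "semantic_bug")

def coverage(samples: List[bytes], signatures: Dict[str, List[bytes]]) -> float:
    # Fraction of samples whose predicted label the oracle accepts.
    return sum(oracle(s, identify(s, signatures)).status == "pass"
               for s in samples) / len(samples)

def repair(signatures: Dict[str, List[bytes]], samples: List[bytes], sig_len: int = 4):
    """Localize and fix signature faults with the oracle alone, no labels: for each
    rejected sample try every registered unpacker; if exactly one yields an analyzable
    image, bind the sample's leading bytes to that family and drop the wrong signature."""
    fixed = {f: list(s) for f, s in signatures.items()}
    for s in samples:
        pred = identify(s, fixed)
        if oracle(s, pred).status in ("pass", "no_unpacker"):
            continue
        hits = [f for f in UNPACKERS if oracle(s, f).status == "pass"]
        if len(hits) != 1:
            continue  # ambiguous: leave for manual triage rather than guess
        if pred is not None:
            fixed[pred] = [x for x in fixed[pred] if not s.startswith(x)]
        fixed.setdefault(hits[0], []).append(s[:sig_len])
    return fixed

SAMPLES = [f(PAYLOAD) for f in (pack_upx, pack_aspack, pack_mew, pack_petite, pack_themida)]
```

Running `coverage(SAMPLES, SIGNATURES_BUGGY)` gives 0.4 and, after `repair`, 0.8; the themida sample stays unjudged because no unpacker exists for it, which is the edge case the referee asks about.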

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that packer identification tools contain widespread semantic bugs (due to incomplete signatures and unstable heuristics) that can be automatically detected, localized, and repaired by treating unpackers as executable semantic contracts: a predicted packer family is deemed correct iff the matching unpacker recovers analyzable content. This oracle enables validation without manual ground truth. The authors apply the resulting pipeline to 11 open-source tools and 6 VirusTotal tools, report that semantic bugs are common, and claim that post-repair coverage improves by up to 58.6 % while downstream malware classification improves by more than 13.6 % on average.

Significance. If the unpacker-oracle assumption holds, the work would be significant: it supplies the first large-scale, automatic method for semantic (rather than syntactic) validation of packer detectors and demonstrates measurable downstream gains in a critical malware-analysis pipeline. The scale of the study across both open-source and proprietary tools is a clear strength. However, the central results rest on an unvalidated oracle whose reliability is not demonstrated in the manuscript.

major comments (2)
  1. [Abstract; Semantic Validation Framework section] The central claim that unpackers constitute reliable semantic oracles (a packer prediction is correct iff the corresponding unpacker succeeds) is load-bearing for every reported bug count, repair, and performance gain. No experiment is described that tests whether unpackers can succeed on an incorrect packer label or fail on a correct one, nor is there evidence that every packer family possesses a faithful unpacker. This assumption is stated in the abstract and developed in the semantic-validation framework section but is never empirically checked.
  2. [Empirical study / Results section (where the 58.6 % and 13.6 % figures appear)] The reported quantitative gains (58.6 % coverage improvement, >13.6 % downstream classification improvement) are presented without any description of sample selection criteria, number of binaries, error-bar computation, or controls for unpacker failure modes. Because the oracle itself is unvalidated, these numbers cannot be interpreted as evidence of improved semantic correctness rather than simply more samples being passed to the unpacker.
minor comments (2)
  1. [Framework section] Notation for packer families, unpacker success criteria, and “analyzable content” is introduced without a consolidated table or formal definition, making it difficult to replicate the oracle predicate.
  2. [Limitations / Discussion] The manuscript does not discuss how the approach handles packers that have no corresponding unpacker or unpackers that are themselves buggy; this edge case should be stated explicitly.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. The two major comments identify important gaps in the presentation and validation of the oracle assumption. We address each below and commit to revisions that strengthen the manuscript without altering its core claims.

Point-by-point responses
  1. Referee: [Abstract; Semantic Validation Framework section] The central claim that unpackers constitute reliable semantic oracles (a packer prediction is correct iff the corresponding unpacker succeeds) is load-bearing for every reported bug count, repair, and performance gain. No experiment is described that tests whether unpackers can succeed on an incorrect packer label or fail on a correct one, nor is there evidence that every packer family possesses a faithful unpacker. This assumption is stated in the abstract and developed in the semantic-validation framework section but is never empirically checked.

    Authors: We agree that the manuscript presents the unpacker-oracle as a definitional contract without a dedicated ground-truth experiment that would measure false-positive or false-negative rates of the oracle itself. The framework section motivates the approach via the executable-contract property and the empirical study reports downstream effects, but no separate validation set with manually confirmed packer labels is used to quantify oracle error. In revision we will add a new subsection that (a) enumerates known unpacker failure modes, (b) reports results on a small manually inspected subset of samples where packer labels were cross-checked against multiple sources, and (c) discusses the practical difficulty of obtaining comprehensive ground truth. These additions will make the assumption's scope explicit while preserving the original large-scale results. revision: partial

  2. Referee: [Empirical study / Results section (where the 58.6 % and 13.6 % figures appear)] The reported quantitative gains (58.6 % coverage improvement, >13.6 % downstream classification improvement) are presented without any description of sample selection criteria, number of binaries, error-bar computation, or controls for unpacker failure modes. Because the oracle itself is unvalidated, these numbers cannot be interpreted as evidence of improved semantic correctness rather than simply more samples being passed to the unpacker.

    Authors: The Empirical Study section does specify the corpus (binaries collected from public malware repositories and VirusTotal submissions, filtered for diversity across known packer families and file types) and states the total number of samples processed. However, the referee is correct that explicit sample-selection criteria, per-family counts, error-bar computation, and explicit controls for unpacker failures independent of the predicted label are not detailed. We will expand the section to include these elements: a table of sample counts per packer family, standard deviations across repeated runs, and an analysis of unpacker failure cases that occur even when the label is held constant. The reported gains remain relative improvements measured on identical input sets before and after repair; the added controls will clarify that the measured lift is not merely an artifact of feeding more samples to unpackers. revision: yes

Circularity Check

0 steps flagged

No significant circularity; empirical measurements are independent of inputs

Full rationale

The paper's central results consist of measured improvements in packer identification coverage (up to 58.6%) and downstream classification accuracy (more than 13.6%) obtained by applying a repair pipeline to eleven open-source and six VirusTotal tools. These quantities are obtained from direct experimental runs on malware samples and are not derived from any equations, fitted parameters, or self-citations that reduce the reported gains to quantities defined by the same inputs. The use of unpackers as oracles is an explicit methodological assumption rather than a self-definitional loop, and no load-bearing step in the provided text collapses a prediction or uniqueness claim back onto the paper's own fitted values or prior self-citations.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The approach rests on one central domain assumption about unpackers serving as oracles; no free parameters or invented entities are introduced in the abstract.

axioms (1)
  • domain assumption: Unpackers can serve as executable semantic contracts that automatically validate packer predictions without manually labeled ground truth.
    This premise is invoked as the key idea enabling the entire validation pipeline and is stated without further justification or evidence in the abstract.

