barkinvar/malware-analysis

# Smart HTA & JAR File Analyser - Group 4 SEC530 Project 4. Tool that analyses .hta and .jar files in three stages: extract features, classify with static rules, then ask LLMs to classify and explain. ## Install Python 3.10+ and a JDK (for javap, used on jar files). We use a virtual env because newer macOS python is externally managed: python3 -m venv venv source venv/bin/activate pip install -r requirements.txt (if you don't use a venv, add --break-system-packages to pip) On macOS python-magic also needs libmagic: brew install libmagic If you don't install libmagic the tool still works, it just falls back to guessing the mime type from the extension. ## Dependencies - beautifulsoup4, lxml - parsing the html in hta files - python-magic - mime type - requests - downloading samples and calling the openrouter api - groq - Groq ## How to run Task 1 - extract features (single file or a whole folder): python task1_extractor.py dataset/malicious/somefile.hta python task1_extractor.py dataset/ Output goes to outputs/features/.json Task 2 - rule based detection: python task2_detector.py outputs/features/somefile.json python task2_detector.py outputs/features/ Output printed and saved to outputs/detections/ Task 3 - llm analysis: python task3_llm_analyser.py outputs/features/somefile.json Raw model responses saved under outputs/llm_responses/ ## API usage notes Task 3 uses OpenRouter, which gives one key access to many free models. We compare two different model families (GLM and Gemma). Put your key in a .env file in this folder (see .env.example), the scripts load it automatically: MB_AUTH_KEY=your-key OPENROUTER_API_KEY=your-key Get an OpenRouter key at https://openrouter.ai/keys. The free tier is 50 requests/day, so you can add a second key as OPENROUTER_API_KEY2 and task3 will switch to it when the first runs out. Don't submit your real .env, only .env.example. You can also just export the vars instead of using .env. To run the tests and the model comparison: python tests.py # functional tests -> outputs/test_results.txt python evaluate_llm.py # runs the 6-file llm comparison -> outputs/llm_responses/comparison.txt Both have free tiers with rate limits, so task3 only runs on the file you give it. You can override the models with OPENROUTER_MODEL / GROQ_MODEL env vars. The default openrouter model is a free deepseek model; groq uses llama-3.3-70b. (We originally tried Gemini but its free tier was only ~20 requests/day, so we switched to openrouter which gives access to several free models with better limits.) ## Dataset Malicious samples come from MalwareBazaar (https://bazaar.abuse.ch/). Get a free Auth-Key from https://auth.abuse.ch/ and: export MB_AUTH_KEY=... python fetch_malware.py Benign samples are generated: python make_benign.py The dataset is shipped as a password protected zip. Password is documented in the report.