How to use the hex inspector for malware file triage
- Step 1: Drop the suspicious file — Drag the quarantined file into the inspector. No execution occurs — the bytes are only read into memory.
- Step 2: Check offset 0 and 0x3C — MZ at offset 0 is the DOS header signature every Windows PE begins with. Read the DWORD at offset 0x3C (e_lfanew) — that value is the file offset of the PE header. Navigate there to verify the PE signature (50 45 00 00).
- Step 3: Assess entropy visually — If the bytes between the PE header and the section table look random (no readable strings, no null padding), the file is likely packed. Combine with the Entropy Analyzer for quantitative confirmation.
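The same three checks as a stand-alone script, added here as an illustration and not part of the JAD Security tool: it reads only the first 8 KB, follows e_lfanew with a bounds check, and scores the bytes after the PE signature with Shannon entropy. The 7.0 bits/byte cut-off and the constructed PE-shaped samples are assumptions for the demonstration.

```python
import math
import struct

INSPECT_LIMIT = 8192     # the inspector reads the first 8 KB of the file
PACKED_THRESHOLD = 7.0   # assumed heuristic cut-off (bits per byte), not the page's figure


def check_pe_header(data: bytes) -> dict:
    """Step 2: MZ at offset 0, e_lfanew at 0x3C, 'PE\\0\\0' at e_lfanew. Bytes only, no execution."""
    result = {"mz": False, "e_lfanew": None, "pe": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    result["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    result["e_lfanew"] = e_lfanew
    # A truncated or malformed sample may point outside the buffer; bounds-check before reading.
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        result["pe"] = True
    return result


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Steps 2 and 3 over the first INSPECT_LIMIT bytes, as the inspector sees them."""
    head = data[:INSPECT_LIMIT]
    result = check_pe_header(head)
    # Step 3: score the bytes after the PE signature (assumed stand-in for the
    # PE-header-to-section-table window described on the page).
    body = head[result["e_lfanew"] + 4:] if result["pe"] else head
    result["entropy"] = round(shannon_entropy(body), 3)
    result["likely_packed"] = result["entropy"] > PACKED_THRESHOLD
    return result


def make_sample(body: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-shaped blob for demonstration only, not a real binary."""
    stub = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return stub.ljust(e_lfanew, b"\x00") + b"PE\x00\x00" + body


if __name__ == "__main__":
    print(triage(make_sample(b"\x00" * 512)))           # null padding: entropy 0.0
    print(triage(make_sample(bytes(range(256)) * 2)))   # uniform bytes: entropy 8.0
```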
Frequently asked questions
Can I inspect a file larger than 8KB?
The inspector reads the first 8KB (Developer tier). PE headers are complete within the first 4KB in virtually all cases. For full-file analysis, use a local tool like CFF Explorer or radare2.
Does this replace a disassembler?
No. Hex inspection gives you raw bytes and ASCII. Disassembly (IDA Pro, Ghidra) decodes machine instructions. Use hex inspection for triage; use a disassembler for deep analysis.
Can I identify the compiler from the hex header?
Sometimes. MSVC PE binaries often show Rich Header signatures between offset 0x80 and the PE header. GCC/MinGW binaries lack the Rich Header. These patterns are visible in the hex dump.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.