
    gl0bal01

    malware-report-writer

    gl0bal01/malware-report-writer
    Security

    About

    Professional malware analysis report creation for enterprise malware analysis and incident response...

    SKILL.md

    Malware Report Writer

    Create professional, comprehensive malware analysis reports for enterprise security teams, incident response, and threat intelligence.

    When to Use This Skill

    Use this skill when the user needs to:

    • Create a complete malware analysis report from analysis findings
    • Structure analysis results into professional documentation
    • Write executive summaries for malware samples
    • Format IOCs and detection rules for delivery
    • Review or improve existing malware reports
    • Prepare report documentation for stakeholders

    Quick Start

    Creating a New Report

    1. Use the report template from assets/report_template.md as the base structure
    2. Gather all analysis artifacts:
      • Sample hashes and file information
      • Static analysis findings (strings, imports, PE structure)
      • Dynamic analysis observations (processes, registry, network, files)
      • IOCs identified
      • Detection rules created
    3. Populate each section systematically
    4. Review against best practices in references/best_practices.md

    Report Structure

    The standard report includes these sections in order:

    1. Executive Summary - High-level overview for non-technical stakeholders
    2. Sample Information - Basic file metadata and hashes
    3. Static Analysis - File structure, strings, imports/exports, resources
    4. Dynamic Analysis - Runtime behavior, system changes, network activity
    5. IOCs - Organized by type (file, network, host indicators)
    6. Detection Rules - YARA rules and optionally Sigma rules
    7. Malware Classification - Family, type, capabilities
    8. Remediation and Mitigation - Actionable response steps
    9. Technical Details - Additional deep-dive analysis
    10. Conclusion - Final summary and assessment
    11. References - External resources and links
    12. Appendix - Timeline, tools used, screenshots

    Key Principles

    Professional Quality

    • Use precise technical language with clear explanations
    • Include all three hash types (MD5, SHA1, SHA256)
    • Provide full context for every finding
    • Document methodology and tools used
    • Include timestamps and version information

    Professional Report Requirements

    Industry-standard reports require:

    • Complete technical documentation of malware samples
    • Professional format suitable for enterprise delivery
    • Working detection rules based on malware characteristics
    • Clear IOCs that can be operationalized

    Critical: The quality of your report reflects your professionalism. Allocate sufficient time for writing and review.

    Audience Awareness

    Structure content for multiple audiences:

    • Executive Summary: Non-technical decision makers
    • Technical Sections: Security analysts and researchers
    • IOCs/Detection: SOC teams and detection engineers
    • Remediation: Incident responders

    Writing Guidelines

    Executive Summary

    • 2-4 paragraphs maximum
    • Plain language, minimal jargon
    • Answer: What? How critical? What actions?
    • Include key findings in bullet points

    Technical Analysis

    • Document both positive and negative findings
    • Provide evidence for every claim
    • Use code blocks for technical artifacts
    • Include screenshots when they add value
    • Connect behaviors to specific evidence

    IOCs Section

    Format:

    • Group by type (file, network, host)
    • Include context for each indicator
    • Provide confidence levels if uncertain
    • Test IOCs for accuracy before including

    Defanging (required): All IOCs in reports MUST be defanged to prevent accidental activation:

    • URLs: http → hxxp, https → hxxps (e.g., hxxps://malicious[.]example[.]com/payload)
    • Domains: bracket the dot before the TLD (e.g., evil[.]com, sub.domain[.]net)
    • Email addresses: @ → [@] (e.g., attacker[@]evil[.]com)
    • IP addresses: bracket each dot separator (e.g., 192[.]168[.]1[.]1)
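    The four defanging rules above, implemented as an added example (this code is not part of the skill or its repository). It follows the page's conventions literally: every dot in a URL host is bracketed, a bare domain gets only the dot before its TLD bracketed, `@` becomes `[@]`, and every dot of an IPv4 address is bracketed; anything it does not recognise (hashes, mutex names, paths) passes through unchanged. The sample indicators are constructed.

```python
import re

# Constructed sample indicators for demonstration (not from any real case).
SAMPLE_IOCS = [
    "https://malicious.example.com/payload",
    "http://evil.com/c2.php?id=1",
    "sub.domain.net",
    "attacker@evil.com",
    "192.168.1.1",
    "10.0.0.5:4444",
    "d41d8cd98f00b204e9800998ecf8427e",   # a hash: must pass through untouched
]

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(:\d{1,5})?$")
URL_RE = re.compile(r"^(https?)://([^/:?#]+)(.*)$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")
DOMAIN_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def defang_ipv4(value):
    """Bracket every dot separator of an IPv4 address, keeping any :port suffix."""
    m = IPV4_RE.match(value)
    if not m:
        return value
    octets, port = m.groups()[:4], m.group(5) or ""
    return "[.]".join(octets) + port


def defang_domain(domain):
    """Bracket only the dot before the TLD: sub.domain.net -> sub.domain[.]net."""
    head, sep, tld = domain.rpartition(".")
    return f"{head}[.]{tld}" if sep else domain


def defang(ioc):
    """Apply the skill's defanging rules to one indicator; unknown types pass through."""
    ioc = ioc.strip()
    m = URL_RE.match(ioc)
    if m:
        scheme, host, tail = m.groups()
        scheme = scheme.lower().replace("http", "hxxp")   # http -> hxxp, https -> hxxps
        host = host.replace(".", "[.]")                   # URL hosts: bracket every dot
        return f"{scheme}://{host}{tail}"
    m = EMAIL_RE.match(ioc)
    if m:
        user, domain = m.groups()
        return f"{user}[@]{defang_domain(domain)}"
    if IPV4_RE.match(ioc):
        return defang_ipv4(ioc)
    if DOMAIN_RE.match(ioc):
        return defang_domain(ioc)
    return ioc   # hashes, mutex names, file paths, registry keys: unchanged


def refang(ioc):
    """Inverse of defang(), for the SOC team that loads the indicator into tooling."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[@]", "@"))


def defang_all(iocs):
    return [defang(i) for i in iocs]


if __name__ == "__main__":
    for raw, safe in zip(SAMPLE_IOCS, defang_all(SAMPLE_IOCS)):
        print(f"{raw:45} -> {safe}")
```

    Run `defang_all` over the IOC list just before the report is rendered, and keep `refang` available so detection engineers can recover the operational form without retyping indicators by hand.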

    Avoid:

    • Environment-specific artifacts
    • Personal/analyst system information
    • Common legitimate values
    • Untested indicators

    Detection Rules

    YARA Rules:

    • Test against sample (must detect)
    • Test against clean files (must not false positive)
    • Include metadata: author, date, description, hash
    • Use meaningful string and variable names
    • Add comments explaining detection logic
    • Set appropriate conditions to balance detection and false positives

    Best practices:

    rule Malware_Family_Variant {
        meta:
            description = "Detects Malware_Family based on C2 configuration"
            author = "Analyst Name"
            date = "2025-10-25"
            hash = "abc123..."
            reference = "Internal analysis"
            
        strings:
            $c2_config = { 48 8B ?? ?? ?? ?? ?? 48 8D ?? ?? }  // Config access pattern
            $ua_string = "Mozilla/4.0 (Suspicious UA)" ascii
            $mutex = "Global\\UniqueMalwareMutex" wide
            
        condition:
            uint16(0) == 0x5A4D and  // MZ header
            filesize < 2MB and
            2 of them
    }
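    The metadata, naming and condition requirements listed under "YARA Rules" can be checked mechanically before a rule goes into a report. The linter below is an added example, not part of the skill; it parses a single rule's `meta`, `strings` and `condition` sections with a small line-based parser (it is not a full YARA grammar) and reports each deviation from the checklist. Its inputs are the rule shown above, embedded as test data, and a constructed counter-example. Note that it complements, and does not replace, running the rule against the sample and a clean corpus with the `yara` tool, which this example does not require.

```python
import re

# Input 1: the rule text shown in the skill above, embedded here as test data.
EXAMPLE_RULE = r'''
rule Malware_Family_Variant {
    meta:
        description = "Detects Malware_Family based on C2 configuration"
        author = "Analyst Name"
        date = "2025-10-25"
        hash = "abc123..."
        reference = "Internal analysis"
    strings:
        $c2_config = { 48 8B ?? ?? ?? ?? ?? 48 8D ?? ?? }  // Config access pattern
        $ua_string = "Mozilla/4.0 (Suspicious UA)" ascii
        $mutex = "Global\\UniqueMalwareMutex" wide
    condition:
        uint16(0) == 0x5A4D and  // MZ header
        filesize < 2MB and
        2 of them
}
'''

# Input 2: constructed counter-example that violates most of the guidance.
WEAK_RULE = r'''
rule weak_rule {
    meta:
        description = "too loose"
    strings:
        $a = "Mozilla/4.0" ascii
        $s1 = "cmd.exe" ascii
    condition:
        any of them
}
'''

REQUIRED_META = ("author", "date", "description", "hash")
META_LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
HEX_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
GENERIC_NAME_RE = re.compile(r"^\$[a-z]?\d*$")      # $a, $s1, $1 ... say nothing


def parse_rule(text):
    """Split a single YARA rule into (name, meta dict, string lines, condition text)."""
    name = re.search(r"^\s*rule\s+(\w+)", text, re.M).group(1)
    sections = {"meta": [], "strings": [], "condition": []}
    current = None
    for line in text.splitlines():
        line = re.sub(r"//.*$", "", line).strip()       # drop trailing comments
        header = re.match(r"^(meta|strings|condition):$", line)
        if header:
            current = header.group(1)
        elif current and line and line != "}":
            sections[current].append(line)
    meta = {}
    for line in sections["meta"]:
        m = META_LINE_RE.match(line)
        if m:
            meta[m.group(1)] = m.group(2)
    return name, meta, sections["strings"], " ".join(sections["condition"])


def lint_rule(text):
    """Return a list of findings; an empty list means the rule meets the checklist."""
    name, meta, strings, condition = parse_rule(text)
    findings = []
    for key in REQUIRED_META:
        if key not in meta:
            findings.append(f"{name}: missing meta field '{key}'")
    if "date" in meta and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", meta["date"]):
        findings.append(f"{name}: date '{meta['date']}' is not YYYY-MM-DD")
    if "hash" in meta and not HEX_HASH_RE.match(meta["hash"]):
        findings.append(f"{name}: hash '{meta['hash']}' is not a valid MD5/SHA1/SHA256")
    if not strings:
        findings.append(f"{name}: no strings defined")
    for s in strings:
        ident = s.split("=", 1)[0].strip()
        if GENERIC_NAME_RE.match(ident):
            findings.append(f"{name}: string {ident} has a non-descriptive name")
    compact = condition.replace(" ", "").lower()
    if "uint16(0)==0x5a4d" not in compact and "uint32(0)" not in compact:
        findings.append(f"{name}: condition does not anchor on a file header")
    if "filesize" not in compact:
        findings.append(f"{name}: condition has no filesize bound")
    if re.search(r"\b(any|1)\s+of\s+them\b", condition) and len(strings) > 1:
        findings.append(f"{name}: matching on a single string is prone to over-matching")
    return findings


if __name__ == "__main__":
    for rule in (EXAMPLE_RULE, WEAK_RULE):
        for finding in lint_rule(rule) or ["OK"]:
            print(finding)
```

    On the skill's own rule the only finding is the placeholder `hash = "abc123..."`, which is exactly the field an analyst must replace with the real SHA256 before delivery; the constructed weak rule trips every other check.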
    

    Common Mistakes to Avoid

    • Over-relying on automated tool output without interpretation
    • Listing findings without explaining significance
    • Missing critical hashes or file metadata
    • Weak or untested detection rules
    • Vague remediation recommendations
    • Poor grammar/spelling
    • Inconsistent formatting
    • Environment-specific artifacts in IOCs

    Best Practices Reference

    For detailed guidance on report quality, writing style, and common pitfalls, see references/best_practices.md.

    Key topics covered:

    • Report writing principles (clarity, completeness, objectivity)
    • Structure guidelines for each section
    • IOC quality standards
    • Detection rule best practices
    • Audience considerations
    • Quality checklist
    • Efficient workflow strategies

    Time Management Strategies

    For efficient malware report creation:

    Recommended workflow:

    • Phase 1-2: Analysis
      • Document findings continuously (don't wait)
      • Take screenshots and capture evidence
      • Create detection rules during analysis
      • Organize notes by report section
    • Phase 3-4: Report writing
      • Draft all technical sections first
      • Write IOCs, detection rules, remediation
      • Create executive summary and conclusion
      • Final quality check and formatting

    Pro tip: Start documenting in report format during analysis to save time.

    Quality Checklist

    Before submitting any report, verify:

    Technical Accuracy:

    • All three hash types included and verified
    • File paths are complete and accurate
    • Timestamps include timezone
    • Process IDs included for process activity
    • Tool versions documented

    Detection Rules:

    • YARA rules tested against sample (detects correctly)
    • YARA rules tested against clean files (no false positives)
    • Rules include complete metadata
    • Conditions are appropriate and not over-matching

    IOCs:

    • Grouped by type (file, network, host)
    • Context provided for each IOC
    • All IOCs defanged (hxxp/hxxps, [.] for domains and IPs, [@] for email)
    • No environment-specific artifacts
    • All IOCs validated

    Report Quality:

    • Executive summary is non-technical and actionable
    • All sections completed
    • Grammar and spelling checked
    • Consistent formatting throughout
    • Evidence supports all claims
    • Remediation steps are specific and prioritized

    Professional Standards:

    • Report is professional and enterprise-ready
    • Detection rules work and are well-documented
    • Technical details demonstrate thorough analysis
    • Report answers: What is it? What does it do? How to detect? How to remove?

    Output Format

    Create reports in Markdown format using the template structure. For professional delivery:

    1. Create report in Markdown using the template
    2. Convert to PDF for professional appearance (if required)
    3. Ensure all sections are complete
    4. Include any screenshots as appendix items
    5. Verify detection rules are included and tested

    Example Usage

    User request: "Help me write a report for this ransomware sample I analyzed"

    Workflow:

    1. Load the report template
    2. Ask user for key findings from their analysis
    3. Structure findings into appropriate sections
    4. Help craft executive summary
    5. Format IOCs properly
    6. Review and validate YARA rules
    7. Provide remediation recommendations
    8. Review final report against quality checklist
    Repository
    gl0bal01/malware-analysis-claude-skills