Features

Supported files formats and architectures

CPU architectures

Malcat is not IDA: it does not try to handle every CPU architecture, only the ones used by most malware. For performance reasons, the disassemblers are currently written in C++ and users cannot add new architectures, but python-based disassembler support may be added in the future. The current list of supported architectures is given below:

| CPU | Disassembler | Decompiler | Strings identification | Function discovery | Notes |
|---|---|---|---|---|---|
| x86 | Yes | Yes | scan (+heuristics for Golang) | linear + recursive + pattern matching | disassembler based on Zydis, decompiler on Sleigh |
| x64 | Yes | Yes | scan (+heuristics for Golang) | linear + recursive + pattern matching | disassembler based on Zydis, decompiler on Sleigh |
| .NET | Yes | No | Yes (metadata) | Yes (metadata) | custom disassembler |
| PY 2.7 | Yes | No | Yes (metadata) | Yes (metadata) | custom disassembler |
| PY 3.6+ | Yes | No | Yes (metadata) | Yes (metadata) | custom disassembler |
| NSIS | Yes | No | Yes (metadata) | linear + recursive | |
| AutoIT 3.26+ | No | Yes | No | No | simple detokenization of AutoIT scripts |
| VB Pcode | Partial | No | Yes (reference scan) | Yes | |
| VBA (office) | No | Yes | No | No | |
| Excel macros (office) | No | Yes | Yes (metadata) | - | Biff8 and Biff12 support |
Disassembler:
whether machine code can be analyzed
Decompiler:
whether source code can be recovered
Strings identification:
whether and how Malcat identifies the strings of the program. scan means that a standard linear sweep string search algorithm is used, the one you can find in most tools.
Function discovery:
whether program methods/functions are identified.
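The scan column above refers to the linear sweep just described. As an added example (not Malcat's own code), here is a minimal linear sweep in Python over a constructed buffer: it reports ASCII and UTF-16LE runs with their file offsets, and a second constructed buffer laid out the way Go stores string data (back-to-back, referenced by pointer and length, never NUL-terminated) shows why a plain sweep merges Go strings into one blob and needs extra heuristics.

```python
import re
from typing import List, Tuple

# Constructed sample buffer (not from any real binary): two NUL-terminated
# ASCII strings, one UTF-16LE string, and short noise runs in between.
SAMPLE = (
    b"\x4d\x5a\x90\x00"                                  # "MZ" + noise: run too short
    + b"kernel32.dll\x00"                                # ASCII at offset 4
    + b"\x01\x02\x03"
    + b"abc\x00\x10\x11"                                 # 3 chars: below the default minimum
    + "http://example.invalid/".encode("utf-16-le")      # UTF-16LE at offset 26
    + b"\x00\x00\xff\xfe\xfd"
    + b"GetProcAddress\x00"                              # ASCII at offset 77
)

# Constructed buffer mimicking Go's string data layout: consecutive strings
# with no terminator between them (Go references them by pointer + length).
GO_LIKE = b"kernel32.dllGetProcAddress"


def linear_sweep(buf: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Plain linear sweep: report every run of >= min_len printable
    characters, as ASCII or as UTF-16LE, together with its file offset."""
    printable = rb"[\x20-\x7e\t]"
    ascii_re = re.compile(printable + rb"{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:" + printable + rb"\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(buf):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(buf):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    # Order by offset so the listing follows the file layout.
    return sorted(found)


if __name__ == "__main__":
    for off, enc, text in linear_sweep(SAMPLE):
        print(f"0x{off:04x} {enc:8s} {text!r}")
    # The Go-style blob comes out as a single merged string: the sweep has no
    # terminator to split on, which is why Go binaries need extra heuristics.
    print(linear_sweep(GO_LIKE))
```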

File formats

Malcat supports a large number of file formats through its python-based file parsers. Anyone can add support for a new file format by adding new scripts to Malcat's data directory.

Programs

Here you can find the current list of supported executable formats:

| File Format | Structures parsing | Debug information | Resources | Notes |
|---|---|---|---|---|
| AutoIt | 3.26+ only | - | - | Scripts can be decompiled (hit F4) |
| COFF | Yes | symbols and CV13 debug symbols | - | relocations, symbols, imports |
| ELF | Yes | symbols, no DWARF | - | relocations, symbols, imports, big and little endian |
| LNK | Yes | - | - | while not a program format per se, it can be used to run commands |
| MDMP | Partial | No | - | Windows minidumps, partial support |
| NSIS | Yes | Yes | - | setup script can be disassembled, most sections parsed |
| OLE | Yes | - | - | VBA macros can be displayed (hit F4) |
| PE/PE+ | Yes | Only debug directory, no PDB | Yes | exports, imports (+ bound/delay), relocations, tls, debug, load config, certificates, version information |
| PE::DotNet | Yes | Types and methods | Yes | types, methods, resources, exceptions, strings |
| PE::Golang | Yes | pclntable and filetable | - | |
| PE::Visual Basic | Yes | types and events | VB forms | native and PCode support, project info, objects array, forms and events |
| PYC | Yes | Yes | - | support for python 2.7+ and 3.6+ |
| VBE | Yes | - | - | Malcat supports unpacking the original VBS script |
| XLS | Yes | - | - | The /Workbook stream inside OLE containers. Cell information (including formulas) can be recovered (hit F4) |
| XLSB | Yes | - | - | The .bin files inside OpenXML .xlsb containers. Cell information (including formulas) can be recovered (hit F4) |
Structures parsing:
whether the file format parser identifies (most of) the binary structures of the file format
Debug information:
whether debug information is parsed
Resources:
if the program embeds resources, whether Malcat can identify and extract them

Archives / File Systems

While Malcat has no pretension of being a full-fledged archive opener, it supports most archive types used by malware. Some file format parsers are more advanced than others and even allow the user to open archive members directly inside Malcat. Here is the list of supported file formats:

| File Format | Structures parsing | In-application unpacking | Summary | Notes |
|---|---|---|---|---|
| 7Z | EncodedHeader only | No | No | |
| ACE | Yes | Yes | Yes | |
| AutoIt | 3.26+ only | 3.26+ only | Yes | Scripts can be decompiled (hit F4) |
| CAB | Yes | zlib encoding only | Yes | |
| CFB/OLE2 | Yes | Yes | Yes | VBA macros can be displayed (hit F4) |
| GZIP | Yes | Yes | Yes | |
| NSIS | Yes | zlib and lzma, no bz2 support | Yes | |
| PYINST | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| PYZ | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| RAR4 | Yes | No | Yes | Archive comments are shown for easy SFX analysis |
| RAR5 | Yes | No | Yes | Archive comments are shown for easy SFX analysis |
| SquashFS | Partial | Not yet | No | |
| ZIP | Yes | Yes | Yes | |
| ZLIB stream | Yes | Yes | Yes | |
Structures parsing:
whether the file format parser identifies (most of) the binary structures of the file format
In-application unpacking:
whether the file format parser can directly extract and open archive members. Inside Malcat, one can then open a member by double-clicking it in the Virtual File System tab.
Summary:
whether Malcat displays a summary report in the Summary view

Multimedia / Documents

Document and picture identification is very useful for malware analysis: many obfuscators disguise their payloads as multimedia files, or hide them inside a multimedia file in some unused space.

| File Format | Structures parsing | Metadata | Notes |
|---|---|---|---|
| BMP | Yes | - | Both BMP and DIB (i.e. BMP without FileHeader) are supported |
| DOC | Partial (FCB) | Yes | The /WordDocument stream inside OLE containers |
| ICO | Yes | - | |
| JPG | Yes | Tiff | |
| OOXML | No | No | Well, it's a ZIP, so you can browse it inside Malcat |
| PDF | Minimal (PDF dictionary) | No | Very minimal support, since it is not really a binary format |
| PNG | Yes | Yes | Pixel information can be extracted using scripts |
| WAV | Basic | No | |
| XLS | Yes | Yes | |
| XLSB | Yes | Yes | |
Structures parsing:
whether the file format parser identifies (most of) the binary structures of the file format
Metadata:
whether most metadata (author, comments, time, etc.) is extracted