Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and packing of samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32) contains hidden information that can give security analysts an upper hand.
In this presentation, we present a technical description of the Rich Header and show how to extract the data that it clandestinely contains. We will then show how this information can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. Additionally, we will demonstrate how to perform similarity matching, in near real-time, based solely on the contents of the Rich Header. Our similarity matching algorithm successfully identifies similar malware samples in addition to identifying when malware has been built under different build environments, revealing potentially distinct actors.
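The extraction step described above, as an added example that is not the presenters' code: the parser below locates the Rich Header between the DOS stub and the PE signature, recovers the XOR key stored after the "Rich" marker, decodes the (component id, object count) pairs, and recomputes the checksum so that a header someone has tampered with is flagged. It assumes the publicly documented layout (an XORed "DanS" marker, three padding dwords, the entry pairs, then "Rich" and the key in the clear) and the documented checksum (DanS offset plus rotated DOS-header bytes, skipping e_lfanew, plus each comp id rotated by its count). The toolchain entries in `ENTRIES_A` and `ENTRIES_B` are constructed, not taken from real samples; `build_rich_sample` exists only to produce offline test input. The MD5-of-decoded-header triage key and the Jaccard similarity over component sets are simple stand-ins of my own, not the similarity algorithm the talk describes.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

MASK32 = 0xFFFFFFFF
DANS = 0x536E6144  # little-endian dword for the ASCII bytes "DanS"
RICH = b"Rich"

def _rol32(value: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits (n taken mod 32)."""
    n %= 32
    return ((value << n) | (value >> (32 - n))) & MASK32

@dataclass(frozen=True)
class RichEntry:
    prod_id: int  # toolchain component id (high 16 bits of the comp id)
    build: int    # toolchain build number (low 16 bits of the comp id)
    count: int    # number of objects in the image produced by it

@dataclass
class RichHeader:
    offset: int              # file offset of the XORed "DanS" marker
    key: int                 # XOR key stored in the clear after "Rich"
    entries: List[RichEntry]
    checksum_ok: bool        # key equals the checksum recomputed from the file
    rich_hash: str           # MD5 of the decoded header, a cheap triage key

def _checksum(data: bytes, dans_off: int, entries: Sequence[RichEntry]) -> int:
    """Recompute the key from the DOS header bytes and the entries."""
    total = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:  # e_lfanew is excluded from the sum
            continue
        total = (total + _rol32(data[i], i)) & MASK32
    for e in entries:
        total = (total + _rol32((e.prod_id << 16) | e.build, e.count)) & MASK32
    return total

def _xor_dwords(buf: bytes, key: int) -> bytes:
    kb = key.to_bytes(4, "little")
    return bytes(b ^ kb[i % 4] for i, b in enumerate(buf))

def parse_rich_header(data: bytes) -> RichHeader:
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The header sits in front of the PE signature, so search only there.
    rich_off = data[:e_lfanew].rfind(RICH)
    if rich_off < 0:
        raise ValueError("no Rich marker before the PE header")
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    # Walk backwards a dword at a time until the XORed "DanS" marker appears.
    dans_off = rich_off - 4
    while dans_off >= 0:
        if struct.unpack_from("<I", data, dans_off)[0] ^ key == DANS:
            break
        dans_off -= 4
    else:
        raise ValueError("DanS marker not found")
    clear = _xor_dwords(data[dans_off:rich_off], key)
    # Skip "DanS" and its three padding dwords, then read (comp id, count) pairs.
    entries = [RichEntry(c >> 16, c & 0xFFFF, n)
               for c, n in struct.iter_unpack("<II", clear[16:])]
    return RichHeader(offset=dans_off, key=key, entries=entries,
                      checksum_ok=_checksum(data, dans_off, entries) == key,
                      rich_hash=hashlib.md5(clear).hexdigest())

def build_rich_sample(entries: Sequence[Tuple[int, int, int]], stub_len: int = 0x80) -> bytes:
    """Construct a minimal MZ image with a valid Rich header (test data only)."""
    ents = [RichEntry(p, b, c) for p, b, c in entries]
    dos = bytearray(stub_len)
    dos[:2] = b"MZ"
    rich_off = stub_len + 16 + 8 * len(ents)
    struct.pack_into("<I", dos, 0x3C, rich_off + 8)  # e_lfanew just past the key
    key = _checksum(bytes(dos), stub_len, ents)
    clear = struct.pack("<4I", DANS, 0, 0, 0) + b"".join(
        struct.pack("<II", (e.prod_id << 16) | e.build, e.count) for e in ents)
    return bytes(dos) + _xor_dwords(clear, key) + RICH + struct.pack("<I", key) + b"PE\0\0"

def rich_similarity(a: RichHeader, b: RichHeader) -> float:
    """Jaccard similarity of the (prod id, build) component sets."""
    sa = {(e.prod_id, e.build) for e in a.entries}
    sb = {(e.prod_id, e.build) for e in b.entries}
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0

# Constructed toolchain lists (prod id, build, count); not from real samples.
ENTRIES_A = [(0x93, 0x7809, 12), (0x84, 0x7809, 3), (0x8E, 0x7809, 1)]
ENTRIES_B = [(0x93, 0x7809, 40), (0x84, 0x7809, 2), (0x95, 0x6B12, 1)]

if __name__ == "__main__":
    ha = parse_rich_header(build_rich_sample(ENTRIES_A))
    hb = parse_rich_header(build_rich_sample(ENTRIES_B))
    for e in ha.entries:
        print(f"prod_id={e.prod_id:#06x} build={e.build} count={e.count}")
    print("checksum ok:", ha.checksum_ok, "hash:", ha.rich_hash)
    print("similarity A/B:", rich_similarity(ha, hb))
```

Two points worth noting when running this over real corpora: the counts are deliberately excluded from the similarity set, since the same toolchain produces different object counts for different projects, and a failed checksum is itself a triage signal, because a header that was patched or copied from another binary no longer matches the DOS stub it sits behind.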