A Modern Solution for Windows Malware Detection with Static PE Header Features

Malware continues to pose a significant threat to individuals and businesses of all sizes. Malware analysts have been trying to create an automated solution for detecting malware and usually resort to Machine Learning. They use features extracted statically and dynamically from portable executable (PE) files to train the model, which they then use for malware detection. In this project we created a dataset comprising of 34,055 samples, using the low-level tool called "PExtract". This dataset is aimed for malware detection and contains DOS Header information, Optional Header information, Section Names, DLLs and API calls. Using the string features from the dataset, we trained and evaluated 15 models, including Transformers, Naive Bayes, and a Neural Network model proposed by the state-of-the-art. We reproduced API-MalDetect, as the representation of state-of-the-art, in order to compare it to our proposal. We found that using the ModernBERT model for static malware detection is the best option for string type features. During evaluation, we found that ModernBERT yields the best results, reaching 98.7% accuracy on our test set. API-MalDetect reached peak 91.55% accuracy when trained on Section Names. Conversely, Naive Bayes models consistently underperformed and are therefore not recommended when working with low-level static features. Our contributions include the development of the PExtract tool and dataset, as well as the fine-tuned Transformer model, ModernBERT, which outperforms current state-of-the-art methods.