---
name: malware-report-writer
description: Professional malware analysis report creation for enterprise malware analysis and incident response. Use when the user needs to create, structure, or improve a malware analysis report, write technical documentation for malware samples, create executive summaries, or format IOCs and detection rules for professional delivery.
---

# Malware Report Writer
Create professional, comprehensive malware analysis reports for enterprise security teams, incident response, and threat intelligence.
## When to Use This Skill
Use this skill when the user needs to:
- Create a complete malware analysis report from analysis findings
- Structure analysis results into professional documentation
- Write executive summaries for malware samples
- Format IOCs and detection rules for delivery
- Review or improve existing malware reports
- Prepare report documentation for stakeholders
## Quick Start

### Creating a New Report

1. Use the report template from `assets/report_template.md` as the base structure
2. Gather all analysis artifacts:
   - Sample hashes and file information
   - Static analysis findings (strings, imports, PE structure)
   - Dynamic analysis observations (processes, registry, network, files)
   - IOCs identified
   - Detection rules created
3. Populate each section systematically
4. Review against best practices in `references/best_practices.md`
## Report Structure
The standard report includes these sections in order:
1. **Executive Summary** - High-level overview for non-technical stakeholders
2. **Sample Information** - Basic file metadata and hashes
3. **Static Analysis** - File structure, strings, imports/exports, resources
4. **Dynamic Analysis** - Runtime behavior, system changes, network activity
5. **IOCs** - Organized by type (file, network, host indicators)
6. **Detection Rules** - YARA rules and optionally Sigma rules
7. **Malware Classification** - Family, type, capabilities
8. **Remediation and Mitigation** - Actionable response steps
9. **Technical Details** - Additional deep-dive analysis
10. **Conclusion** - Final summary and assessment
11. **References** - External resources and links
12. **Appendix** - Timeline, tools used, screenshots
## Key Principles

### Professional Quality
- Use precise technical language with clear explanations
- Include all three hash types (MD5, SHA1, SHA256)
- Provide full context for every finding
- Document methodology and tools used
- Include timestamps and version information
### Professional Report Requirements
Industry-standard reports require:
- Complete technical documentation of malware samples
- Professional format suitable for enterprise delivery
- Working detection rules based on malware characteristics
- Clear IOCs that can be operationalized
**Critical:** The quality of your report reflects your professionalism. Allocate sufficient time for writing and review.

### Audience Awareness
Structure content for multiple audiences:
- **Executive Summary:** Non-technical decision makers
- **Technical Sections:** Security analysts and researchers
- **IOCs/Detection:** SOC teams and detection engineers
- **Remediation:** Incident responders
## Writing Guidelines

### Executive Summary
- 2-4 paragraphs maximum
- Plain language, minimal jargon
- Answer: What? How critical? What actions?
- Include key findings in bullet points
### Technical Analysis
- Document both positive and negative findings
- Provide evidence for every claim
- Use code blocks for technical artifacts
- Include screenshots when they add value
- Connect behaviors to specific evidence
### IOCs Section

**Format:**
- Group by type (file, network, host)
- Include context for each indicator
- Provide confidence levels if uncertain
- Test IOCs for accuracy before including
**Avoid:**
- Environment-specific artifacts
- Personal/analyst system information
- Common legitimate values
- Untested indicators
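An added example (not part of this skill's assets) that applies the grouping and hygiene rules above to a constructed IOC list: hashes, addresses, domains, paths and mutexes are sorted into the file/network/host groups, environment-specific values (non-routable addresses, analyst profile paths) and common legitimate domains are rejected or normalised. The sample values and the `COMMON_LEGIT` allowlist are assumptions.

```python
import ipaddress
import re

# Added example, not part of the skill's own assets. IOC values are constructed;
# COMMON_LEGIT stands in for an organisation's own allowlist of too-common values.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\", re.I)
COMMON_LEGIT = {"microsoft.com", "windowsupdate.com", "google.com"}
RAW_IOCS = [  # constructed analyst notes, mixed quality on purpose
    "d41d8cd98f00b204e9800998ecf8427e",               # MD5 of the sample
    "10.0.0.5",                                        # sandbox gateway, not the malware's
    "update-check.example.net",                        # C2 domain
    "microsoft.com",                                   # contacted, but legitimate
    "C:\\Users\\analyst\\AppData\\Roaming\\svc.exe",   # drop path seen on the analyst VM
    "C:\\ProgramData\\svchost_update.exe",             # second drop path
    "Global\\UniqueMalwareMutex",                      # mutex from the sample
]

def classify_ioc(value):
    """Return (group, kind, normalised_value); group is file/network/host/reject."""
    v = value.strip()
    if HASH_RE.match(v):
        return "file", "hash", v.lower()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        # is_private also covers loopback, link-local and RFC 5737 documentation ranges
        if ip.is_private or ip.is_multicast:
            return "reject", "non-routable address (environment artifact)", v
        return "network", "ip", v
    if DOMAIN_RE.match(v):
        if v.lower() in COMMON_LEGIT:
            return "reject", "common legitimate domain", v
        return "network", "domain", v.lower()
    if re.match(r"^[a-z]:\\", v, re.I) or v.startswith("/"):
        # Replace the analyst's profile directory so the path is portable
        return "host", "path", USER_PROFILE_RE.sub(r"%USERPROFILE%\\", v)
    if v.startswith(("Global\\", "Local\\")):
        return "host", "mutex", v
    return "reject", "unrecognised indicator format", v

def group_iocs(values):
    """Group IOCs by report section, keeping rejects together with their reason."""
    groups = {"file": [], "network": [], "host": [], "reject": []}
    for value in values:
        group, kind, norm = classify_ioc(value)
        groups[group].append((norm, kind))
    return groups
```

Rejected entries are kept with their reason so the analyst can decide whether to drop them or rework them (for example, a sandbox address may still belong in a narrative sentence, just not in the IOC table).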
### Detection Rules

**YARA Rules:**
- Test against sample (must detect)
- Test against clean files (must not false positive)
- Include metadata: author, date, description, hash
- Use meaningful string and variable names
- Add comments explaining detection logic
- Set appropriate conditions to balance detection and false positives
**Best practices:**

```yara
rule Malware_Family_Variant {
    meta:
        description = "Detects Malware_Family based on C2 configuration"
        author = "Analyst Name"
        date = "2025-10-25"
        hash = "abc123..."
        reference = "Internal analysis"
    strings:
        $c2_config = { 48 8B ?? ?? ?? ?? ?? 48 8D ?? ?? } // Config access pattern
        $ua_string = "Mozilla/4.0 (Suspicious UA)" ascii
        $mutex = "Global\\UniqueMalwareMutex" wide
    condition:
        uint16(0) == 0x5A4D and // MZ header
        filesize < 2MB and
        2 of them
}
```
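An added example (not part of this skill's assets) that checks a rule's text against the metadata, naming and condition points listed above, using the rule shown above as input; on that rule it flags only the placeholder hash. The required-field set and the naming heuristic are assumptions, and a text check never replaces compiling the rule and testing it against the sample and clean files.

```python
import re
# Added example, not part of the skill's own assets: a text-only lint for the
# YARA metadata and naming points above; it does not replace real testing.
REQUIRED_META = ("author", "date", "description", "hash")
META_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
STRING_NAME_RE = re.compile(r"^\s*(\$\w+)\s*=", re.M)
HEX_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
WEAK_NAME_RE = re.compile(r"^\$[a-z]?\d*$")  # $a, $s1, $1 ...
EXAMPLE_RULE = r"""
rule Malware_Family_Variant {
    meta:
        description = "Detects Malware_Family based on C2 configuration"
        author = "Analyst Name"
        date = "2025-10-25"
        hash = "abc123..."
        reference = "Internal analysis"
    strings:
        $c2_config = { 48 8B ?? ?? ?? ?? ?? 48 8D ?? ?? } // Config access pattern
        $ua_string = "Mozilla/4.0 (Suspicious UA)" ascii
        $mutex = "Global\\UniqueMalwareMutex" wide
    condition:
        uint16(0) == 0x5A4D and // MZ header
        filesize < 2MB and
        2 of them
}
"""  # the rule shown above, used as the lint input

def _section(rule, name):
    """Body of the `name:` block (meta/strings/condition), or '' if absent."""
    m = re.search(rf"\b{name}:\s*(.*?)(?=\n\s*(?:meta|strings|condition):|\n}}\s*$)", rule, re.S)
    return m.group(1) if m else ""

def lint_yara_rule(rule):
    """Return checklist findings for one rule; an empty list means it passes."""
    findings = []
    meta = dict(META_RE.findall(_section(rule, "meta")))
    for key in REQUIRED_META:
        if key not in meta:
            findings.append(f"meta: missing required field '{key}'")
    if "date" in meta and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", meta["date"]):
        findings.append("meta: date is not YYYY-MM-DD")
    if "hash" in meta and not HEX_HASH_RE.match(meta["hash"]):
        findings.append("meta: hash is not a full MD5/SHA1/SHA256 value")
    for name in STRING_NAME_RE.findall(_section(rule, "strings")):
        if WEAK_NAME_RE.match(name):
            findings.append(f"strings: non-descriptive identifier {name}")
    if "filesize" not in _section(rule, "condition"):
        findings.append("condition: missing or has no filesize bound")
    return findings
```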
## Common Mistakes to Avoid
- Over-relying on automated tool output without interpretation
- Listing findings without explaining significance
- Missing critical hashes or file metadata
- Weak or untested detection rules
- Vague remediation recommendations
- Poor grammar/spelling
- Inconsistent formatting
- Environment-specific artifacts in IOCs
## Best Practices Reference

For detailed guidance on report quality, writing style, and common pitfalls, see `references/best_practices.md`.
Key topics covered:
- Report writing principles (clarity, completeness, objectivity)
- Structure guidelines for each section
- IOC quality standards
- Detection rule best practices
- Audience considerations
- Quality checklist
- Efficient workflow strategies
## Time Management Strategies

For efficient malware report creation:

**Recommended workflow:**

**Phase 1-2: Analysis**
- Document findings continuously (don't wait)
- Take screenshots and capture evidence
- Create detection rules during analysis
- Organize notes by report section
**Phase 3-4: Report writing**
- Draft all technical sections first
- Write IOCs, detection rules, remediation
- Create executive summary and conclusion
- Final quality check and formatting
**Pro tip:** Start documenting in report format during analysis to save time.

## Quality Checklist

Before submitting any report, verify:

**Technical Accuracy:**
- All three hash types included and verified
- File paths are complete and accurate
- Timestamps include timezone
- Process IDs included for process activity
- Tool versions documented
**Detection Rules:**
- YARA rules tested against sample (detects correctly)
- YARA rules tested against clean files (no false positives)
- Rules include complete metadata
- Conditions are appropriate and not over-matching
**IOCs:**
- Grouped by type (file, network, host)
- Context provided for each IOC
- No environment-specific artifacts
- All IOCs validated
**Report Quality:**
- Executive summary is non-technical and actionable
- All sections completed
- Grammar and spelling checked
- Consistent formatting throughout
- Evidence supports all claims
- Remediation steps are specific and prioritized
**Professional Standards:**
- Report is professional and enterprise-ready
- Detection rules work and are well-documented
- Technical details demonstrate thorough analysis
- Report answers: What is it? What does it do? How to detect? How to remove?
## Output Format
Create reports in Markdown format using the template structure. For professional delivery:
- Create report in Markdown using the template
- Convert to PDF for professional appearance (if required)
- Ensure all sections are complete
- Include any screenshots as appendix items
- Verify detection rules are included and tested
## Example Usage

**User request:** "Help me write a report for this ransomware sample I analyzed"

**Workflow:**

1. Load the report template
2. Ask user for key findings from their analysis
3. Structure findings into appropriate sections
4. Help craft executive summary
5. Format IOCs properly
6. Review and validate YARA rules
7. Provide remediation recommendations
8. Review final report against quality checklist