All articles
Educationentropypackingstatic-analysis

Entropy Analysis

Shannon entropy as a packing and encryption detector — how to read per-section entropy values, what each range means, and why high entropy in the code section almost always means packed malware.

Ashish Revar12 May 202612 min read2 views
Quick Bite

⚡ Quick Bite · 40s

Entropy Analysis: Spotting Packed Malware

Shannon entropy and header discrepancies to identify obfuscated threats — the 0-8 scale, sectional context (.text vs .rsrc), and the packing trick of VirtualSize vs SizeOfRawData.

Watch this 40-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

What is Shannon Entropy?

Shannon entropy measures the randomness of data on a scale from 0 to 8:

  • 0 — perfectly uniform data (a file full of identical bytes)
  • 8 — perfectly random data (encrypted or compressed content)

The formula measures how unpredictable each byte is given the distribution of all bytes in the region. Structured data like English text or compiled code has patterns — repeated byte values, common sequences — giving lower entropy. Encrypted or compressed data has no patterns, approaching maximum entropy.

Entropy Ranges and Their Meaning

Entropy RangeContent TypeVerdict
0.0 – 1.0Null bytes, repeated patternsPadding or sparse data
1.0 – 5.0Text, configuration dataNormal uncompressed content
5.0 – 6.5Compiled native code, data sectionsNormal for most PE sections
6.5 – 7.0Borderline — investigate furtherMay indicate light compression
7.0 – 8.0Encrypted or compressed contentAlmost certainly packed

Rule of thumb: entropy above 7.0 in the .text section means the code is packed. Stop static analysis and unpack first.

Where to Check Entropy

PEStudio — displays per-section entropy in the Sections tab. High entropy sections are highlighted automatically.

Detect It Easy (DIE) — shows per-section entropy as a bar graph alongside packer detection. The visual makes it immediately obvious which sections are suspicious.

CFF Explorer — shows raw entropy values for each section in the Section Headers view.

Reading Per-Section Entropy

Not all high-entropy sections are equally suspicious. Context matters:

SectionHigh Entropy Meaning
.textAlmost certainly packed or encrypted. Code should not be random.
.dataSuspicious — may contain encrypted configuration or embedded payload.
.rsrcLess alarming — legitimate applications store compressed images in resources.
.rdataSuspicious — read-only data should not be encrypted in a normal binary.
Custom name (.UPX1, .packed)Confirmed packer section — proceed to unpacking.

The VirtualSize vs SizeOfRawData Trick

Packers reserve empty memory that the unpacking stub fills at runtime:

Section header shows:
  VirtualSize    = 0x00050000  (320 KB reserved in memory)
  SizeOfRawData  = 0x00000200  (512 bytes on disk)

The section is almost empty on disk but large in memory. The stub decompresses the packed code into this reserved space during execution. This is a reliable packer indicator even when entropy alone is ambiguous.

Entropy in Practice: Two Examples

Example 1 — Normal executable

Section   Entropy
.text     5.82     ← Compiled code, normal
.rdata    4.21     ← Read-only data, normal
.data     3.15     ← Variables, normal
.rsrc     5.44     ← Resources, normal

No action needed — entropy is consistent with a clean, uncompressed binary.

Example 2 — UPX-packed malware

Section   Entropy
UPX0      0.00     ← Empty on disk (VirtualSize >> SizeOfRawData)
UPX1      7.84     ← Packed payload, near-maximum entropy
UPX2      5.21     ← Unpacking stub

Immediate action: detect packer with DIE, unpack with upx -d or manually via ESP breakpoint technique (covered in Unit 5).

Entropy Is Not Proof

High entropy in .text is strong evidence of packing — but not proof of malice. Legitimate software uses packers for license protection (Themida, VMProtect on commercial applications) and compression (Installer packages). Always combine entropy analysis with other indicators: import table size, section names, string content, and behavioural analysis.

Refer to REMA eBook 2026, Figure 2.11 for the entropy comparison visualisation showing structured code vs packed data side by side.

Sign in to mark this article as read and track your progress.