Entropy Analysis
Shannon entropy as a packing and encryption detector — how to read per-section entropy values, what each range means, and why high entropy in the code section almost always means packed malware.
⚡ Quick Bite · 40s
Entropy Analysis: Spotting Packed Malware
Shannon entropy and header discrepancies to identify obfuscated threats — the 0-8 scale, sectional context (.text vs .rsrc), and the packing trick of VirtualSize vs SizeOfRawData.
Watch this 40-second summary before diving into the full article. Sign in to earn 5 leaderboard points.
What is Shannon Entropy?
Shannon entropy measures the randomness of data on a scale from 0 to 8:
- 0 — perfectly uniform data (a file full of identical bytes)
- 8 — perfectly random data (encrypted or compressed content)
The formula measures how unpredictable each byte is given the distribution of all bytes in the region. Structured data like English text or compiled code has patterns — repeated byte values, common sequences — giving lower entropy. Encrypted or compressed data has no patterns, approaching maximum entropy.
Entropy Ranges and Their Meaning
| Entropy Range | Content Type | Verdict |
|---|---|---|
| 0.0 – 1.0 | Null bytes, repeated patterns | Padding or sparse data |
| 1.0 – 5.0 | Text, configuration data | Normal uncompressed content |
| 5.0 – 6.5 | Compiled native code, data sections | Normal for most PE sections |
| 6.5 – 7.0 | Borderline — investigate further | May indicate light compression |
| 7.0 – 8.0 | Encrypted or compressed content | Almost certainly packed |
Rule of thumb: entropy above 7.0 in the
.textsection means the code is packed. Stop static analysis and unpack first.
Where to Check Entropy
PEStudio — displays per-section entropy in the Sections tab. High entropy sections are highlighted automatically.
Detect It Easy (DIE) — shows per-section entropy as a bar graph alongside packer detection. The visual makes it immediately obvious which sections are suspicious.
CFF Explorer — shows raw entropy values for each section in the Section Headers view.
Reading Per-Section Entropy
Not all high-entropy sections are equally suspicious. Context matters:
| Section | High Entropy Meaning |
|---|---|
.text | Almost certainly packed or encrypted. Code should not be random. |
.data | Suspicious — may contain encrypted configuration or embedded payload. |
.rsrc | Less alarming — legitimate applications store compressed images in resources. |
.rdata | Suspicious — read-only data should not be encrypted in a normal binary. |
Custom name (.UPX1, .packed) | Confirmed packer section — proceed to unpacking. |
The VirtualSize vs SizeOfRawData Trick
Packers reserve empty memory that the unpacking stub fills at runtime:
Section header shows:
VirtualSize = 0x00050000 (320 KB reserved in memory)
SizeOfRawData = 0x00000200 (512 bytes on disk)
The section is almost empty on disk but large in memory. The stub decompresses the packed code into this reserved space during execution. This is a reliable packer indicator even when entropy alone is ambiguous.
Entropy in Practice: Two Examples
Example 1 — Normal executable
Section Entropy
.text 5.82 ← Compiled code, normal
.rdata 4.21 ← Read-only data, normal
.data 3.15 ← Variables, normal
.rsrc 5.44 ← Resources, normal
No action needed — entropy is consistent with a clean, uncompressed binary.
Example 2 — UPX-packed malware
Section Entropy
UPX0 0.00 ← Empty on disk (VirtualSize >> SizeOfRawData)
UPX1 7.84 ← Packed payload, near-maximum entropy
UPX2 5.21 ← Unpacking stub
Immediate action: detect packer with DIE, unpack with upx -d or manually via ESP breakpoint technique (covered in Unit 5).
Entropy Is Not Proof
High entropy in .text is strong evidence of packing — but not proof of malice. Legitimate software uses packers for license protection (Themida, VMProtect on commercial applications) and compression (Installer packages). Always combine entropy analysis with other indicators: import table size, section names, string content, and behavioural analysis.
Refer to REMA eBook 2026, Figure 2.11 for the entropy comparison visualisation showing structured code vs packed data side by side.
Sign in to mark this article as read and track your progress.