International Journal of Computer Theory and Engineering

Editor-In-Chief: Prof. Mehmet Sahinoglu
Frequency: Quarterly
ISSN: 1793-8201 (Print), 2972-4511 (Online)
Publisher: IACSIT Press

IJCTE 2026 Vol.18(1): 11-26
DOI: 10.7763/IJCTE.2026.V18.1385

A Compact Multi-Step Framework for Packing Identification in Portable Executable Files for Malware Static Analysis

Jong-Wouk Kim1, Yang-Sae Moon2,3, and Mi-Jung Choi2,3,4,*
1. Department of Computer Science, Kangwon National University, Gangwon 24341, Republic of Korea
2. Department of Computer Science and Engineering, Kangwon National University, Gangwon 24341, Republic of Korea
3. Department of Data Science, Kangwon National University, Gangwon 24341, Republic of Korea
4. IGP. In Bigdata Convergence, Kangwon National University, Gangwon 24341, Republic of Korea
Email: jw.kim@kangwon.ac.kr (J.W.K); ysmoon@kangwon.ac.kr (Y.S.M); mjchoi@kangwon.ac.kr (M.J.C)
*Corresponding author

Manuscript received May 7, 2025; revised June 11, 2025; accepted October 18, 2025; published January 9, 2026

Abstract—Packing presents a major challenge in cybersecurity, as it complicates malware analysis and extends the operational lifespan of malicious software. This study addresses the issue by developing a robust framework designed to detect packed executable files and identify the specific packers used. The proposed framework leverages 20 optimally selected features extracted from Portable Executable (PE) files to detect packing and recognize packer signatures. A series of extensive experiments was conducted to determine the most effective combination of classification model and feature set. The extreme gradient boost algorithm was selected based on its superior performance. The proposed model achieved a high detection accuracy of 99.27% and an F1-score of 98.84%, outperforming recent methods in the field. In addition, the study introduces a publicly accessible dataset containing 213,784 PE samples and 125 features to facilitate future research. The framework provides a practical tool for security analysts, improving their ability to identify and respond to PE file-based malware in real-world environments. This study focuses exclusively on a static analysis pipeline; no dynamic execution is performed. We also describe how the framework could interface with sandbox-derived dynamic behavioral signals in future work without extending the current study’s scope. Overall, this research contributes a static feature-based approach for packer detection and signature identification, together with a large-scale open dataset that supports ongoing advances in malware classification and analysis.

Keywords—packed malware, packing, feature engineering, machine learning

Cite: Jong-Wouk Kim, Yang-Sae Moon, and Mi-Jung Choi, "A Compact Multi-Step Framework for Packing Identification in Portable Executable Files for Malware Static Analysis," International Journal of Computer Theory and Engineering, vol. 18, no. 1, pp. 11-26, 2026.

Copyright © 2026 by the authors. This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).
