Malware analysis: Static analysis (examining code without running it) — strings, imports, disassembly. Dynamic analysis (running it in a sandbox) — behaviors, network calls, file changes.
Tools: Cuckoo sandbox (dynamic), IDA Pro/Ghidra (static/reverse engineering), VirusTotal (reputation). Obfuscated malware resists static analysis — dynamic analysis reveals actual behavior. Sandbox analysis can be defeated by VM-aware malware.