🤖 AI Summary
This work proposes a novel multi-decompiler view fusion strategy to address the limitations of existing large language model (LLM)-based malware classification approaches that rely on a single decompiler view and are thus prone to information loss and fragility. By leveraging complementary pseudo-C code generated by Ghidra and RetDec, the method employs prompt engineering to guide multiple mainstream LLMs in performing classification without requiring additional training, thereby enhancing their ability to recognize malicious samples. Experimental evaluation on a custom benchmark dataset demonstrates that the proposed approach significantly improves F1 scores and recall across malicious classes, effectively validating the efficacy and complementarity of integrating multiple decompiler views for robust malware analysis.
📝 Abstract
Malware analysts often inspect compiled binaries through decompiled pseudo-C, when source code is unavailable. Recent work suggests that large language models (LLMs) can assist this process by classifying decompiled code as benign or malicious, but existing pipelines typically rely on a single decompiler view. We argue that this assumption is fragile: decompilers are lossy heuristic tools, and different decompilers can expose different artefacts of the same binary. We curate a benchmark of benign utilities and malicious programs spanning a range of threat behaviors. Each sample is compiled and decompiled with both Ghidra and RetDec, yielding matched pseudo-C views. Across a range of LLMs from major model families, we find that providing both decompiler views improves malicious-class F1, mainly by increasing recall on malicious samples. Agreement analyses further show that Ghidra and RetDec make partially different errors, supporting the view that decompiler outputs provide complementary evidence. Our results suggest that multi-decompiler prompting is a simple, training-free way to improve LLM-based malware triage in practical settings.