This work addresses the challenge of malware family classification in real-world scenarios, where obfuscation, packing, and rapid evolution hinder effective analysis. To tackle this problem without relying on labeled data, the authors propose a zero-shot classification framework that leverages static code analysis and introduces a novel decision-level, weighted hierarchical ensemble mechanism based on pre-trained large language models. The approach mimics human analysts’ reasoning by first identifying coarse-grained malicious behaviors and then refining predictions to specific families, dynamically weighting constituent models according to macro F1 scores to enhance both accuracy and stability. Notably, the method achieves strong generalization and robustness in open, dynamic threat environments without requiring handcrafted features or model retraining.

Malware family classification remains a challenging task in automated malware analysis, particularly in real-world settings characterized by obfuscation, packing, and rapidly evolving threats. Existing machine learning and deep learning approaches typically depend on labeled datasets, handcrafted features, supervised training, or dynamic analysis, which limits their scalability and effectiveness in open-world scenarios. This paper presents a zero-label malware family classification framework based on a weighted hierarchical ensemble of pretrained large language models (LLMs). Rather than relying on feature-level learning or model retraining, the proposed approach aggregates decision-level predictions from multiple LLMs with complementary reasoning strengths. Model outputs are weighted using empirically derived macro-F1 scores and organized hierarchically, first resolving coarse-grained malicious behavior before assigning fine-grained malware families. This structure enhances robustness, reduces individual model instability, and aligns with analyst-style reasoning.