A Decompilation-Driven Framework for Malware Detection with Large Language Models
Aniesh Chawla, Udbhav Prasad
TL;DR
This work investigates decompilation-driven malware detection by converting Windows binaries to C via Ghidra and applying large language models to classify software as benign or malicious. It systematically compares vanilla LLMs with a fine-tuned model, using a 2017 baseline dataset and a 2025 contemporary dataset to assess generalization. results show vanilla LLMs underperform traditional static methods, while fine-tuning substantially improves accuracy but remains sensitive to emerging threats, underscoring the need for ongoing domain-specific updates. The discussion outlines strategies to address context-window constraints, incorporate multi-modal signals, and enhance explainability for practical security deployments.
Abstract
The parallel evolution of Large Language Models (LLMs) with advanced code-understanding capabilities and the increasing sophistication of malware presents a new frontier for cybersecurity research. This paper evaluates the efficacy of state-of-the-art LLMs in classifying executable code as either benign or malicious. We introduce an automated pipeline that first decompiles Windows executable into a C code using Ghidra disassembler and then leverages LLMs to perform the classification. Our evaluation reveals that while standard LLMs show promise, they are not yet robust enough to replace traditional anti-virus software. We demonstrate that a fine-tuned model, trained on curated malware and benign datasets, significantly outperforms its vanilla counterpart. However, the performance of even this specialized model degrades notably when encountering newer malware. This finding demonstrates the critical need for continuous fine-tuning with emerging threats to maintain model effectiveness against the changing coding patterns and behaviors of malicious software.
