Malware written in dynamic languages such as PHP routinely employ anti-analysis techniques such as obfuscation schemes and evasive tricks to avoid detection. This paper presents a system called Cubismo to solve this pressing problem. It processes potentially malicious files and decloaks their obfuscations, exposing the hidden malicious code into multiple files. Cubismo achieves improved detection by exploring all executable statements of a suspect program counterfactually to see through complicated polymorphism, metamorphism and, obfuscation techniques and expose any malware. Cubismo is highly effective in dissecting sophisticated metamorphic malware with multiple layers of obfuscation. Cubismo enables VirusTotal to detect 53 out of 56 zero-day malware samples in the wild, which were previously undetectable.
