How to Analyze Malicious MSI Installer Files
ID: 9357d429-c69c-5553-b6b6-e9d64102d9ff
STIX ID: report--9357d429-c69c-5553-b6b6-e9d64102d9ff
Feed Name: Intezer Blog
This report explains how attackers leverage MSI installers to embed and execute malicious binaries via custom actions and embedded binaries. It illustrates manual analysis steps (using msitools, msiextract, msidiff) with a worked example of an SSLoad-delivering MSI (including file metadata and a DLL extracted and detected as PhantomLoader), and cites real-world campaigns (DarkGate, IcedID, Maze, MuddyWater/AteraAgent) with example hashes and the differences observed between MSI versions.
