Encoding & Decoding · 1 min read

Hex Encoding in Malware and Obfuscated Code

Hexadecimal represents each byte as two characters (0-9, a-f). Malware authors use hex encoding to hide strings like URLs, commands, and file paths from static analysis. In JavaScript, hex appears as \x41\x42\x43 (which decodes to ABC). In binary analysis, hex viewers reveal file structure, embedded strings, and magic bytes that identify file types.

Try it now

Hex Viewer

Runs in your browser, nothing leaves your device.

Obfuscated JS often replaces readable strings with hex escapes: `\x64\x6f\x63\x75\x6d\x65\x6e\x74` is just `document`. Some obfuscators convert entire function names and property lookups to hex. This defeats simple grep searches but decodes trivially. More advanced obfuscators combine hex with array lookups and string rotation.

Every file format starts with specific bytes called magic numbers. A PDF starts with `25 50 44 46` (%PDF), a PNG with `89 50 4E 47`, a ZIP with `50 4B 03 04`. When analyzing suspicious files, checking the first few hex bytes tells you the real file type, regardless of the extension. An exe disguised as .jpg will still start with `4D 5A` (MZ).

Hex-encoded JavaScript string

Input
\x65\x76\x61\x6c
Result
eval

Common file signatures

Input
50 4B 03 04
Result
ZIP archive (also .docx, .xlsx, .apk)

Security context

Hex encoding is one of the simplest obfuscation layers. If you see long sequences of \x escapes in JavaScript or hex-encoded strings in malware configs, decode them first. The real analysis starts after you can read what the code actually does.

Open the file in a hex viewer and check the first 4-8 bytes against known magic number signatures. For example, ELF binaries start with 7F 45 4C 46, Java class files with CA FE BA BE, and JPEG images with FF D8 FF.

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description