Through the static: Demystifying malware visualization via explainability
Authors: Matteo Brosolo, Vinod P., Mauro Conti
DOI: 10.1016/j.jisa.2025.104063
Journal: Journal of Information Security and Applications, volume 91, Article 104063
Publication date: 2025-04-25
Publication type: Journal Article
Journal impact factor: 3.8
JCR: Q2 (Computer Science, Information Systems)
Region: 2 (Computer Science)
Open access: no
Citation count: 0
Indexed on: Semanticscholar
URL: https://www.sciencedirect.com/science/article/pii/S2214212625001000
Security researchers face growing challenges in rapidly identifying and classifying malware strains for effective protection. While Convolutional Neural Networks (CNNs) have emerged as powerful visual classifiers for this task, critical issues of robustness and explainability, well studied in domains such as medicine, remain underaddressed in malware analysis. Although these models achieve strong performance without manual feature engineering, their replicability and decision-making processes remain poorly understood. Two technical barriers have limited progress: first, the lack of obvious methods for selecting and evaluating explainability techniques, owing to their inherent complexity; and second, the substantial computational power and time required to replicate and tune these models across diverse environments, which is often beyond typical research constraints. Our study addresses these gaps through a comprehensive replication of six CNN architectures, evaluating both performance and explainability using Class Activation Maps (CAMs), including GradCAM and HiResCAM. We conduct experiments on the standard datasets (MalImg, Big2015) and on our new VX-Zoo collection, systematically comparing how the different models interpret their inputs. Our analysis reveals distinct patterns in malware family identification while providing concrete explanations for CNN decisions. Furthermore, we demonstrate how these interpretability insights can enhance Visual Transformers, yielding substantial improvements in F1 score, ranging from 2% to 8% across the datasets, compared to benchmark values.
Journal description:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.