Tags: windows, security, reverse-engineering, portable-executable, malware-detection

Determining the country of origin for an exe/dll file


I have a doubt as to how one comes to the conclusion that an exe/dll is from a specific country. Is there a field in the PE structure that saves this information?

I know that such information (timestamp etc.) can be overwritten and there is no way that one can be 100% sure, but still... There is always a statement in most analysis reports of malicious samples saying something like "This sample seems to have originated from xyz country".

I would love an answer which doesn't have a tool as a solution.


Solution

  • There are no fields or metadata within the PE/COFF format which give away any indication of a program's country of origin. The PE specification is available here: http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx - it does contain a timestamp field which should be set by the compiler, but this is easily forged.

    I understand (though am uncertain) that the country-of-origin of malware is determined via the same means that biological epidemiology works: by tracing the infections back to the source, and given how the Internet works, it's very hard. Often infections spread via HTTP (for example) can be examined via the webserver logfiles which would have the source IP address, which can then be geolocated.

    Other times malware contains direct clues as to its origin - with the old-school malware (think: ILOVEYOU) the hubris of the author is their downfall; in the ILOVEYOU case, the author actually put "by: spyder / [email protected] / @GRAMMERSoft Group / Manila, Philippines" directly in the VBScript source code that the virus was written in.

    For viruses ostensibly written in China or North Korea (which you're probably alluding to, considering the recent news of the Sony Pictures attack), it's possible they're making an educated guess based on strings contained within the program that are in Chinese or Korean script/characters.

    ...the problem with relying on these kinds of heuristics is that it's easy to "frame" a country and throw someone off your trail. If I were lacking in the moral department I could conceivably commit a false-flag operation by composing a virus such that it contained foreign language strings and used Tor or some other network to launch the attack from within another country, leaving no hint as to its true origins.

    In short, I don't believe anyone can really know for certain - most times it's guesses based on the target and who hates the target the most - or cases where entities inadvertently reveal that they wrote it (e.g. Israel and Stuxnet).
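As an added example, not part of the question or of the answer above: the Python below reads the COFF TimeDateStamp the answer mentions and scans an image for runs of Hangul, CJK or Cyrillic characters, the two kinds of "clue" discussed. The header offsets follow the PE/COFF specification linked in the answer; the sample image, the embedded strings, the script ranges and the minimum run length are constructed assumptions for this example, not data from any real sample.

```python
import re
import struct
from datetime import datetime, timezone

# Unicode ranges used only as *weak* hints of author locale (assumption: these three are
# enough to illustrate the heuristic; a real triage would cover more scripts).
SCRIPT_RANGES = {
    "hangul": re.compile(r"[\uac00-\ud7a3]{3,}"),
    "cjk": re.compile(r"[\u4e00-\u9fff]{3,}"),
    "cyrillic": re.compile(r"[\u0400-\u04ff]{3,}"),
}


def coff_timestamp(data: bytes) -> int:
    """Return the TimeDateStamp of the COFF file header (seconds since 1970-01-01 UTC).

    Layout per the PE/COFF spec: e_lfanew at 0x3C of the DOS header points at the
    "PE\\0\\0" signature; the COFF header follows with Machine(2), NumberOfSections(2),
    TimeDateStamp(4), ...
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return timestamp


def timestamp_utc(timestamp: int) -> str:
    """Render the stamp as an ISO-8601 UTC string for a report."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat()


def timestamp_verdict(timestamp: int, now: int) -> str:
    """Classify the link-time stamp. It is under the author's control, so only gross
    anomalies are flagged; "plausible" means consistent, not genuine."""
    if timestamp == 0:
        return "zeroed"          # reproducible builds and deliberate scrubbing both do this
    if timestamp > now:
        return "in the future"   # cannot be genuine: forged, or the build clock was wrong
    return "plausible"


def script_hints(data: bytes) -> dict:
    """Return {script: [strings]} for runs of non-Latin characters in the image.

    Windows programs usually store text as UTF-16LE, so the image is decoded that way
    (even byte alignment) and, separately, as UTF-8. Binary noise can decode into
    plausible-looking characters, hence the minimum run length in SCRIPT_RANGES.
    """
    found = {name: set() for name in SCRIPT_RANGES}
    views = [data.decode("utf-16-le", errors="replace"),
             data.decode("utf-8", errors="replace")]
    for text in views:
        for name, pattern in SCRIPT_RANGES.items():
            found[name].update(pattern.findall(text))
    return {name: sorted(s) for name, s in found.items() if s}


def build_sample_image(timestamp: int, strings: list) -> bytes:
    """Construct a minimal, non-executable PE-shaped byte string (constructed test data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    # COFF header (20 bytes): Machine=i386, 1 section, the given stamp, remaining fields zero
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    body = b"\0\0".join(strings)
    return bytes(dos) + b"PE\0\0" + coff + b"\0\0" + body


# Constructed sample: 2014-12-31 00:00:00 UTC, one English, one Korean, one Chinese string.
SAMPLE_TIMESTAMP = 1419984000
SAMPLE_IMAGE = build_sample_image(SAMPLE_TIMESTAMP, [
    "Hello".encode("utf-16-le"),
    "안녕하세요".encode("utf-16-le"),
    "你好世界".encode("utf-16-le"),
])

if __name__ == "__main__":
    ts = coff_timestamp(SAMPLE_IMAGE)
    now = int(datetime.now(tz=timezone.utc).timestamp())
    print("TimeDateStamp:", ts, timestamp_utc(ts), "->", timestamp_verdict(ts, now))
    print("script hints:", script_hints(SAMPLE_IMAGE))
```

Running it prints the stamp, its UTC rendering and a verdict, then the Korean and Chinese strings grouped by script. Both outputs illustrate the answer's caveat rather than contradict it: the stamp is attacker-controlled, so the only defensible verdicts are "zeroed" and "in the future", and the script scan is a prompt for a human reader, not evidence, since random bytes also decode into ideographs and an author can plant foreign-language strings deliberately.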