Tags: winapi, hexdump, portable-executable

Why is the greater part of a portable executable's hexdump usually unreadable when converted to text, and why is some of it readable?

I put various PEs into a hex editor and search for strings (which are mostly Windows functions) that could be useful in understanding what the PE does and any other details about it, without executing it.

After the DOS stub, most of the time, with both genuine and malicious executables, the greater part of the hexdump (converted to text) is unreadable, for example:

L.µ¸°5Sÿ|.iÞôS..\C>Ó\—©>Ó.Òg.¼·+ß»–å~.2W·ÿ¸¨x:_/..²Üo(è.XX<.¯”ˆNYîk•…ùJ¹¬£oXR¾ëè.,X°`Á‚...,X(O.㣿¨P.ñ~p{澯ª°y”…Š}6…쥒{jæiö³ëêÃaûþ*ýþž.š¼AÇG(’ÅNÔ™¾=...øí>üÒGÂ.sŽÃyÈ9.ï×Ç.QgÄ™€·Sâð.Þ¾…=}.¾TQO:à}úÂ.L7.˜Sp>.(.Ó.d¥ñ—ñyøÜ¡;í¦ðìÐ9Dç.:‡é.¡s%.«è</Åï.O¯H.ÀÛìç ´$”yÊ©ƒ9§QøCü.<I8.N.ð².¨8.\$àù8ü!æ°³Îy.(J8õtÞ.ï§Æ‰÷!.£ÛPN7ð󸱜z86á.²p¬‡4k!Õ&J±.RD!M.èMЬÝzâ.ÓÄ)M.§Âo.$ –.¸:㣤.î%5m@ï8]#5qM-ÅȤ™Ï‚—b¤...¿5.…._ÁÂùŠ»xßçvÚá™-—æ.ŠM<gS.ã.íGZÏ.:WÓ¹†Î.鼈Î7Ñy1.—Ðùf¾Æœ

And then, somewhere among many lines like this, a block of Windows functions can be seen:

ime...SearchPathW.a.GetShortPathNameW.û.GetFullPathNameW..c.MoveFileW.M.SetCurrentDirectoryW..ê.GetFileAttributesW....GetLastError....CreateDirectoryW..a.SetFileAttributesW..².Sleep.“.GetTickCount..ð.GetFileSize...GetModuleFileNameW..À.GetCurrentProcess.u.

And this XML part:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

What decides which parts will be readable and which will not? I assume that Windows functions can be extracted because they are something that interacts with the OS, not something used locally and created by the developer.

Why is the unreadable part unreadable? When I first saw it, I assumed it was encrypted/packed/obfuscated. Now I'm thinking: is it something not done intentionally by the developer? As I said, I see the same pattern in both malicious and genuine PEs.

Solution

  • The readable part will be things like strings, imported function names, text resources (like the XML application manifest), etc. But the majority of an executable tends to be machine code. This is binary data; it is not text.

    This is perfectly normal and to be expected. There is no evidence of encryption or obfuscation here.
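As an added illustration (not part of the original question or answer), this Python walks the PE section table and scores how much of each section's raw data would render as printable ASCII in a hex editor's text pane, which ties the "noise" to code sections and the readable runs to data sections. It builds its own constructed, non-runnable sample image instead of reading a file, so the section names, the byte noise standing in for machine code and the strings in .rdata are assumptions; a real image would be read with open(path, "rb").

```python
import struct
# IMAGE_SECTION_HEADER layout and the Characteristics bits used below (PE/COFF spec).
SECTION_HDR = "<8sIIIIIIHHI"           # 40 bytes per section table entry
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def printable_ratio(blob: bytes) -> float:
    """Share of bytes a hex editor's text pane would render as readable ASCII."""
    if not blob:                        # .bss-style sections have no raw data
        return 0.0
    return sum(0x20 <= b < 0x7F or b in b"\t\r\n" for b in blob) / len(blob)

def pe_sections(data: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table, scoring each section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table, result = coff + 20 + opt_size, []
    for i in range(n_sections):
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, data, table + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size]
        result.append({"name": name.rstrip(b"\0").decode("ascii"),
                       "code": bool(flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
                       "printable": round(printable_ratio(body), 2)})
    return result

def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE image for this example: a .text section of byte
    noise standing in for machine code and a .rdata section holding strings."""
    code = bytes((i * 73 + 0x8B) & 0xFF for i in range(256))     # every byte value once
    rdata = (b"GetModuleFileNameW\0GetCurrentProcess\0"
             b'<?xml version="1.0"?><assembly manifestVersion="1.0"/>')
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew at 0x3C
    opt = struct.pack("<H", 0x10B) + b"\0" * 22                    # PE32 magic, truncated
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    code_off = 0x40 + 4 + 20 + len(opt) + 2 * 40                   # right after the table
    rdata_off = code_off + len(code)
    table = (struct.pack(SECTION_HDR, b".text", len(code), 0x1000, len(code), code_off,
                         0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
             + struct.pack(SECTION_HDR, b".rdata", len(rdata), 0x2000, len(rdata),
                           rdata_off, 0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA))
    return dos + b"PE\0\0" + coff + opt + table + code + rdata
```

On the constructed image, .text scores about 0.38 (roughly the fraction of byte values that happen to be printable, which is what random-looking machine code yields) while .rdata scores close to 1.0.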