Mixed analysis-based virtual machine sandbox
US-9917855-B1 · Mar 13, 2018 · US
US10997291B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10997291-B2 |
| Application number | US-201816130816-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 13, 2018 |
| Priority date | Jul 19, 2018 |
| Publication date | May 4, 2021 |
| Grant date | May 4, 2021 |
Abstract
A device receives a software program, performs a dynamic malware analysis of the software program to generate dynamic malware analysis results, and generates a call graph based on the dynamic malware analysis of the software program. The device utilizes, during the dynamic malware analysis of the software program, the call graph to identify an exit of the software program and/or a forced kill of the software program, and performs a static malware analysis of the software program based on identifying the exit of the software program and/or the forced kill of the software program. The device generates static malware analysis results based on performing the static malware analysis of the software program, and combines the dynamic malware analysis results and the static malware analysis results to generate combined malware analysis results. The device performs one or more actions based on the combined malware analysis results.
Claims (preview)
What is claimed is:

1. A method, comprising: receiving, by a device, a software program from a client device, wherein the software program utilizes armoring techniques; providing, by the device, the software program to a sandbox; performing, by the device and via the sandbox, a dynamic malware analysis of the software program to generate dynamic malware analysis results; generating, by the device, a call graph based on the dynamic malware analysis of the software program; utilizing, by the device and during the dynamic malware analysis of the software program, the call graph to identify at least one of: an exit of the software program, or a forced kill of the software program; performing, by the device and via the sandbox, a static malware analysis of the software program based on identifying the at least one of the exit of the software program or the forced kill of the software program; generating, by the device, static malware analysis results based on performing the static malware analysis of the software program; analyzing, by the device, the dynamic malware analysis results to determine whether the dynamic malware analysis results are sufficient to identify malicious code in the software program; analyzing, by the device, the static malware analysis results to identify the malicious code in the software program when the dynamic malware analysis results are insufficient to identify the malicious code in the software program; combining, by the device, the dynamic malware analysis results and the static malware analysis results to generate combined malware analysis results; detecting, by the device, one or more application programming interface (API) traces for the software program based on the combined malware analysis results; determining, by the device and based on detecting the one or more API traces, one or more APIs that would have been called and logged had the software program not utilized armoring techniques; and performing, by the device, one or more actions based on determining the one or more APIs that would have been called and logged had the software program not utilized armoring techniques.

2. The method of claim 1, further comprising: removing one or more particular API traces, provided in the combined malware analysis results, that are subsets of the one or more API traces provided in the combined malware analysis results.

3. The method of claim 1, wherein performing the one or more actions comprises one or more of: modifying the software program to remove the malicious code and to generate a modified software program; providing the modified software program to the client device for execution; reanalyzing the software program to verify that the malicious code has been removed from the software program; or remodifying the software program to remove any remaining malicious code based on reanalyzing the software program.

4. The method of claim 1, wherein performing the one or more actions comprises one or more of: providing, to the client device, instructions that cause the client device to modify the software program to remove the malicious code; providing, to the client device, instructions that cause the client device to report the software program and the malicious code to particular devices; reporting the software program and the malicious code to the particular devices; preventing the software program and the malicious code from being executed on the particular devices that include the software program and the malicious code; or removing the software program and the malicious code from the particular devices that include the software program and the malicious code.

5. The method of claim 1, wherein performing the dynamic malware analysis of the software program comprises one of: performing an application programming interface (API) tracing of the software program via an API hooking mechanism; or performing the API tracing of the software program via one or more dynamic instrumentation mechanisms.

6. The method of claim 1, wherein performing the static malware analysis of the software program comprises: utilizing the call graph to perform the static malware analysis of the software program.

7. The method of claim 1, further comprising: identifying one or more malicious API traces in the combined malware analysis results based on at least one of: a list of known malicious API traces, or a machine learning model; and wherein performing the one or more actions comprises: performing the one or more actions based on identifying the one or more malicious API traces in the combined malware analysis results.

8. A device, comprising: one or more memories; and one or more processors to: receive a software program from a client device, wherein the software program utilizes armoring techniques; perform a dynamic malware analysis of the software program to generate dynamic malware analysis results; generate a call graph based on the dynamic malware analysis of the software program; utilize, during the dynamic malware analysis of the software program, the call graph to identify at least one of: an exit of the software program, or a forced kill of the software program; perform a static malware analysis of the software program based on identifying the at least one of the exit of the software program or the forced kill of the software program; generate static malware analysis results based on performing the static malware analysis of the software program; analyze the dynamic malware analysis results to determine whether the dynamic malware analysis results are sufficient to identify malicious code in the software program; analyze the static malware analysis results to identify the malicious code in the software program when the dynamic malware analysis results are insufficient to identify the malicious code in the software program; combine the dynamic malware analysis results and the static malware analysis results to generate combined malware analysis results; detect one or more application programming interface (API) traces for the software program based on the combined malware analysis results; determine, based on detecting the one or more API traces, one or more APIs that would have been called and logged had the software program not utilized armoring techniques; remove, based on determining the one or more APIs that would have been called and logged had the software program not utilized armoring techniques, one or more particular API traces, provided in the combined malware analysis results, that are subsets of the one or more API traces provided in the combined malware analysis results, wherein modified malware analysis results are generated based on removing the one or more particular API traces that are subsets of one or more API traces from the combined malware analysis results; and perform one or more actions based on the modified malware analysis results.

9. The device of claim 8, wherein the call graph includes: the one or more API traces, and one or more function calls.

10. The device of claim 8, wherein, when performing the one or more actions, the one or more processors are to one or more of: modify the software program to remove the malicious code and to generate a modified software program; provide the modified software program to the client device for execution; reanalyze the software program to verify that the malicious code has been removed from the software program; or remodify the software program to remove any remaining malicious code based on reanalyzing the software program.

11. The device of claim 8, wherein, when performing the one or more actions, the one
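The pipeline described in the abstract and in claims 1, 2, 5 and 7 above, carried through as an added worked example in Python. This is illustration code written for this page, not the patent's or its assignee's implementation: the dynamic API trace, the call graph and the "known malicious" sequence are constructed for the example (a real sandbox would collect the trace through API hooks in the VM and recover the graph from disassembly), and two readings are assumptions of this example rather than statements of the patent: a callee that is not a local function is treated as an imported API, and a trace counts as a "subset" of another when it is an ordered subsequence of it. The sample exits through ExitProcess after fingerprinting the environment, so the dynamic trace alone is insufficient; the static walk supplies the branches that never ran, the dynamic trace is pruned as a subset of the static one, and the surviving trace is matched against the known-malicious list.

```python
"""Mixed dynamic/static malware analysis flow (illustration of the abstract and
claims above).  Added example: not the patent's or assignee's code.  The trace,
call graph and known-malicious sequence below are constructed for the example."""

# Constructed dynamic trace: what an API hook (claim 5) would log for a sample
# that fingerprints the sandbox and exits before its payload runs (armoring).
DYNAMIC_TRACE = [
    "GetModuleHandleA",
    "IsDebuggerPresent",
    "GetSystemInfo",
    "ExitProcess",
]

# Constructed static call graph (caller -> callees) as a disassembler would
# recover it.  Keys are local functions; any other callee is treated as an
# imported API (an assumption of this example).
STATIC_CALL_GRAPH = {
    "entry": ["GetModuleHandleA", "check_env", "payload"],
    "check_env": ["IsDebuggerPresent", "GetSystemInfo", "ExitProcess"],
    "payload": ["drop_file", "persist"],
    "drop_file": ["CreateFileA", "WriteFile"],
    "persist": ["RegOpenKeyExA", "RegSetValueExA"],
}

# Constructed "list of known malicious API traces" (claim 7).
KNOWN_MALICIOUS = [("CreateFileA", "WriteFile", "RegSetValueExA")]

# APIs whose appearance at the end of a trace marks an exit or forced kill.
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}


def dynamic_terminated_early(trace):
    """Index of the exit/kill call that ended the run, or None if the sample
    ran to completion without one (claim 1: identify an exit or forced kill)."""
    if trace and trace[-1] in EXIT_APIS:
        return len(trace) - 1
    return None


def static_api_trace(graph, root, _seen=None):
    """Depth-first walk of the call graph collecting imported-API calls in
    program order, including branches the dynamic run never reached."""
    seen = set() if _seen is None else _seen
    if root in seen:                       # cycle guard for recursive code
        return []
    seen.add(root)
    trace = []
    for callee in graph.get(root, []):
        if callee in graph:                # local function: descend into it
            trace.extend(static_api_trace(graph, callee, seen))
        else:                              # imported API: record the call
            trace.append(callee)
    return trace


def is_subsequence(short, long):
    """True if every element of `short` appears in `long` in the same order."""
    it = iter(long)
    return all(item in it for item in short)


def prune_subset_traces(traces):
    """Claim 2: drop traces that are subsets (here: ordered subsequences)
    of another trace in the combined results."""
    unique = list(dict.fromkeys(traces))   # dedupe while keeping order
    return [t for t in unique
            if not any(o != t and is_subsequence(t, o) for o in unique)]


def apis_hidden_by_armoring(dynamic, static, exit_index):
    """APIs the static walk reaches that the dynamic run never logged because
    the sample exited first (claim 1's 'would have been called and logged')."""
    logged = set(dynamic[: exit_index + 1])
    return [api for api in static if api not in logged]


def match_known_malicious(traces, known):
    """Claim 7 via the known-malicious list (an ML model is the other option)."""
    return [seq for seq in known if any(is_subsequence(seq, t) for t in traces)]


def analyze(dynamic, graph, known, root="entry"):
    """Run the mixed pipeline and return the combined, pruned results."""
    exit_index = dynamic_terminated_early(dynamic)
    if exit_index is None:
        # No early exit: the dynamic results are taken as sufficient.
        combined = prune_subset_traces([tuple(dynamic)])
        return {"exit_index": None, "hidden_apis": [], "combined": combined,
                "malicious": match_known_malicious(combined, known)}
    static = static_api_trace(graph, root)
    combined = prune_subset_traces([tuple(dynamic), tuple(static)])
    return {"exit_index": exit_index,
            "hidden_apis": apis_hidden_by_armoring(dynamic, static, exit_index),
            "combined": combined,
            "malicious": match_known_malicious(combined, known)}


if __name__ == "__main__":
    for key, value in analyze(DYNAMIC_TRACE, STATIC_CALL_GRAPH, KNOWN_MALICIOUS).items():
        print(f"{key}: {value}")
```

Running the module prints the exit index (3, the ExitProcess call), the four APIs the armoring hid (CreateFileA, WriteFile, RegOpenKeyExA, RegSetValueExA), a single combined trace after the dynamic one is pruned as a subset, and the one known-malicious sequence that matches it. Note that the static walk is deliberately over-approximate: it records every reachable API, including dead branches, which is why the patent keeps the dynamic results and only falls back to static analysis when they are insufficient.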
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
eliminating virus, restoring damaged files · CPC title
Static detection · CPC title
by source code analysis · CPC title
involving event detection and direct action · CPC title