That’s a pretty good analogy the signature isn’t often not a simple hash of the malware but rather a more fuzzy signature based on core functions that are harder to alter without loss of function.