diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7e277d12195..1ebc851e123 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8160,6 +8160,44 @@ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) {
 /* ********************************************************************************* */
+/* PE32/PE32+ format specs: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format */
+static void ndpi_search_portable_executable(struct ndpi_detection_module_struct *ndpi_struct,
+                                            struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+  static const uint16_t dos_signature = 0x4d5a; /* MZ */
+  static const uint32_t pe_signature = 0x50450000; /* PE */
+
+  NDPI_LOG_DBG(ndpi_struct, "search Portable Executable (PE) file\n");
+
+  if (flow->packet_counter > 5)
+  {
+    return;
+  }
+
+  if (packet->payload_packet_len < 0x3C /* offset to PE header */ + 4)
+  {
+    return;
+  }
+
+  if (ntohs(get_u_int16_t(packet->payload, 0)) != dos_signature)
+  {
+    return;
+  }
+
+  uint32_t const pe_offset = le32toh(get_u_int32_t(packet->payload, 0x3C));
+  if (packet->payload_packet_len <= pe_offset + 4 ||
+      be32toh(get_u_int32_t(packet->payload, pe_offset)) != pe_signature)
+  {
+    return;
+  }
+
+  NDPI_LOG_INFO(ndpi_struct, "found Portable Executable (PE) file\n");
+  ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found");
+}
+
+/* ********************************************************************************* */
+
 static int ndpi_check_protocol_port_mismatch_exceptions(default_ports_tree_node_t *expected_proto,
                                                         ndpi_protocol *returned_proto) {
   /*
@@ -8553,6 +8591,10 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
     flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow);
   }
+  if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
+    ndpi_search_portable_executable(ndpi_str, flow);
+  }
+
   return(ret);
 }
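Review bot: The bounds check `packet->payload_packet_len <= pe_offset + 4` in ndpi_search_portable_executable does not cover the read that follows it: `pe_offset` is a 32-bit value taken straight from the payload, `pe_offset + 4` wraps for values in the last four of the uint32_t range, the comparison then passes, and `get_u_int32_t(packet->payload, pe_offset)` reads far outside the packet. Checking the offset against the length before doing any arithmetic on it avoids the wrap: `if (pe_offset > packet->payload_packet_len || packet->payload_packet_len - pe_offset < 4 || be32toh(get_u_int32_t(packet->payload, pe_offset)) != pe_signature)`. The `< 4` form accepts a payload that ends exactly after the PE signature, which the current `<=` rejects; use `<= 4` if that extra byte was intended. Since the function only looks at the first five packets of a flow and requires the MZ header at payload offset 0, a header comment stating that, e.g. `/* Heuristic: inspects only the first 5 packets and expects the DOS "MZ" header at payload offset 0 */`, would make the detector's coverage clear to the next reader.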
diff --git a/tests/cfgs/default/pcap/portable_executable.pcap b/tests/cfgs/default/pcap/portable_executable.pcap
new file mode 100644
index 00000000000..5f13f87fb6a
Binary files /dev/null and b/tests/cfgs/default/pcap/portable_executable.pcap differ
diff --git a/tests/cfgs/default/result/portable_executable.pcap.out b/tests/cfgs/default/result/portable_executable.pcap.out
new file mode 100644
index 00000000000..223f463099a
--- /dev/null
+++ b/tests/cfgs/default/result/portable_executable.pcap.out
@@ -0,0 +1,37 @@
+Guessed flow protos: 1
+
+DPI Packets (TCP): 30 (15.00 pkts/flow)
+Confidence Unknown : 1 (flows)
+Confidence Match by port : 1 (flows)
+Num dissector calls: 504 (252.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/6/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/2/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Unknown 15 12160 1
+DNS 15 12154 1
+
+Acceptable 15 12154 1
+Unrated 15 12160 1
+
+ 1 TCP 64.227.107.71:53 <-> 172.16.99.10:49652 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: Match by port][DPI packets: 15][cat: Network/14][11 pkts/11914 bytes <-> 4 pkts/240 bytes][Goodput ratio: 95/0][0.37 sec][::][bytes ratio: 0.961 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 40/182 362/364 114/182][Pkt Len c2s/s2c min/avg/max/stddev: 58/60 1083/60 1310/60 481/0][Risk: ** Binary App Transfer **** Malformed Packet **][Risk Score: 160][Risk Info: Invalid DNS Header / Portable Executable (PE32/PE32+) found][PLAIN TEXT (This program cannot be run in D)][Plen Bins: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0,0,0,0,0,0,0]
+
+
+Undetected flows:
+ 1 TCP 172.16.99.201:1732 <-> 64.227.107.71:4444 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 15][4 pkts/246 bytes <-> 11 pkts/11914 bytes][Goodput ratio: 0/95][0.73 
sec][bytes ratio: -0.960 (Download)][IAT c2s/s2c min/avg/max/stddev: 329/0 364/45 398/398 34/125][Pkt Len c2s/s2c min/avg/max/stddev: 60/58 62/1083 66/1310 3/481][Risk: ** Binary App Transfer **][Risk Score: 150][Risk Info: Portable Executable (PE32/PE32+) found][PLAIN TEXT (This program cannot be run in D)][Plen Bins: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,90,0,0,0,0,0,0,0,0]