Some malware samples are big in size because they have been bloated artificially. This is usually done by appending zero bytes to the file. The most common Windows malware executable format, the Portable Executable (PE) format, ignores appended data: it is not mapped into memory and is called the overlay in this context. Malware may also bloat the last section or other areas of the file, but the overlay seems to be the most common target. The bloat is clearly visible in file visualizations. The sample [1] below has been bloated with space characters in the overlay.

This approach has some advantages for threat actors. Systems that allow file uploads usually have file size limits. That means VirusTotal or other automatic scanning or analysis systems may not be available to anyone who wants to check whether a file is malicious. The threat actors may hope that such files are not distributed as quickly to AV vendors, thereby increasing the time frame in which their malware stays under the radar.

Threat actors use so-called file pumpers to increase the size of their files and reduce the overall entropy, since high entropy may indicate a packed file to some scanners. Some malware arrives in a non-bloated form and modifies its own copy on the system by adding appended data before deleting its original file.

One workaround is to create a compressed archive. This reduces the size tremendously because the bloat usually consists of uniform data, which compresses very well. But an archive does not allow analysis systems to execute the malware. Removing the bloated portion from the file by deleting its overlay is probably the best way to deal with it.
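As an added example (not code from the original post), the following Python script locates the overlay by parsing the PE section table, checks whether the overlay is uniform padding of the kind a file pumper produces, and splits it off. The minimal PE it operates on is constructed inline for demonstration and is not a real executable.

```python
import struct

def overlay_offset(pe: bytes) -> int:
    """Return the file offset where the overlay starts (== len(pe) if there is none).

    The overlay is everything past the end of the last section's raw data; the
    loader never maps it, which is why appended bloat does not break execution.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_hdr_size
    end = sect_table + 40 * num_sections  # at minimum the headers themselves are mapped
    for i in range(num_sections):
        entry = sect_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", pe, entry + 16)  # SizeOfRawData, PointerToRawData
        if ptr_raw:  # sections without raw data (e.g. .bss) have PointerToRawData == 0
            end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))

def is_uniform(blob: bytes) -> bool:
    """True if the blob is a single repeated byte value: the typical footprint of a file pumper."""
    return len(blob) > 0 and blob.count(blob[0:1]) == len(blob)

def strip_overlay(pe: bytes) -> tuple[bytes, bytes]:
    """Split a PE into (mapped part, overlay).

    Not every overlay is bloat: Authenticode signatures and installer payloads
    legitimately live there, so check is_uniform() before discarding it.
    """
    off = overlay_offset(pe)
    return pe[:off], pe[off:]

def build_bloated_sample(bloat: bytes = b" " * 0x1000) -> bytes:
    """Constructed minimal PE layout (headers + one section) with appended bloat; not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)       # 1 section, no optional header
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + section
    headers += b"\0" * (0x200 - len(headers))                    # pad up to the section's file offset
    return headers + b"\x90" * 0x200 + bloat                     # 0x200 bytes of section data, then overlay

if __name__ == "__main__":
    mapped, overlay = strip_overlay(build_bloated_sample())
    print(f"overlay at 0x{len(mapped):x}, {len(overlay)} bytes, uniform={is_uniform(overlay)}")
```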