I am sharing the bits of a good answer provided by my colleague on MSDN for a similar question. Please refer to this MSDN thread for the complete answer.
If you are looking to set up something for malware in Azure, you will want to stick with an IaaS (Infrastructure as a Service) solution. This is because the environment is managed by you and we don't take care of any of the guest OS level security. For SaaS and PaaS, the platform handles the security, so deploying anything with malware would be quickly removed or resolved.
So if you are looking to try this environment in Azure, then using VMs would be the place to test it. The upside of using Azure would be that if you need to delete the VM or the environment, you can easily do that and deploy a fresh one. The ability to isolate VMs from one another or allow them to communicate would also be good for testing how things spread, but with the ability to limit traffic to a single VNet you could actually contain any tests.
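
One way to check the containment described above, as an added example that is not part of the original answer: a Python audit of a network security group's outbound rules, assuming the JSON field names returned by `az network nsg show`. The rule names other than the three Azure defaults, the address, and the sample rule sets are constructed.

```python
def rule(name, priority, access, dest):
    # One outbound rule with only the fields this check reads
    # (field names assumed to match `az network nsg show` output).
    return {"name": name, "priority": priority, "access": access,
            "direction": "Outbound", "protocol": "*",
            "destinationPortRange": "*", "destinationAddressPrefix": dest}

# Azure's three default outbound rules, followed by constructed lab rule sets.
DEFAULTS = [rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
            rule("AllowInternetOutBound", 65001, "Allow", "Internet"),
            rule("DenyAllOutBound", 65500, "Deny", "*")]
UNCONTAINED = {"securityRules": [], "defaultSecurityRules": DEFAULTS}
CONTAINED = {"securityRules": [rule("DenyInternetOut", 100, "Deny", "Internet")],
             "defaultSecurityRules": DEFAULTS}
LEAKY = {"securityRules": [rule("AllowUpdateHost", 90, "Allow", "203.0.113.10"),
                           rule("DenyInternetOut", 100, "Deny", "Internet")],
         "defaultSecurityRules": DEFAULTS}

def _dests(r):
    # A rule carries either a single prefix or a list of prefixes.
    single = r.get("destinationAddressPrefix")
    return [single] if single else list(r.get("destinationAddressPrefixes") or [])

def outbound_escapes(nsg):
    """Names of outbound Allow rules that let traffic leave the VNet.

    Rules are evaluated lowest priority number first. An Allow is flagged
    unless its destination is the VirtualNetwork tag or an earlier
    any-protocol, any-port Deny names the same destination or "*".
    Deliberately conservative: a narrower Deny never clears an Allow.
    """
    rules = [r for r in nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", [])
             if r["direction"] == "Outbound"]
    denied, escapes = set(), []
    for r in sorted(rules, key=lambda x: x["priority"]):
        blanket = r.get("protocol") == "*" and r.get("destinationPortRange") == "*"
        if r["access"] == "Deny" and blanket:
            denied.update(_dests(r))
        elif r["access"] == "Allow" and "*" not in denied:
            if any(d != "VirtualNetwork" and d not in denied for d in _dests(r)):
                escapes.append(r["name"])
    return escapes

if __name__ == "__main__":
    for label, nsg in (("defaults only", UNCONTAINED), ("deny Internet", CONTAINED),
                       ("allow before deny", LEAKY)):
        print(label, "->", outbound_escapes(nsg) or "contained to VNet")
```

An empty result means no outbound rule in the group lets lab VMs reach anything outside the VNet; run it against the NSG attached to the lab subnet before detonating anything.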