I wouldn't say it needs any code. Just an Inferred Country-based Segmentation that finds if a lead matches one of your Allowed Inferred Country values. Then the Landing Page either displays the download link or not.
This will not stop malicious users from hitting the direct link to the asset if they can find it out via other means. As @Josh points out, the Inferred Country is not 100% reliable in that it can result in false positives (if someone uses a proxy server in another region, either maliciously or innocently) and false negatives (if the IP address-based database that Marketo uses is slightly off and classifies the IP incorrectly).
I don't know what export rules/regulations you're complying with or whether they are just internal policies (like you don't feel like doing currency conversions, non-English-language tech support, supporting time zones that are 17 hours off, etc.). I work in a tightly geographically-regulated industry and even for us, a good-faith effort like that described above will suffice -- as long as we do not knowingly advertise products to people that have said they are from a forbidden country, and have taken reasonable technical measures to guess their lead's locale, we can't be responsible if someone in a banned country maliciously or accidentally obtains a sales document. Of more concern to us is the false negative where we forbid people who are actually eligible. So we always give them a link where they can contact us in case they believe there was an error. And errors will happen: just because somebody is legitimately identified as connecting from a forbidden country says nothing about their residency/citizenship/certification, and in many cases it's the latter that really identifies their eligibility (in our industry, if someone is in Germany on business but is a US-licensed dealer we have to find some way of getting them documents).