analyzing-malicious-pdf-with-peepdf
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/analyzing-malicious-pdf-with-peepdfExtract hidden payloads from suspicious PDFs for security triage.
- Reveals embedded JavaScript and shellcode in malicious documents.
- Depends on peepdf, pdfid, and pdf-parser tools.
- Flags suspicious objects based on keywords and structure.
- Outputs decoded streams and analysis reports.
SKILL.md
.github/skills/analyzing-malicious-pdf-with-peepdfView on GitHub ↗
--- name: analyzing-malicious-pdf-with-peepdf description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects. domain: cybersecurity subdomain: malware-analysis tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir] version: "1.0" author: mahipal license: Apache-2.0 --- # Analyzing Malicious PDF with peepdf ## When to Use - When triaging suspicious PDF attachments from phishing emails - During malware analysis of PDF-based exploit documents - When extracting embedded JavaScript, shellcode, or executables from PDFs - For forensic examination of weaponized document artifacts - When building detection signatures for PDF-based threats ## Prerequisites - Python 3.8+ with peepdf-3 installed (pip install peepdf-3) - pdfid.py and pdf-parser.py from Didier Stevens suite - Isolated analysis environment (VM or sandbox) - Optional: PyV8 for JavaScript emulation within peepdf - Optional: Pylibemu for shellcode analysis ## Workflow 1. **Triage with pdfid**: Scan PDF for suspicious keywords (/JS, /JavaScript, /OpenAction, /Launch, /EmbeddedFile). 2. **Interactive Analysis**: Open PDF in peepdf interactive mode to explore object structure. 3. **Identify Suspicious Objects**: Locate objects containing JavaScript, streams, or encoded data. 4. **Extract Content**: Dump suspicious streams and decode filters (FlateDecode, ASCIIHexDecode). 5. **Deobfuscate JavaScript**: Analyze extracted JS for shellcode, heap sprays, or exploit code. 6. **Check VirusTotal**: Use peepdf vtcheck to cross-reference file hash with AV detections. 7. **Generate IOCs**: Extract URLs, domains, hashes, and shellcode signatures. ## Key Concepts | Concept | Description | |---------|-------------| | /OpenAction | Automatic action executed when PDF is opened | | /JavaScript /JS | Embedded JavaScript code in PDF objects | | /Launch | Action that launches external applications | | /EmbeddedFile | File embedded within the PDF structure | | FlateDecode | zlib compression filter used to hide content | | Object Streams | PDF objects stored in compressed streams | ## Tools & Systems | Tool | Purpose | |------|---------| | peepdf / peepdf-3 | Interactive PDF analysis with JS emulation | | pdfid.py | Quick triage scanning for suspicious keywords | | pdf-parser.py | Deep object-level PDF parsing | | VirusTotal | Hash lookup and AV detection cross-reference | | CyberChef | Decode and transform extracted payloads | ## Output Format ``` Analysis Report: PDF-MAL-[DATE]-[SEQ] File: [filename.pdf] SHA-256: [hash] Suspicious Keywords: [/JS, /OpenAction, etc.] Objects with JavaScript: [Object IDs] Extracted URLs: [List] Shellcode Detected: [Yes/No] Embedded Files: [Count and types] VirusTotal Detections: [X/Y engines] Risk Level: [Critical/High/Medium/Low] ```
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.