Analyzing Malicious Pdf With Peepdf | Skills Pool
Analyzing Malicious Pdf With Peepdf Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
mukul975 4,535 星标 2026年4月6日 When to Use
When triaging suspicious PDF attachments from phishing emails
During malware analysis of PDF-based exploit documents
When extracting embedded JavaScript, shellcode, or executables from PDFs
For forensic examination of weaponized document artifacts
When building detection signatures for PDF-based threats
Prerequisites
Python 3.8+ with peepdf-3 installed (pip install peepdf-3)
pdfid.py and pdf-parser.py from Didier Stevens suite
Isolated analysis environment (VM or sandbox)
Optional: PyV8 for JavaScript emulation within peepdf
Optional: Pylibemu for shellcode analysis
Workflow
Triage with pdfid : Scan PDF for suspicious keywords (/JS, /JavaScript, /OpenAction, /Launch, /EmbeddedFile).Interactive Analysis : Open PDF in peepdf interactive mode to explore object structure.Identify Suspicious Objects : Locate objects containing JavaScript, streams, or encoded data.
快速安装
Analyzing Malicious Pdf With Peepdf npx skills add mukul975/Anthropic-Cybersecurity-Skills
星标 4,535
更新时间 2026年4月6日
职业
Extract Content : Dump suspicious streams and decode filters (FlateDecode, ASCIIHexDecode).
Deobfuscate JavaScript : Analyze extracted JS for shellcode, heap sprays, or exploit code.
Check VirusTotal : Use peepdf vtcheck to cross-reference file hash with AV detections.
Generate IOCs : Extract URLs, domains, hashes, and shellcode signatures.
Key Concepts Concept Description /OpenAction Automatic action executed when PDF is opened /JavaScript /JS Embedded JavaScript code in PDF objects /Launch Action that launches external applications /EmbeddedFile File embedded within the PDF structure FlateDecode zlib compression filter used to hide content Object Streams PDF objects stored in compressed streams
Tool Purpose peepdf / peepdf-3 Interactive PDF analysis with JS emulation pdfid.py Quick triage scanning for suspicious keywords pdf-parser.py Deep object-level PDF parsing VirusTotal Hash lookup and AV detection cross-reference CyberChef Decode and transform extracted payloads
Analysis Report: PDF-MAL-[DATE]-[SEQ]
File: [filename.pdf]
SHA-256: [hash]
Suspicious Keywords: [/JS, /OpenAction, etc.]
Objects with JavaScript: [Object IDs]
Extracted URLs: [List]
Shellcode Detected: [Yes/No]
Embedded Files: [Count and types]
VirusTotal Detections: [X/Y engines]
Risk Level: [Critical/High/Medium/Low]
02
Prerequisites