Skill

analyzing-malicious-pdf-with-peepdf

Analyzes malicious PDFs using peepdf, pdfid, and pdf-parser to extract JavaScript, shellcode, suspicious objects, and IOCs for malware triage and forensics.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When triaging suspicious PDF attachments from phishing emails

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Analyzing Malicious PDF with peepdf

When to Use

When triaging suspicious PDF attachments from phishing emails
During malware analysis of PDF-based exploit documents
When extracting embedded JavaScript, shellcode, or executables from PDFs
For forensic examination of weaponized document artifacts
When building detection signatures for PDF-based threats

Prerequisites

Python 3.8+ with peepdf-3 installed (pip install peepdf-3)
pdfid.py and pdf-parser.py from Didier Stevens suite
Isolated analysis environment (VM or sandbox)
Optional: PyV8 for JavaScript emulation within peepdf
Optional: Pylibemu for shellcode analysis

Workflow

Triage with pdfid: Scan PDF for suspicious keywords (/JS, /JavaScript, /OpenAction, /Launch, /EmbeddedFile).
Interactive Analysis: Open PDF in peepdf interactive mode to explore object structure.
Identify Suspicious Objects: Locate objects containing JavaScript, streams, or encoded data.
Extract Content: Dump suspicious streams and decode filters (FlateDecode, ASCIIHexDecode).
Deobfuscate JavaScript: Analyze extracted JS for shellcode, heap sprays, or exploit code.
Check VirusTotal: Use peepdf vtcheck to cross-reference file hash with AV detections.
Generate IOCs: Extract URLs, domains, hashes, and shellcode signatures.

Key Concepts

Concept	Description
/OpenAction	Automatic action executed when PDF is opened
/JavaScript /JS	Embedded JavaScript code in PDF objects
/Launch	Action that launches external applications
/EmbeddedFile	File embedded within the PDF structure
FlateDecode	zlib compression filter used to hide content
Object Streams	PDF objects stored in compressed streams

Tools & Systems

Tool	Purpose
peepdf / peepdf-3	Interactive PDF analysis with JS emulation
pdfid.py	Quick triage scanning for suspicious keywords
pdf-parser.py	Deep object-level PDF parsing
VirusTotal	Hash lookup and AV detection cross-reference
CyberChef	Decode and transform extracted payloads

Output Format

Analysis Report: PDF-MAL-[DATE]-[SEQ]
File: [filename.pdf]
SHA-256: [hash]
Suspicious Keywords: [/JS, /OpenAction, etc.]
Objects with JavaScript: [Object IDs]
Extracted URLs: [List]
Shellcode Detected: [Yes/No]
Embedded Files: [Count and types]
VirusTotal Detections: [X/Y engines]
Risk Level: [Critical/High/Medium/Low]