analyzing-malicious-pdf-with-peepdf
Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
What this skill does
# Analyzing Malicious PDF with peepdf ## When to Use - When triaging suspicious PDF attachments from phishing emails - During malware analysis of PDF-based exploit documents - When extracting embedded JavaScript, shellcode, or executables from PDFs - For forensic examination of weaponized document artifacts - When building detection signatures for PDF-based threats ## Prerequisites - Python 3.8+ with peepdf-3 installed (pip install peepdf-3) - pdfid.py and pdf-parser.py from Didier Stevens suite - Isolated analysis environment (VM or sandbox) - Optional: PyV8 for JavaScript emulation within peepdf - Optional: Pylibemu for shellcode analysis ## Workflow 1. **Triage with pdfid**: Scan PDF for suspicious keywords (/JS, /JavaScript, /OpenAction, /Launch, /EmbeddedFile). 2. **Interactive Analysis**: Open PDF in peepdf interactive mode to explore object structure. 3. **Identify Suspicious Objects**: Locate objects containing JavaScript, streams, or encoded data. 4. **Extract Content**: Dump suspicious streams and decode filters (FlateDecode, ASCIIHexDecode). 5. **Deobfuscate JavaScript**: Analyze extracted JS for shellcode, heap sprays, or exploit code. 6. **Check VirusTotal**: Use peepdf vtcheck to cross-reference file hash with AV detections. 7. **Generate IOCs**: Extract URLs, domains, hashes, and shellcode signatures. ## Key Concepts | Concept | Description | |---------|-------------| | /OpenAction | Automatic action executed when PDF is opened | | /JavaScript /JS | Embedded JavaScript code in PDF objects | | /Launch | Action that launches external applications | | /EmbeddedFile | File embedded within the PDF structure | | FlateDecode | zlib compression filter used to hide content | | Object Streams | PDF objects stored in compressed streams | ## Tools & Systems | Tool | Purpose | |------|---------| | peepdf / peepdf-3 | Interactive PDF analysis with JS emulation | | pdfid.py | Quick triage scanning for suspicious keywords | | pdf-parser.py | Deep object-level PDF parsing | | VirusTotal | Hash lookup and AV detection cross-reference | | CyberChef | Decode and transform extracted payloads | ## Output Format ``` Analysis Report: PDF-MAL-[DATE]-[SEQ] File: [filename.pdf] SHA-256: [hash] Suspicious Keywords: [/JS, /OpenAction, etc.] Objects with JavaScript: [Object IDs] Extracted URLs: [List] Shellcode Detected: [Yes/No] Embedded Files: [Count and types] VirusTotal Detections: [X/Y engines] Risk Level: [Critical/High/Medium/Low] ```
Related in Writing & Docs
jax-development
IncludedUse this skill when the user is writing, debugging, profiling, refactoring, reviewing, benchmarking, parallelising, exporting, or explaining JAX code, or when they mention JAX, jax.numpy, jit, grad, value_and_grad, vmap, scan, lax, random keys, pytrees, jax.Array, sharding, Mesh, PartitionSpec, NamedSharding, pmap, shard_map, Pallas, XLA, StableHLO, checkify, profiler, or the JAX repo. It helps turn NumPy or PyTorch-style code into pure functional JAX, fix tracer/control-flow/shape/PRNG bugs, remove recompiles and host-device syncs, choose transforms and sharding strategies, inspect jaxpr/lowering/IR, and benchmark compiled code correctly.
nature-article-writer
IncludedDrafts, rewrites, diagnostically critiques, and style-calibrates primary research manuscripts for Nature and Nature Portfolio journals. Use when the user wants a Nature-style title, summary paragraph or abstract, introduction, results, discussion, methods, figure legends, presubmission enquiry, cover letter, reviewer response, or when a scientific draft sounds generic, jargon-heavy, structurally weak, or AI-ish and needs precise, broad-reader-friendly prose without inventing data, analyses, or references. Best for primary research articles and letters rather than reviews or press releases unless explicitly adapting one.
deckrd
IncludedDocument-driven framework that derives requirements, specifications, implementation plans, and executable tasks from goals through structured AI dialogue. Use when user says "write requirements", "create spec", "plan implementation", "derive tasks", "structure this feature", "break down into tasks", or "document this module". Also use for reverse engineering existing code into docs (/deckrd rev). Do NOT use for direct code writing — use /deckrd-coder after tasks are generated. Do NOT use when the user only wants to run or fix existing code without planning.
clinical-decision-support
IncludedGenerate professional clinical decision support (CDS) documents for pharmaceutical and clinical research settings, including patient cohort analyses (biomarker-stratified with outcomes) and treatment recommendation reports (evidence-based guidelines with decision algorithms). Supports GRADE evidence grading, statistical analysis (hazard ratios, survival curves, waterfall plots), biomarker integration, and regulatory compliance. Outputs publication-ready LaTeX/PDF format optimized for drug development, clinical research, and evidence synthesis.
handling-sf-data
IncludedSalesforce data operations with 130-point scoring. Use this skill to create, update, delete, bulk import/export, generate test data, and clean up org records using sf CLI and anonymous Apex. TRIGGER when: user creates test data, performs bulk import/export, uses sf data CLI commands, needs data factory patterns for Apex tests, or needs to seed/clean records in a Salesforce org. DO NOT TRIGGER when: SOQL query writing only (use querying-soql), Apex test execution (use running-apex-tests), or metadata deployment (use deploying-metadata).
accelint-ac-to-playwright
IncludedConvert and validate acceptance criteria for Playwright test automation. Use when user asks to (1) review/evaluate/check if AC are ready for automation, (2) assess if AC can be converted as-is, (3) validate AC quality for Playwright, (4) turn AC into tests, (5) generate tests from acceptance criteria, (6) convert .md bullets or .feature Gherkin files to Playwright specs, (7) create test automation from requirements. Handles both bullet-style markdown and Gherkin syntax with JSON test plan generation and validation.