CG
SkillsAnalyzing Malicious PDF with peepdf
Start Free
Back to Skills Library
Malware Analysis🔴 Advanced

Analyzing Malicious PDF with peepdf

Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.

3 min read1 code examples

Prerequisites

  • Python 3.8+ with peepdf-3 installed (pip install peepdf-3)
  • pdfid.py and pdf-parser.py from Didier Stevens suite
  • Isolated analysis environment (VM or sandbox)
  • Optional: PyV8 for JavaScript emulation within peepdf
  • Optional: Pylibemu for shellcode analysis

Analyzing Malicious PDF with peepdf

When to Use

  • When triaging suspicious PDF attachments from phishing emails
  • During malware analysis of PDF-based exploit documents
  • When extracting embedded JavaScript, shellcode, or executables from PDFs
  • For forensic examination of weaponized document artifacts
  • When building detection signatures for PDF-based threats

Prerequisites

  • Python 3.8+ with peepdf-3 installed (pip install peepdf-3)
  • pdfid.py and pdf-parser.py from Didier Stevens suite
  • Isolated analysis environment (VM or sandbox)
  • Optional: PyV8 for JavaScript emulation within peepdf
  • Optional: Pylibemu for shellcode analysis

Workflow

  1. Triage with pdfid: Scan PDF for suspicious keywords (/JS, /JavaScript, /OpenAction, /Launch, /EmbeddedFile).
  2. Interactive Analysis: Open PDF in peepdf interactive mode to explore object structure.
  3. Identify Suspicious Objects: Locate objects containing JavaScript, streams, or encoded data.
  4. Extract Content: Dump suspicious streams and decode filters (FlateDecode, ASCIIHexDecode).
  5. Deobfuscate JavaScript: Analyze extracted JS for shellcode, heap sprays, or exploit code.
  6. Check VirusTotal: Use peepdf vtcheck to cross-reference file hash with AV detections.
  7. Generate IOCs: Extract URLs, domains, hashes, and shellcode signatures.

Key Concepts

ConceptDescription
/OpenActionAutomatic action executed when PDF is opened
/JavaScript /JSEmbedded JavaScript code in PDF objects
/LaunchAction that launches external applications
/EmbeddedFileFile embedded within the PDF structure
FlateDecodezlib compression filter used to hide content
Object StreamsPDF objects stored in compressed streams

Tools & Systems

ToolPurpose
peepdf / peepdf-3Interactive PDF analysis with JS emulation
pdfid.pyQuick triage scanning for suspicious keywords
pdf-parser.pyDeep object-level PDF parsing
VirusTotalHash lookup and AV detection cross-reference
CyberChefDecode and transform extracted payloads

Output Format

Analysis Report: PDF-MAL-[DATE]-[SEQ]
File: [filename.pdf]
SHA-256: [hash]
Suspicious Keywords: [/JS, /OpenAction, etc.]
Objects with JavaScript: [Object IDs]
Extracted URLs: [List]
Shellcode Detected: [Yes/No]
Embedded Files: [Count and types]
VirusTotal Detections: [X/Y engines]
Risk Level: [Critical/High/Medium/Low]

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC7.2 (Anomaly Detection), CC7.4 (Incident Response)
  • ISO 27001: A.12.2 (Malware Protection), A.16.1 (Security Incident Management)
  • NIST 800-53: SI-3 (Malicious Code Protection), IR-4 (Incident Handling)
  • NIST CSF: DE.CM (Continuous Monitoring), RS.AN (Analysis)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add analyzing-malicious-pdf-with-peepdf

# Or load dynamically via MCP
grc.load_skill("analyzing-malicious-pdf-with-peepdf")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Use with Claw GRC Agents

This skill is fully compatible with Claw GRC's autonomous agent system. Deploy it to any registered agent via MCP, and every execution will be logged in the tamper-evident audit trail.

// Load this skill in your agent
npx claw-grc skills add analyzing-malicious-pdf-with-peepdf
// Or via MCP
grc.load_skill("analyzing-malicious-pdf-with-peepdf")

Tags

malware-analysispdfpeepdfpdfidpdf-parserstatic-analysisreverse-engineeringdfir

Related Skills

Malware Analysis

Analyzing Golang Malware with Ghidra

5m·advanced
Malware Analysis

Performing Memory Forensics with Volatility3 Plugins

3m·advanced
Malware Analysis

Reverse Engineering Ransomware Encryption Routine

5m·advanced
Malware Analysis

Reverse Engineering Rust Malware

3m·advanced
Malware Analysis

Analyzing Android Malware with Apktool

3m·intermediate
Malware Analysis

Performing Static Malware Analysis with PE Studio

7m·intermediate

Skill Details

Domain
Malware Analysis
Difficulty
advanced
Read Time
3 min
Code Examples
1

On This Page

When to UsePrerequisitesWorkflowKey ConceptsTools & SystemsOutput FormatVerification CriteriaCompliance Framework MappingDeploying This Skill with Claw GRC

Deploy This Skill

Add this skill to your Claw GRC agent and start automating.

Get Started Free →