/peframe

PEframe is a open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.

Primary LanguageYARA

peframe

peframe is a open source tool to perform static analysis on Portable Executable malware and generic suspicious file. It can help malware researchers to detect packer, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions, macro and much more information about the suspicious files.

Install

Download

sudo apt install git
git clone https://github.com/guelfoweb/peframe.git
cd peframe

Installation script for Ubuntu

sudo bash install.sh

Installation (prerequisites required)

sudo python3 setup.py install

Prerequisites

The following prerequisites are required to be installed on your system before you can install and use peframe.

python >= 3.6.6
pyton3-pip
libssl-dev
swig

Usage

peframe -h

peframe filename            Short output analysis
peframe -i filename         Interactive mode
peframe -j filename         Full output analysis JSON format
peframe -x STRING filename  Search xored string
peframe -s filename         Strings output

Note

You can edit "config-peframe.json" file in "config" folder to configure virustotal API key. After installation you can use "peframe -h" to find api_config path.

How to work

MS Office (macro) document analysis with peframe 6.0.1

PE file analysis with peframe 6.0.1

Talk about...

Other

This tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at guelfoweb@gmail.com or twitter @guelfoweb. Suggestions and criticism are welcome.