Analyzing Malicious PDF with peepdf

When to Use

• When triaging suspicious PDF attachments from phishing emails
• During malware analysis of PDF-based exploit documents
• When extracting embedded JavaScript, shellcode, or executables from PDFs
• For forensic examination of weaponized document artifacts
• When building detection signatures for PDF-based threats

Prerequisites

• Python 3.8+ with peepdf-3 installed (pip install peepdf-3)
• pdfid.py and pdf-parser.py from Didier Stevens suite
• Isolated analysis environment (VM or sandbox)
• Optional: PyV8 for JavaScript emulation within peepdf
• Optional: Pylibemu for shellcode analysis

Workflow