This repository contains two powerful tools for security analysis:
- Malicious PDF Analyzer
- File Analysis and VirusTotal Integration Tool
- VirusTotal IOC Analyzer
A Python script that analyzes potentially malicious PDF files and extracts embedded binary data. This tool provides valuable insights into the structure and content of suspicious PDF files, helping security researchers and analysts identify potential threats.
- Analyzes PDF files for various indicators of malicious content
- Extracts embedded binary files from PDFs
- Generates a comprehensive analysis report
- Calculates MD5 checksum of the PDF file
- Detects embedded JavaScript
- Counts occurrences of binary data, objects, streams, and comments
- Checks for the presence of URIs
- Identifies potential errors or suspicious elements
- Python 3.x
- PyPDF2 library
-
Clone this repository: git clone https://github.com/malwaredev/malicious-pdf-analyzer.git
-
Install the required dependencies: pip install PyPDF2
-
Replace
'path/to/your/pdf/file.pdf'in the script with the actual path to your PDF file. -
Run the script: python pdf_analyzer.py
-
The script will generate two output files in the current directory:
pdf_analysis_output.txt: Contains the detailed analysis reportextracted_binary_data.bin: Contains any extracted binary data from the PDF (if present)
The analysis report includes the following information:
- File name
- MD5 checksum
- File size
- Presence of embedded JavaScript
- Count of binary data occurrences
- Number of objects
- Number of streams
- Presence of URIs
- Number of comments
- List of potential errors or suspicious elements
This script is intended for use by security professionals and researchers. Always handle potentially malicious files with care and in a secure, isolated environment.
Contributions, issues, and feature requests are welcome. Feel free to check issues page if you want to contribute.
================================================================================================================================================================================================
A powerful PowerShell script for comprehensive file analysis and VirusTotal integration, designed for security professionals and researchers.
- Calculate multiple hash algorithms (MD5, SHA1, SHA256, SHA384, SHA512) for files
- Check file hashes against VirusTotal
- Upload files to VirusTotal
- Retrieve detailed file information from VirusTotal
- Process individual files or entire folders
- Monitor folders for new files
- Combine log files in text or JSON format
- PowerShell 5.1 or later
- VirusTotal API key
- Clone this repository or download the script file.
- Open PowerShell and navigate to the script directory.
- Run the script: ```powershell
.\VirusTotal_Folder_Monitor.ps1 - Follow the prompts to:
Enter the path of the file or folder to analyze Choose hash algorithms Provide your VirusTotal API key Select verbose output option
Main Functions Get-MultipleFileHashes: Calculates multiple hash algorithms for a file Check-VirusTotal: Checks a file hash on VirusTotal Upload-To-VirusTotal: Uploads a file to VirusTotal Get-AdditionalFileInfo: Retrieves additional file information from VirusTotal Process-Files: Processes files in a folder, calculating hashes and checking VirusTotal Monitor-Folder: Monitors a folder for new files and processes them Combine-LogFiles: Combines multiple log files into a single file (text or JSON format) Log Files The script generates two types of log files: Hash log: Contains file hashes VirusTotal log: Contains VirusTotal analysis results Log files are saved on the desktop with timestamps in the filename.
Notes Be cautious when uploading files to VirusTotal, as they become publicly accessible. Respect VirusTotal's API usage limits and terms of service. This script is intended for use by security professionals and researchers. Always handle potentially malicious files with care and in a secure, isolated environment.
Contributions, issues, and feature requests are welcome. Feel free to check issues page if you want to contribute.
=====================================================================================================================================================
This Python script analyzes Indicators of Compromise (IOCs) using the VirusTotal API. It processes various types of IOCs including file hashes, IP addresses, URLs, and domain names. The script generates comprehensive reports in both CSV and JSON formats, providing detailed analysis and statistics about the submitted IOCs.
- Supports multiple IOC types: File hashes (MD5, SHA1, SHA256, SHA512), IP addresses, URLs, and domain names
- Batch processing of IOCs to optimize API usage
- Option to remove duplicates from input
- Option to consolidate results for different checksums of the same file
- Retrieves YARA rule names for more accurate threat identification
- Generates color-coded detection results
- Performs statistical analysis on the results
- Conducts text-based clustering analysis for domains and URLs
- Analyzes IP ranges to identify related infrastructure
- Outputs detailed CSV and JSON reports
- Python 3.6+
- Required Python packages:
- requests
- pandas
- numpy
- scikit-learn
-
Clone the repository:
git clone https://github.com/yourusername/virustotal-ioc-analyzer.git cd virustotal-ioc-analyzer -
Install the required libraries:
pip install pandas numpy scikit-learn requests
-
Prepare your IOC file:
- The IOC file should be a tab-separated values (TSV) file with two columns: the IOC type and the IOC value.
- Example:
FileHash-SHA256 d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2 IPv4 192.168.1.1 URL http://example.com domain example.com
-
Run the script:
python VT_IOC_Analyzer.py
-
Follow the prompts:
- Enter the path to your IOC file
- Provide your VirusTotal API key
- Choose whether to remove duplicates
- Decide if you want to consolidate results for different checksums of the same file
- The script will process the IOCs and generate two output files:
ioc_report.csv: A CSV file containing detailed results for each IOCioc_analysis_report.json: A JSON file with comprehensive analysis including statistics and clustering results
The CSV report includes the following information for each IOC:
- IOC value
- IOC type
- Detection count
- Color-coded risk level
- Country
- ASN
- First seen date
- Last seen date
- Threat name (based on YARA rules)
- File name (for file hashes)
- File type
The JSON report contains:
- Statistical analysis of all IOCs
- Text-based clustering analysis for domains and URLs
- IP range analysis
- Raw results for each IOC
- This script requires a VirusTotal API key. You can obtain one by signing up at VirusTotal.
- Be mindful of VirusTotal's API usage limits. The script implements rate limiting to comply with these restrictions.
Output:
Acknowledgments VirusTotal for providing the API to analyze IOCs. scikit-learn for providing the tools for clustering analysis. pandas and numpy for data manipulation and analysis.
Contributing Contributions are welcome! Please open an issue or submit a pull request for any improvements or bug fixes. License This project is licensed under the MIT License. See the LICENSE file for details.