# Malware-analysis-claude-skills: malware-analysis
Orchestrate the complete malware analysis lifecycle across triage, dynamic analysis, detection engineering, and report writing. Use as the single entry point for any malware analysis task — routes to specialized sub-skills by file type and phase, carries findings between phases, and supports multi-sample batch workflows.
```shell
git clone https://github.com/gl0bal01/malware-analysis-claude-skills
git clone --depth=1 https://github.com/gl0bal01/malware-analysis-claude-skills ~/.claude/skills/gl0bal01-malware-analysis-claude-skills-malware-analysis
```
SKILL.md

# Malware Analysis Orchestrator
Single entry point for malware analysis engagements. Routes to specialized sub-skills, carries findings between phases, and manages multi-sample workflows.
## How This Works
You describe what you need — "analyze this sample", "I have 5 files to triage", "create detection rules from my findings" — and this orchestrator:
- Determines which sub-skill to use based on your file type and intent
- Guides you through the analysis using that sub-skill
- Records findings in a state file (`analysis_state.md`)
- Recommends the next phase when the current one completes
- Waits for your confirmation before proceeding
You never need to invoke sub-skills directly.
## Routing Logic
| Signal | Routes To |
|---|---|
| Unknown file / "what is this?" / initial assessment | `malware-triage/SKILL.md` |
| PE executable after triage, needing behavior monitoring | `malware-dynamic-analysis/SKILL.md` |
| .NET / Office / PDF / script / archive / LNK / ELF / HTA / ISO / IMG / VHD / VHDX | `specialized-file-analyzer/SKILL.md` |
| "Create detection rules" / post-analysis phase | `detection-engineer/SKILL.md` |
| "Write the report" / final documentation phase | `malware-report-writer/SKILL.md` |
| YARA rules specifically | `malware-report-writer/SKILL.md` (not detection-engineer) |
Triage is always the entry point for new samples. The table above describes which analysis skill follows triage.
## File Type Priority Order
When routing by file type, use the `file` command output. Check in this order — first match wins:
- "Mono/.Net assembly" → read and follow `specialized-file-analyzer/SKILL.md`
- "Microsoft Office Document" → read and follow `specialized-file-analyzer/SKILL.md`
- "PDF document" → read and follow `specialized-file-analyzer/SKILL.md`
- "ELF" → read and follow `specialized-file-analyzer/SKILL.md`
- "PE32" / "PE64" (only if .NET was NOT matched) → read and follow `malware-triage/SKILL.md`, then `malware-dynamic-analysis/SKILL.md`
- "MS Windows shortcut" (LNK) → read and follow `specialized-file-analyzer/SKILL.md`
- ASCII text / script content → read and follow `specialized-file-analyzer/SKILL.md`
- Archive formats (Zip, RAR, 7z) → read and follow `specialized-file-analyzer/SKILL.md`
- HTML Application (.hta) → read and follow `specialized-file-analyzer/SKILL.md`
- ISO/IMG disk images → read and follow `specialized-file-analyzer/SKILL.md` (mount/extract, then analyze contents)
- VHD/VHDX virtual hard disks → read and follow `specialized-file-analyzer/SKILL.md` (mount/extract, then analyze contents)
- "data" / zero-byte / unrecognized → read and follow `malware-triage/SKILL.md` for manual assessment
.NET is the key ambiguity: `file` outputs both "PE32" and "Mono/.Net assembly" for .NET assemblies. Always check for .NET before checking for PE.
## Phase Sequence
Each sample follows this sequence:
Triage → [Dynamic Analysis OR Specialized File Analysis] → Detection Engineering → Report Writing
- Triage is always first — read and follow `malware-triage/SKILL.md`
- Dynamic analysis for PE executables — read and follow `malware-dynamic-analysis/SKILL.md`
- Specialized file analysis for non-PE files (.NET, Office, PDF, scripts, archives, LNK, ELF) — read and follow `specialized-file-analyzer/SKILL.md`
- Detection engineering consolidates IOCs into Sigma/Suricata rules — read and follow `detection-engineer/SKILL.md`
- Report writing is always last — read and follow `malware-report-writer/SKILL.md`
## Phase Transitions (Suggest-Next Mode)
After each phase completes:
- Summarize what was found in the current phase
- Update `analysis_state.md` with findings and IOCs
- Recommend the next skill with reasoning based on findings
- Wait for user confirmation before proceeding
Never auto-chain phases. Every transition requires user confirmation.
## VM Isolation Boundary
Before dynamic analysis, explicitly remind the user:
"The next phase requires executing the sample in your isolated VM (REMnux/FlareVM). Please:
- Execute the sample with monitoring tools running (Procmon, Wireshark, System Informer (formerly Process Hacker), Sysmon)
- Observe for at least 15 minutes
- Export evidence in text-parseable formats (CSV, JSON, TXT — not PML, PCAP, EVTX)
- Return here with the exported evidence files
I'll analyze the evidence when you're back."
## State File: analysis_state.md
Created in the user's working directory (not this skill repo) when the first sample is provided. Updated after each phase.
### Structure
```markdown
# Malware Analysis — [Engagement Name/Date]
**Analyst:** [name]
**Started:** [date]
**Status:** [In Progress / Complete]

---

## Samples

### Sample 1: [filename]
- **File Type:** [type]
- **MD5:** [hash]
- **SHA1:** [hash]
- **SHA256:** [hash]
- **Size:** [bytes]
- **Priority:** [Immediate / Standard / Low]
- **Classification:** [Trojan / Ransomware / etc. or Pending]
- **Threat Level:** [Critical / High / Medium / Low or Pending]
- **Current Phase:** [Triage / Dynamic Analysis / Specialized Analysis / Detection / Reporting / Complete / Benign]

#### Triage Findings
- [findings appended after triage phase]

#### Analysis Findings
- [findings appended after dynamic/specialized analysis]

#### IOCs Identified
- [accumulated IOCs, defanged]

#### Detection Rules Created
- [list of rules created and their locations]

---

## Next Steps
- [orchestrator's recommendation for what to do next and why]
```
### State File Rules
- Create when the user begins an engagement (first sample provided)
- Append findings after each phase — never overwrite previous findings
- Replace the "Next Steps" section at each transition (not append)
- Resume from state file if the user returns in a new conversation — read `analysis_state.md` to restore context
- All IOCs must be defanged at the point they are recorded to the state file, regardless of which phase produces them
## Multi-Sample Batch Workflow
- Intake: Prompt for all known samples upfront — "How many samples do you have? Let's list them all before we begin."
- Batch triage: Quick triage pass on all samples (5-10 min each — hashes, file type, reputation check, classification per the triage skill's "Quick Triage" tier)
- Priority ranking: Rank samples as Immediate / Standard / Low based on triage findings
- Sequential deep analysis: Guide the user through deep analysis of high-priority samples one at a time, following the full phase sequence per sample
- State tracking: Update state file per-sample so the user can see which samples are triaged, analyzed, and reported
## Conventions Enforced
- All IOCs in state files and reports must be defanged (`hxxp://`, `[.]com`, `[@]`)
- Reports always include all three hash types: MD5, SHA1, SHA256
- Evidence must be in text-parseable formats (CSV, JSON, TXT)
- Detection rules (YARA, Sigma, Suricata) must be tested before inclusion
- MITRE ATT&CK technique IDs must be tagged in Sigma rules
- Sigma rules require unique UUIDs
- Custom Suricata rules use SIDs starting at 1000000+
## IOC Defanging Ownership
Each phase defangs IOCs before appending them to the state file. The `detection-engineer` sub-skill handles bulk defanging, format conversion (STIX, CSV, OpenIOC), and confidence assessment during its dedicated phase.
## Edge Cases
- User wants to skip a phase: Allow it, note the skip in the state file, and proceed to the requested phase
- User provides evidence without explicit routing: Infer the phase from evidence type (Procmon CSV → dynamic analysis, Sysmon JSON → dynamic analysis, olevba output → specialized file analysis, etc.)
- Session restart: Read `analysis_state.md` to restore context and resume from the last recorded phase
- Single sample, known type: Skip batch triage and go directly to the appropriate skill
- User explicitly requests a specific sub-skill: Defer to the user's choice
- Benign sample: If triage determines a sample is clean/benign, mark its phase as `Benign` in the state file, note the reasoning, and move to the next sample. Do not proceed with further analysis phases.
- Unrecognized file type: If `file` output doesn't match any known routing pattern, default to `malware-triage/SKILL.md` for manual assessment. Note the unknown type in the state file.
- State file conflicts: If an existing `analysis_state.md` is found, ask whether to resume the existing engagement or start a new one (with a timestamped filename like `analysis_state_2026-03-15.md`)
- Running from the skill repo: If the working directory appears to be this skill repository itself (contains `malware-triage/`, `detection-engineer/`, etc. as subdirectories), warn the user and ask them to switch to their analysis workspace before creating a state file
## Sub-Skill Reference
The orchestrator delegates to these sub-skills by reading their SKILL.md files at execution time:
| Sub-Skill | Path | Purpose |
|---|---|---|
| Malware Triage | `malware-triage/SKILL.md` | Rapid assessment, classification, prioritization |
| Dynamic Analysis | `malware-dynamic-analysis/SKILL.md` | Safe execution, behavior monitoring in isolated VMs |
| Specialized File Analyzer | `specialized-file-analyzer/SKILL.md` | Non-PE file analysis (.NET, Office, PDF, scripts, archives, LNK, ELF) |
| Detection Engineer | `detection-engineer/SKILL.md` | Sigma rules, Suricata rules, hunting queries, IOC defanging |
| Report Writer | `malware-report-writer/SKILL.md` | Professional reports, YARA rules, quality checklists |
When entering a phase, read the corresponding SKILL.md file and follow its instructions. Carry forward the accumulated state from previous phases.
## MCP Server Integrations (Optional)
MCP servers can automate manual steps like hash lookups and IOC enrichment. If available, use them to accelerate the workflow — but they are not required.
See `references/mcp_integrations.md` for setup instructions and a mapping of which MCP servers benefit which skills. The two highest-impact integrations are:
- VirusTotal MCP — automates hash/URL/domain reputation checks during triage
- Threat Intel MCP — unified access to MalwareBazaar, ThreatFox, AbuseIPDB, and GreyNoise for IOC validation