Skip to content
PEframe is a open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
YARA Other
  1. YARA 99.0%
  2. Other 1.0%
Branch: master
Clone or download

Latest commit

Latest commit 2fb4eeb May 5, 2020


Type Name Latest commit message Commit time
Failed to load latest commit information.
peframe fixed timeout on yara check Nov 7, 2019
README.rst Update README.rst May 5, 2020 Update Jul 9, 2019 Update Jul 3, 2019
requirements.txt peframe 6 Mar 4, 2019 Update Jul 3, 2019



peframe is a open source tool to perform static analysis on Portable Executable malware and generic suspicious file. It can help malware researchers to detect packer, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions, macro and much more information about the suspicious files.



sudo apt install git
git clone
cd peframe

Installation script for Ubuntu

sudo bash

Installation (prerequisites required)

sudo python3 install


The following prerequisites are required to be installed on your system before you can install and use peframe.

python >= 3.6.6


peframe -h

peframe filename            Short output analysis
peframe -i filename         Interactive mode
peframe -j filename         Full output analysis JSON format
peframe -x STRING filename  Search xored string
peframe -s filename         Strings output


You can edit "config-peframe.json" file in "config" folder to configure virustotal API key. After installation you can use "peframe -h" to find api_config path.

How to work

MS Office (macro) document analysis with peframe 6.0.1

PE file analysis with peframe 6.0.1

Talk about...


This tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at or twitter @guelfoweb. Suggestions and criticism are welcome.

You can’t perform that action at this time.