Malware Analysis Skills - Complete Toolkit

Complete Claude skills package covering every phase of malware analysis from initial triage to production-ready detection rules.

💡 Want to learn the manual analysis techniques behind these skills? Check out the comprehensive Malware Analysis SOP covering traditional analysis methods and tools.

---

📦 What's Included

5 Specialized Skills covering the complete malware analysis lifecycle:

1. malware-triage - Initial assessment and prioritization
2. malware-dynamic-analysis - Safe execution and behavior monitoring
3. specialized-file-analyzer - Non-PE file analysis (.NET, Office, PDF, scripts)
4. detection-engineer - Detection rules and IOC management
5. malware-report-writer - Professional report creation

---

🎯 Quick Skill Selector

Not sure which skill to use? Use this decision tree:

START: What do you need to do?

├─ "I need to quickly assess a sample" → Use: malware-triage
│
├─ "I need to execute malware safely and monitor it" → Use: malware-dynamic-analysis
│
├─ "I have a document/script/non-executable" → Use: specialized-file-analyzer
│  ├─ .NET/C# assembly (.exe with .NET)
│  ├─ Office document with macros (.docm, .xlsm)
│  ├─ PDF file
│  ├─ PowerShell/VBS/JavaScript
│  ├─ Archive (.zip, .rar, .7z)
│  ├─ Linux binary (ELF)
│  └─ Shortcut file (.lnk)
│
├─ "I need to create detection rules or defang IOCs" → Use: detection-engineer
│  ├─ YARA rules → Use: malware-report-writer
│  ├─ Sigma rules (SIEM) → Use: detection-engineer
│  ├─ Suricata rules (IDS) → Use: detection-engineer
│  └─ Defang IOCs → Use: detection-engineer
│
└─ "I need to write a malware analysis report" → Use: malware-report-writer

---

📊 Skills Comparison Matrix

Skill Name	When to Use	Primary Output
malware-triage	First look at unknown sample	Classification, priority, initial IOCs
malware-dynamic-analysis	Execute and monitor behavior	Behavioral IOCs, process tree, network traffic
specialized-file-analyzer	Non-PE files (docs, scripts, etc.)	Deobfuscated code, embedded payloads, IOCs
detection-engineer	Create detection rules, defang IOCs	Sigma/Suricata rules, hunting queries
malware-report-writer	Document findings professionally	Complete technical report, YARA rules

---

🚀 Getting Started

Installation (2 minutes)

1. Upload Skills to Claude

   • Open Claude (claude.ai)
   • Click paperclip icon (📎)
   • Upload all 5 .skill folders or individual SKILL.md files
   • Skills install automatically

2. Verify Installation

   Ask Claude: "What skills do you have?"
   Should list: malware-triage, malware-dynamic-analysis, etc.
   

3. Start Analyzing

   "Help me triage this suspicious .exe file"
   "Guide me through safely executing this malware"
   "Analyze this Office document with macros"
   

---

🔐 Using with REMnux/FlareVM (Offline Analysis)

The Offline Challenge

Problem: Malware analysis VMs should be isolated with NO internet, but Claude Code requires internet.

Solution: Run Claude Code on your HOST machine, analyze exported evidence from isolated VMs.

Network Architecture

┌─────────────────────────────────────────────────────┐
│  HOST MACHINE (Internet-connected)                  │
│  • Claude Code running here                         │
│  • Skills loaded and ready                          │
│  • Analyzes exported evidence                       │
│  • Creates reports and detection rules              │
└──────────────────┬──────────────────────────────────┘
                   │
                   │ Evidence Transfer:
                   │ • Shared folder (read-only)
                   │ • USB drive
                   │ • Isolated network file share
                   │
┌──────────────────▼──────────────────────────────────┐
│  ANALYSIS VM (Isolated - NO Internet)               │
│  REMnux / FlareVM                                   │
│  • Execute malware here                             │
│  • Run monitoring tools                             │
│  • Capture evidence                                 │
│  • Export results only                              │
└─────────────────────────────────────────────────────┘

Recommended Directory Structure

Set up on your HOST machine:

/malware-analysis/
├── samples/              # Store original samples (DO NOT share with VM)
├── evidence/             # Evidence exported FROM analysis VM
│   ├── strings/          # strings output
│   ├── procmon/          # Process Monitor logs (CSV)
│   ├── wireshark/        # Network captures (text exports)
│   ├── sysmon/           # Sysmon event logs (JSON/CSV)
│   ├── memory/           # Memory dump analysis results
│   └── screenshots/      # Behavior screenshots
├── analysis/             # Claude Code analysis workspace
│   ├── notes.md
│   └── findings.md
├── detections/           # Detection rules created by Claude Code
│   ├── yara/
│   ├── sigma/
│   └── suricata/
└── reports/              # Final deliverables
    └── malware_report.md

Complete Workflow

Phase 1: Setup (One-time)

On Analysis VM (REMnux/FlareVM):

# Configure shared folder or USB mount point
mkdir /mnt/evidence_export
# Make it write-only if possible

On Host Machine:

# Create analysis structure
mkdir -p /malware-analysis/{evidence,analysis,detections,reports}
cd /malware-analysis

Phase 2: Pre-Analysis (Claude Code on Host)

# Use malware-triage skill
"Help me prepare for analyzing a suspected ransomware sample"
"What Procmon filters should I configure for ransomware?"
"What Wireshark display filters should I use for C2 traffic?"
"What Sysmon events should I focus on for persistence?"

Claude Code will guide you through:

• Tool configuration commands
• Filter setup
• Monitoring checklist

Phase 3: Execution (Manual on Analysis VM)

In your Analysis VM terminal:

# 1. Take snapshot
virsh snapshot-create malware-analysis-vm

# 2. Start monitoring tools
# - Procmon (with filters from Claude)
# - Wireshark
# - Process Hacker
# - Regshot (1st shot)

# 3. Execute malware
./malware.exe

# 4. Monitor for 15+ minutes

# 5. Stop all captures

# 6. Export evidence to shared folder
cp procmon_filtered.csv /mnt/evidence_export/
cp wireshark_http.txt /mnt/evidence_export/
wevtutil epl Microsoft-Windows-Sysmon/Operational /mnt/evidence_export/sysmon.evtx
# Convert to CSV or JSON for easier analysis

# 7. Take screenshots of any unusual behavior

# 8. Revert to snapshot
virsh snapshot-revert malware-analysis-vm <snapshot-name>

Phase 4: Analysis (Claude Code on Host)

Now use Claude Code with your skills:

4a. Triage the Evidence:

cd /malware-analysis/evidence

# In Claude Code:
"Triage this sample based on the evidence I've collected"
Read procmon/malware_activity.csv
Read wireshark/http_traffic.txt
Read sysmon/events.json

"What type of malware is this?"
"What are the key IOCs?"
"What persistence mechanisms were used?"

4b. Deep Analysis:

# Use specialized-file-analyzer if needed
"Analyze this PowerShell script extracted from memory"
Read evidence/memory/decoded_script.ps1

# Use malware-dynamic-analysis skill
"Analyze this Procmon output for ransomware encryption behavior"
"What C2 infrastructure was contacted based on this network capture?"

4c. Create Detections:

# Use detection-engineer skill
"Create Sigma rules for this malware based on the Sysmon events"
Read evidence/sysmon/events.csv

"Create a Suricata rule for this C2 traffic"
Read evidence/wireshark/c2_communication.txt

"Defang all these IOCs for my report"
# Claude will create rules in detections/ folder

4d. Write Report:

# Use malware-report-writer skill
"Create a complete malware analysis report based on my findings"
"Include these Procmon behaviors: [paste key findings]"
"Network indicators: [paste from Wireshark]"
"Persistence mechanisms: [paste from Sysmon]"

# Claude will generate the full report in reports/

What Claude Code CAN and CANNOT Do

✅ Claude Code WILL Help With:

Analysis of Tool Outputs:

• Read and interpret Procmon CSV exports
• Analyze Wireshark text exports (HTTP objects, DNS queries)
• Parse Sysmon event logs (CSV/JSON)
• Interpret strings output
• Analyze PE header info from tools
• Review memory dump analysis results

Tool Setup Guidance:

• Procmon filter configuration
• Wireshark display filters
• Sysmon config recommendations
• INetSim/FakeNet setup
• VM isolation verification

Detection Creation:

• YARA rules from your findings
• Sigma rules from Sysmon events
• Suricata rules from network captures
• Hunting queries for EDR/SIEM
• IOC defanging and formatting

Report Writing:

• Complete malware analysis reports
• Executive summaries
• Technical documentation
• IOC lists with context
• Remediation recommendations

❌ Claude Code WILL NOT:

Execute Malware:

• Won't run ./malware.exe
• Won't help improve malware code
• Won't make malware more evasive

Read Raw Binaries Directly:

• Won't directly analyze PE/ELF files
• Use tools first (strings, objdump, etc.)
• Then have Claude analyze the output

Practical Example Session

# ===== On Analysis VM (Manual) =====
analyst@remnux:~$ strings malware.exe > /mnt/export/strings.txt
analyst@remnux:~$ objdump -d malware.exe > /mnt/export/disasm.txt
analyst@remnux:~$ # Execute malware with monitoring
analyst@remnux:~$ cp evidence/* /mnt/export/

# ===== On Host (Claude Code) =====
you@host:~$ cd /malware-analysis/evidence
you@host:~$ # In Claude Code session:

> "Help me triage this sample"
> Read strings.txt
> Read procmon_export.csv

Claude: "Based on the evidence, this appears to be a remote access
trojan (RAT). Key indicators:
- Network connection to 185.220.101.x:4444
- Registry persistence via Run key
- Process injection into explorer.exe
- Keylogging behavior (GetAsyncKeyState calls)
..."

> "Create detection rules for this RAT"

Claude: [Creates YARA rule, Sigma rule, Suricata rule]

> "Write the complete analysis report"

Claude: [Generates full professional report]

Pro Tips

1. Export Evidence in Text Formats:

   • Procmon → CSV (not .PML)
   • Wireshark → Text export, HTTP objects
   • Sysmon → CSV or JSON
   • Memory analysis → Text output

2. Use Read-Only Shares:

   • VM can only write to share, not read
   • Prevents VM from accessing your host files

3. Batch Analysis:

   • Analyze multiple samples
   • Export all evidence
   • Use Claude Code to batch analyze

4. Templates and Automation:

   • Create export scripts in VM
   • Use Claude Code to create analysis templates
   • Streamline your workflow

5. Version Control:

   • Keep analysis notes in git
   • Track detection rule versions
   • Version your reports

Troubleshooting

Q: Claude Code refuses to read my evidence file A: Ensure it's in text format (CSV, JSON, TXT), not binary (PML, PCAP, EVTX)

Q: How do I convert PCAP to text? A: Use tshark:

tshark -r capture.pcap -Y http -T fields -e http.host -e http.request.uri > http_traffic.txt

Q: How do I convert EVTX to CSV? A: On Windows:

Get-WinEvent -Path sysmon.evtx | Export-Csv sysmon.csv

Q: Claude Code says file is too large A: Filter or summarize first:

# Instead of reading all 50k lines
grep "malware.exe" procmon_huge.csv > procmon_filtered.csv
# Then read the filtered version

---

📚 Detailed Skill Documentation

1. Malware Triage

Purpose: Rapid initial assessment (5-30 minutes per sample)

Use When:

• You have a new unknown sample
• Need to prioritize multiple samples
• Want quick classification before deep analysis
• Time-constrained analysis

Provides:

• File hashing (MD5, SHA1, SHA256)
• Online reputation lookup guidance
• PE structure analysis
• String extraction workflow
• Malware type classification
• Threat level assessment
• Behavior prediction
• Priority determination
• Triage report template

Key Features:

• Structured 5-phase workflow
• Suspicious API import database
• Classification decision tree
• Time management strategies
• Integration with full analysis

Files:

malware-triage/
├── SKILL.md
├── references/
│   ├── indicators.md          # Suspicious APIs & patterns
│   └── triage_checklist.md    # Step-by-step guide
└── scripts/
    └── hash_calculator.py

---

2. Malware Dynamic Analysis

Purpose: Safe execution and comprehensive behavior monitoring

Use When:

• Need to observe actual malware behavior
• Validating static analysis hypotheses
• Capturing C2 communications
• Documenting runtime activity
• Extracting dynamic IOCs

Provides:

• Pre-execution safety checklist
• Tool setup (Procmon, Wireshark, Process Hacker, Sysmon)
• Monitoring workflows for:
  • Process activity and injection
  • File system operations
  • Registry modifications
  • Network communications
  • Persistence mechanisms
• Artifact collection procedures
• Automated sandbox usage (ANY.RUN, Joe Sandbox)
• Evidence export workflows

Key Features:

• Safety-first approach with isolation verification
• Step-by-step tool configuration
• Real-time monitoring guidance
• Behavioral IOC extraction
• Timeline creation
• Integration with report writing

Files:

malware-dynamic-analysis/
├── SKILL.md
├── references/
│   ├── tool_setup.md              # Procmon, Wireshark, etc.
│   ├── sandbox_setup.md           # Local sandbox installation
│   └── anti_analysis_bypass.md    # VM detection bypass
└── scripts/
    └── (monitoring automation scripts)

---

3. Specialized File Analyzer

Purpose: Analyze non-PE file formats requiring specialized tools

Use When You Encounter:

• .NET/C# Assemblies - Managed executables requiring decompilation
• Office Documents - Word/Excel with VBA/XLM macros
• PDF Files - Suspicious PDFs with JavaScript/exploits
• Scripts - PowerShell, VBScript, JavaScript, Batch files
• Archives - ZIP, RAR, 7z, TAR.GZ
• Shortcuts - .LNK files
• Linux Binaries - ELF executables

Provides:

• Per-Format Workflows:
  • .NET: dnSpy/ILSpy decompilation, de4dot deobfuscation
  • Office: oledump/olevba macro extraction, XLM macro analysis
  • PDF: pdfid/pdf-parser/peepdf JavaScript extraction
  • PowerShell: PSDecode deobfuscation, pattern analysis
  • Scripts: Deobfuscation techniques
  • Archives: Safe inspection and extraction
  • LNK: LECmd/lnkinfo analysis
  • ELF: readelf/strace/ltrace analysis

Key Features:

• Quick file type identification
• Format-specific tooling
• Deobfuscation techniques
• IOC extraction per format
• Integration with main report

Files:

specialized-file-analyzer/
├── SKILL.md
├── references/
│   ├── dotnet_analysis.md
│   ├── office_macros.md
│   ├── pdf_analysis.md
│   └── script_analysis.md
└── scripts/
    └── (format-specific helpers)

---

4. Detection Engineer

Purpose: Convert analysis findings into production detection rules

Use When You Need:

• Sigma Rules for SIEM (Splunk, Elastic, QRadar, Sentinel)
• Suricata/Snort Rules for network IDS/IPS
• Hunting Queries for SOC/threat hunting
• IOC Defanging for safe documentation
• IOC Format Conversion (CSV, STIX, OpenIOC)

Provides:

• IOC defanging workflows (URLs, IPs, domains, emails)
• IOC confidence & volatility assessment
• Sigma rule creation:
  • Process creation detection
  • Network connection monitoring
  • Registry modification detection
  • File creation alerts
  • Logsource configuration
  • Sigma-to-SIEM conversion
• Suricata rule creation:
  • HTTP/HTTPS C2 detection
  • DNS query monitoring
  • TLS/certificate analysis
  • Malware download detection
• Hunting query templates (Splunk, Elastic, EDR)
• IOC export formats (STIX 2.1, CSV, OpenIOC)

Key Features:

• Automated IOC defanging
• Rule testing procedures
• False positive analysis
• MITRE ATT&CK tagging
• Multi-format export

Files:

detection-engineer/
├── SKILL.md
├── references/
│   ├── sigma_examples.md
│   ├── suricata_examples.md
│   └── ioc_standards.md
└── scripts/
    └── ioc_defanger.py

---

5. Malware Report Writer

Purpose: Create professional, enterprise-ready malware analysis reports

Use When:

• Documenting analysis findings
• Creating formal deliverables
• Writing for executive/technical audiences
• Formalizing IOCs and detection rules
• Creating YARA signatures

Provides:

• Complete report template (12 sections)
• Executive summary guidelines
• Technical analysis structure
• IOC documentation standards
• YARA rule creation (testing + validation)
• Remediation recommendations
• Quality assurance checklist
• Efficient workflow strategies

Key Features:

• Multi-audience writing guidance
• YARA rule best practices
• Common mistakes to avoid
• Section-by-section templates
• Professional formatting

Files:

malware-report-writer/
├── SKILL.md
├── assets/
│   └── report_template.md         # Complete report structure
└── references/
    └── best_practices.md           # Writing standards & tips

---

🔄 Complete Analysis Workflow

Phase 1: Initial Triage

Skill: malware-triage

1. Calculate hashes for all samples
2. Quick reputation lookups (VirusTotal, MalwareBazaar)
3. Rapid classification
4. Prioritize samples (High/Medium/Low)
5. Document initial findings

Output: Triage reports for all samples, priority list

---

Phase 2: Deep Analysis

For Standard PE Executables: Skill: malware-dynamic-analysis

1. Setup isolated VM environment
2. Configure monitoring tools (Procmon, Wireshark, Process Hacker)
3. Execute malware
4. Monitor behavior (15-60 minutes)
5. Extract behavioral IOCs
6. Collect artifacts

For Non-PE Files: Skill: specialized-file-analyzer

1. Identify file type (file command)
2. Select appropriate analysis tool:
   • .NET → dnSpy/ILSpy
   • Office → oledump/olevba
   • PDF → pdfid/pdf-parser
   • Scripts → PSDecode/manual analysis
   • ELF → readelf/strace
3. Extract/deobfuscate content
4. Document functionality
5. Extract IOCs

Output: Complete technical analysis, behavioral IOCs, screenshots, PCAPs

---

Phase 3: Detection Engineering

Skill: detection-engineer

1. Review all extracted IOCs
2. Defang IOCs for documentation
3. Assess IOC confidence levels
4. Create Sigma rules for behavioral detection
5. Create Suricata rules for network detection
6. Generate hunting queries
7. Test all rules

Output: Tested Sigma rules, Suricata rules, defanged IOC list, hunting queries

---

Phase 4: Report Documentation

Skills: malware-report-writer + detection-engineer

1. Draft technical sections

   • Sample information
   • Static analysis findings
   • Dynamic analysis observations
   • Specialized file analysis results

2. Add detection content

   • YARA rules (test against sample!)
   • Sigma rules
   • Suricata rules
   • Defanged IOCs with confidence ratings
   • Remediation recommendations

3. Write non-technical sections

   • Executive summary
   • Malware classification
   • Conclusion
   • Appendices

4. Quality assurance

   • Run through quality checklist
   • Test all detection rules
   • Verify all hashes
   • Grammar/spelling check
   • Final formatting

Output: Professional malware analysis report (PDF)

---

💡 Usage Examples

Example 1: Complete Analysis Workflow

User: "I need to analyze this suspicious .exe sample"

Workflow:
1. "Help me triage this sample" → malware-triage
   - Calculates hashes
   - Checks VirusTotal
   - Analyzes PE structure
   - Classifies as trojan/RAT
   - Priority: High

2. "Guide me through dynamic analysis" → malware-dynamic-analysis
   - Verifies VM isolation
   - Sets up Procmon, Wireshark, Process Hacker
   - Executes sample
   - Monitors for 15 minutes
   - Extracts behavioral IOCs

3. "Create detection rules for this malware" → detection-engineer
   - Defangs all IOCs
   - Creates Sigma rule for process injection
   - Creates Suricata rule for C2 traffic
   - Generates hunting queries

4. "Help me write the analysis report" → malware-report-writer
   - Uses report template
   - Structures all findings
   - Creates YARA rule
   - Reviews with quality checklist

Example 2: Office Document with Macro

User: "I have a suspicious Word document with macros"

Workflow:
1. "Help me triage this .docm file" → malware-triage
   - Identifies Office document
   - Checks VirusTotal
   - Classifies as macro dropper

2. "Analyze the macros in this document" → specialized-file-analyzer
   - Guides oledump.py usage
   - Extracts VBA macro code
   - Identifies AutoOpen function
   - Deobfuscates strings
   - Finds PowerShell download cradle

3. "Create detections for this macro malware" → detection-engineer
   - Defangs URLs from macro
   - Creates Sigma rule for macro execution
   - Creates hunting query for similar documents

4. "Write the report" → malware-report-writer
   - Documents macro analysis
   - Includes sanitized macro code
   - Creates YARA rule for document

Example 3: Multi-Sample Triage

User: "I have 10 samples to analyze, help me prioritize"

Workflow:
1. "Triage all 10 samples" → malware-triage (use 10 times)
   - Quick triage (5-10 min each)
   - Hash + VirusTotal for all
   - Classifications recorded
   - Priority assigned

2. Results:
   - 3 High Priority (unknown/sophisticated)
   - 5 Medium Priority (known variants)
   - 2 Low Priority (common adware)

3. Strategy:
   - Phase 1-2: Deep analysis on 3 high-priority samples
   - Phase 2-3: Quick analysis on 5 medium-priority samples
   - Document low-priority findings (note in report)

---

⚡ Pro Tips for Effective Analysis

Time Management

• ✅ Triage ALL samples first (prioritize effectively)
• ✅ Document as you analyze (don't leave for the end)
• ✅ Create detection rules during analysis (not as an afterthought)
• ✅ Test YARA rules immediately (avoid failures later)
• ❌ Don't spend excessive time on one sample (spread effort wisely)

Quality Over Quantity

• ✅ Better to deeply analyze 2-3 samples than shallowly analyze 10
• ✅ Focus on creating working detection rules
• ✅ Document methodology clearly
• ❌ Don't submit untested YARA/Sigma rules

Use Skills Strategically

• ✅ Triage skill for ALL samples (fast initial assessment)
• ✅ Dynamic analysis for unknowns (need behavioral data)
• ✅ Specialized file analyzer when needed (don't force PE analysis on docs)
• ✅ Detection engineer at the end (consolidate IOCs)
• ✅ Report writer continuously (update as you go)

---

🎓 Skill-Specific Best Practices

Malware Triage

• Use quick triage (5 min) for initial all-sample sweep
• Use standard triage (15 min) for high-priority samples
• Don't skip hash calculation (required for all samples)
• Document predicted behaviors (guides dynamic analysis)

Malware Dynamic Analysis

• ALWAYS verify VM isolation before execution
• Start monitoring tools BEFORE executing malware
• Observe for minimum 15 minutes (some malware delays)
• Export ALL artifacts before reverting VM
• Take screenshots of unusual behavior

Specialized File Analyzer

• File type first - use file command to confirm
• Right tool for format - don't use PE tools on Office docs
• Test deobfuscation output (ensure it makes sense)
• Save both obfuscated and deobfuscated versions
• Document deobfuscation methodology

Detection Engineer

• Always defang IOCs in reports (avoid accidental clicks)
• Test rules before documenting (must work!)
• Label IOC confidence (High/Medium/Low)
• Note IOC volatility (Static/Dynamic)
• Include false positive analysis

Malware Report Writer

• Executive summary last (after understanding full scope)
• Test all YARA rules against sample AND clean files
• Use quality checklist before submission
• Grammar/spelling matters (professional appearance)
• Include all three hashes (MD5, SHA1, SHA256)

---

📖 Additional Resources

Malware Analysis Training

• TCM Security: Practical Malware Analysis & Triage (https://certifications.tcm-sec.com/pmrp/)
• SANS: FOR610, FOR710 malware analysis courses
• Open Security Training: Free malware analysis courses

Malware Sample Sources (Practice)

• MalwareBazaar: https://bazaar.abuse.ch/
• VirusTotal: https://www.virustotal.com/
• Hybrid Analysis: https://www.hybrid-analysis.com/

Tool Documentation

• Sysinternals Suite: https://docs.microsoft.com/en-us/sysinternals/
• Wireshark: https://www.wireshark.org/docs/
• dnSpy: https://github.com/dnSpy/dnSpy
• Didier Stevens Tools: https://blog.didierstevens.com/programs/
• Sigma: https://github.com/SigmaHQ/sigma
• Suricata: https://docs.suricata.io/

Reference Materials

• SANS Malware Analysis Cheat Sheet: https://www.sans.org/posters/
• MITRE ATT&CK: https://attack.mitre.org/
• MalAPI.io (Windows APIs): https://malapi.io/

---

❓ Frequently Asked Questions

Q: Do I need to use all 5 skills? A: No! Use skills based on your specific needs. Triage and report-writer are most common. Others are situational.

Q: Can I use these skills for real-world work? A: Absolutely! These skills are based on enterprise malware analysis standards and workflows.

Q: Which skill should I start with? A: Always start with malware-triage for initial assessment, then branch to others as needed.

Q: How do I know if a file needs specialized-file-analyzer? A: Run file sample.bin. If output shows: .NET assembly, Office document, PDF, script, or ELF → use specialized-file-analyzer.

Q: Are these skills suitable for professional work? A: Yes! These skills are based on industry-standard malware analysis workflows used by security professionals and incident responders.

Q: Can I modify skill prompts? A: Yes! Customize to fit your workflow and preferences.

Q: What if I encounter a file type not covered? A: Use the general principles from malware-triage and dynamic-analysis, then search for format-specific tools.

---

🏆 Analysis Quality Checklist

Before finalizing your analysis, verify:

Analysis Phase:

• All samples triaged (hashes, classification, priority)
• High-priority samples deeply analyzed (static + dynamic)
• Specialized files analyzed with appropriate tools
• All artifacts collected (PCAPs, screenshots, logs)
• Behavioral IOCs extracted

Detection Phase:

• All IOCs defanged properly
• IOC confidence levels assigned
• YARA rules created AND TESTED
• Sigma rules created and validated
• Suricata rules tested (if applicable)
• Hunting queries documented

Report Phase:

• Report uses professional template
• Executive summary written (non-technical)
• All technical sections complete
• All three hashes included for each sample
• Detection rules tested and working
• Grammar/spelling checked
• Quality checklist completed
• Ready for delivery!

---

🎯 Quick Reference: Skill Selection

Your Question	Use This Skill
"What is this file?"	malware-triage
"How do I execute this safely?"	malware-dynamic-analysis
"How do I analyze this Word doc?"	specialized-file-analyzer
"How do I analyze this .NET exe?"	specialized-file-analyzer
"How do I analyze this PowerShell script?"	specialized-file-analyzer
"How do I create a Sigma rule?"	detection-engineer
"How do I defang IOCs?"	detection-engineer
"How do I write the report?"	malware-report-writer
"How do I create a YARA rule?"	malware-report-writer

---

🎉 You're Ready!

This complete toolkit provides everything needed for professional malware analysis:

• ✅ 5 specialized skills covering full analysis lifecycle
• ✅ Expert-level workflows for each analysis phase
• ✅ Clear skill selection guidance (use the right tool for the job)
• ✅ Integration strategies between skills
• ✅ Industry best practices and time management
• ✅ Quality assurance checklists for professional deliverables

Upload the skills and start analyzing!

---

Built for security professionals, incident responders, and malware analysts. 🔐🎯