
Detection Engineering Toolkit — Generate YARA, Sigma, MITRE ATT&CK mappings, IOC reports, and HTML reports from suspicious binaries.

Project description

Malforge

Detection Engineering Toolkit
Generate YARA · Sigma · MITRE ATT&CK · IOC Reports · HTML Reports
from a suspicious binary. One command.


What It Does

Malforge takes a suspicious binary and produces five actionable outputs:

sample.exe → malforge analyze → YARA Rule
                                 Sigma Rule
                                 MITRE ATT&CK Mapping
                                 IOC Report (JSON)
                                 HTML Threat Report

It runs a 10-stage analysis pipeline entirely offline — no cloud, no sandbox, no Docker required:

  1. File hashing — MD5, SHA1, SHA256, entropy
  2. PE parsing — Headers, sections, imports, exports, timestamps
  3. String extraction — ASCII/Unicode strings, categorized (URLs, IPs, registry, paths)
  4. Heuristic analysis — Process injection, keylogging, crypto, anti-debug, packing detection
  5. IOC extraction — Network indicators, file hashes, registry keys with confidence scoring
  6. MITRE ATT&CK mapping — ~13 techniques mapped from heuristics and IOCs
  7. YARA rule generation — From suspicious APIs + network IOCs, auto-validated
  8. Sigma rule generation — From file paths, registry, DNS, and network IOCs
  9. HTML report — Standalone, dark-themed, professional threat report
  10. Plugin hooks — Extend with your own analysis steps
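The first, third and fourth stages are easy to reproduce with the standard library alone. The block below is an added example written for this page, not code from the malforge project: it hashes a constructed buffer, computes its Shannon entropy, pulls out printable ASCII strings, sorts them into the URL/IP/registry/path buckets the pipeline describes, and flags the classic injection API triad. The sample bytes, the category names and the `analyze` result layout are this example's own choices, not malforge's schema.

```python
# Added example (not part of malforge): stdlib-only sketch of pipeline
# stages 1 (hashing + entropy), 3 (string extraction/categorisation)
# and a single heuristic from stage 4.
import hashlib
import math
import re
from collections import Counter

# Constructed sample: an MZ header, padding, and planted strings of the
# kinds the README says malforge categorises. Not a real binary.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"http://example.invalid/payload.exe\x00"
    + b"198.51.100.23\x00"
    + b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"C:\\Users\\Public\\update.exe\x00"
)

# All three together are the usual signature of remote process injection.
INJECTION_TRIAD = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r"^HK(?:LM|CU|CR|U|CC)\\", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def hash_file_bytes(data: bytes) -> dict:
    """Stage 1: the three digests the README lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes.
    Packed or encrypted sections usually sit above roughly 7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Stage 3: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def categorize(strings: list[str]) -> dict:
    """Bucket strings into the categories the README names."""
    cats = {"urls": [], "ips": [], "registry": [], "paths": [], "other": []}
    for s in strings:
        if URL_RE.search(s):
            cats["urls"].append(s)
        elif IPV4_RE.search(s):
            cats["ips"].append(s)
        elif REG_RE.match(s):
            cats["registry"].append(s)
        elif PATH_RE.match(s):
            cats["paths"].append(s)
        else:
            cats["other"].append(s)
    return cats


def injection_heuristic(strings: list[str]) -> dict:
    """Stage 4 (one heuristic): fire only when the whole triad is present,
    and keep the evidence so the report can show why."""
    found = INJECTION_TRIAD & set(strings)
    return {"process_injection": found == INJECTION_TRIAD, "evidence": sorted(found)}


def analyze(data: bytes) -> dict:
    strings = extract_ascii_strings(data)
    return {
        "is_pe": data[:2] == b"MZ",
        "hashes": hash_file_bytes(data),
        "entropy": round(shannon_entropy(data), 3),
        "strings": categorize(strings),
        "heuristics": injection_heuristic(strings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE), indent=2))
```

The entropy figure is the check worth keeping an eye on: a high value over the whole file usually means the strings stage will find little, because the interesting strings are still packed, and any YARA rule built from the surviving strings will match the packer rather than the family.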

Install

pip install malforge

Requires Python 3.11+ and yara-python (compiled automatically by pip on most systems).

Quick Start

# Analyze a suspicious binary
malforge analyze sample.exe

# Custom output directory
malforge analyze sample.exe -o ./results

# JSON report only (skip HTML)
malforge analyze sample.exe --format json

# Skip Sigma rule generation
malforge analyze sample.exe --no-sigma

# Show version
malforge --version

Output

malforge_output/
├── report.html          # Standalone HTML threat report
├── report.json          # Full analysis data
├── iocs.json            # Extracted IOCs with confidence scores
├── mitre_mapping.json   # ATT&CK technique mappings
└── rules/
    ├── yara_rule.yar    # Auto-generated YARA rule
    └── sigma_rule.yml   # Auto-generated Sigma rule

Sample YARA Rule Output

rule Malforge_a1b2c3d4 {
    meta:
        author = "Malforge"
        description = "Auto-generated detection rule from static analysis."
        date = "2026-06-30"
        hash = "a1b2c3d4..."
        tlp = "WHITE"

    strings:
        $s0 = "VirtualAllocEx" ascii wide nocase
        $s1 = "WriteProcessMemory" ascii wide nocase
        $s2 = "CreateRemoteThread" ascii wide nocase
        $ioc_url0 = "http://evil.com/payload.exe" ascii wide
        $ioc_ip1 = "203.0.113.50" ascii wide

    condition:
        uint16(0) == 0x5a4d
        and all of ($s*)
        and any of ($ioc_*)
}

Sample Sigma Rule Output

title: Suspicious Activity — Malforge a1b2c3d4
id: 8f14e45f-ceea-367f-a27f-c790a516b3b9
status: experimental
description: Auto-generated Sigma rule for sample a1b2c3d4...
author: Malforge
date: 2026/06/30
logsource:
    category: process_creation
    product: windows
detection:
    selection_files:
        Image|endswith:
            - '\cmd.exe'
    selection_registry:
        TargetObject|contains:
            - 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
    selection_dns:
        QueryName|endswith:
            - 'malicious-domain.com'
    condition: selection_files or selection_registry or selection_dns
falsepositives:
    - Unknown
level: medium

How It Works

 ┌─────────────────────────────────────────────────────┐
 │                malforge analyze                     │
 │                                                     │
 │  sample.exe ──▶ Read bytes + compute hashes         │
 │       │                                             │
 │       ├──▶ PE Analyzer (pefile)                     │
 │       │     └── headers, sections, imports, exports │
 │       │                                             │
 │       ├──▶ String Extractor                          │
 │       │     └── URLs, IPs, registry, suspicious      │
 │       │                                              │
 │       ├──▶ Heuristic Engine                          │
 │       │     └── injection, keylog, crypto, packing   │
 │       │                                              │
 │       ├──▶ IOC Extractor                             │
 │       │     └── typed IOCs with confidence scores    │
 │       │                                              │
 │       ├──▶ MITRE ATT&CK Mapper                      │
 │       │     └── technique IDs + tactics + evidence   │
 │       │                                              │
 │       ├──▶ YARA Generator ──▶ Validator              │
 │       │                                              │
 │       ├──▶ Sigma Generator                           │
 │       │                                              │
 │       └──▶ Report Generator                          │
 │             ├── report.json                          │
 │             ├── report.html                          │
 │             ├── iocs.json                            │
 │             ├── mitre_mapping.json                   │
 │             └── rules/ (yara + sigma)                │
 └─────────────────────────────────────────────────────┘

Plugin System

Extend Malforge with custom analysis steps:

# my_plugin.py
from malforge.plugins.base import MalforgePlugin

class VirusTotalPlugin(MalforgePlugin):
    name = "virustotal"
    version = "1.0.0"

    def on_analysis_complete(self, result: dict) -> dict:
        # Add VirusTotal lookup results
        result["virustotal"] = {"detected": True, "positives": 42}
        return result

Register in your plugin's pyproject.toml:

[project.entry-points."malforge.plugins"]
virustotal = "my_plugin:VirusTotalPlugin"

Then install the plugin package; Malforge discovers it through the entry point:

pip install my-malforge-plugin
malforge plugins list       # Shows: virustotal v1.0.0
malforge analyze sample.exe # Plugin runs automatically
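The README's plugin stub hard-codes a lookup result. The block below is an added example, not code from the malforge project: a plugin that keeps the tool's offline promise by checking the sample's hashes against a local deny-list and attaching the outcome to the result. It assumes only what the page states about the hook (`on_analysis_complete(self, result: dict) -> dict`); the `result["hashes"]` layout and the `local_intel` key are this example's own assumptions, and the `ImportError` fallback exists so the file runs where malforge is not installed.

```python
# Added example (not from the malforge project): an offline enrichment plugin.
# Assumed: result["hashes"] holds lowercase hex digests keyed by algorithm.
try:
    from malforge.plugins.base import MalforgePlugin
except ImportError:  # fallback so the example runs without malforge installed
    class MalforgePlugin:
        name = "base"
        version = "0.0.0"

# Constructed deny-list; in practice load this from a file you control.
# Values are analyst labels, keys are lowercase hex digests.
LOCAL_DENYLIST = {
    "sha256": {"0" * 64: "constructed/test-family"},
    "md5": {},
}


class LocalIntelPlugin(MalforgePlugin):
    name = "local-intel"
    version = "1.0.0"
    denylist = LOCAL_DENYLIST  # class attribute: the loader instantiates with no args

    def on_analysis_complete(self, result: dict) -> dict:
        hashes = result.get("hashes") or {}
        hits = []
        for algo, table in self.denylist.items():
            # Tolerate a missing algorithm and mixed-case digests.
            value = (hashes.get(algo) or "").lower()
            if value in table:
                hits.append({"algorithm": algo, "label": table[value]})
        # Always set the key so report consumers can rely on its presence.
        result["local_intel"] = {"known_bad": bool(hits), "hits": hits}
        return result


if __name__ == "__main__":
    demo = {"hashes": {"sha256": "0" * 64, "md5": "d41d8cd98f00b204e9800998ecf8427e"}}
    print(LocalIntelPlugin().on_analysis_complete(demo)["local_intel"])
```

Registering it follows the same pyproject.toml pattern as above, with `local-intel = "my_plugin:LocalIntelPlugin"` under the `malforge.plugins` entry-point group.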

Project Structure

malforge/
├── src/malforge/
│   ├── cli.py              # Click CLI entry point
│   ├── analyzer.py         # 10-stage pipeline orchestrator
│   ├── analysis/           # PE parsing, string extraction, heuristics
│   ├── detection/          # YARA + Sigma generation, YARA validation
│   ├── ioc/                # IOC extraction with confidence scoring
│   ├── mitre/              # ATT&CK technique mapping
│   ├── report/             # JSON + HTML report generation
│   └── plugins/            # Plugin base class + entry point loader
├── tests/                  # pytest test suite
├── pyproject.toml          # Package config (pip install malforge)
├── CONTRIBUTING.md         # Plugin dev guide + contribution workflow
└── LICENSE                 # MIT

Development

git clone https://github.com/prxcode/malforge.git
cd malforge
python -m venv .venv && .venv\Scripts\activate
pip install -e ".[dev]"
pytest tests/ -v

What This Is NOT

Malforge is a static analysis + detection engineering tool. It does not:

  • Execute malware (no sandbox/dynamic analysis)
  • Perform full reverse engineering
  • Replace commercial EDR or threat intelligence platforms
  • Claim memory forensics capabilities

It does one workflow well: binary → detection artifacts. If you need dynamic analysis, pair it with CAPEv2 or ANY.RUN.

Contributing

See CONTRIBUTING.md for development setup, plugin development, and PR guidelines.

License

MIT — see LICENSE.

Author

Priyanshu@prxcode

Download files

Source Distribution

malforge-1.0.0.tar.gz (30.8 kB)

Built Distribution

malforge-1.0.0-py3-none-any.whl (30.1 kB)

File details

Details for the file malforge-1.0.0.tar.gz.

File metadata

  • Download URL: malforge-1.0.0.tar.gz
  • Size: 30.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for malforge-1.0.0.tar.gz
Algorithm Hash digest
SHA256 178bcf8a822f4ade55b0cfec20a4da1993b59d0a6634ca4be6406e9e2f562544
MD5 1b4a92dec8c4627357ef4f63fba893c1
BLAKE2b-256 9ea2e28eb132661db387719baaf5bffe981b8aa6ac0c3b931d3b9d11f4a98f72


Provenance

The following attestation bundles were made for malforge-1.0.0.tar.gz:

Publisher: publish.yml on prxcode/malforge

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file malforge-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: malforge-1.0.0-py3-none-any.whl
  • Size: 30.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for malforge-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b18c7050c70476f1429994e8523604491d3d28bc601f82b5309498a473d9ed4f
MD5 4c68381cee9f3aeaba648c36dcd7b633
BLAKE2b-256 57f2a5fa8165e0b77d675db869dd4784a6563e83db23dbd043c18aedf5481644


Provenance

The following attestation bundles were made for malforge-1.0.0-py3-none-any.whl:

Publisher: publish.yml on prxcode/malforge

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
