# Malware Analysis Orchestrator
Single entry point for malware analysis engagements. Routes to specialized sub-skills, carries findings between phases, and manages multi-sample workflows.
## How This Works
You describe what you need — "analyze this sample", "I have 5 files to triage", "create detection rules from my findings" — and this orchestrator:
- Determines which sub-skill to use based on your file type and intent
- Guides you through the analysis using that sub-skill
- Records findings in a state file (`analysis_state.md`)
- Recommends the next phase when the current one completes
- Waits for your confirmation before proceeding
You never need to invoke sub-skills directly.
## Routing Logic
| Signal | Routes To |
|---|---|
| Unknown file / "what is this?" / initial assessment | malware-triage |
| PE executable after triage, needing behavior monitoring | malware-dynamic-analysis |
| .NET / Office / PDF / script / archive / LNK / ELF / HTA / ISO / IMG / VHD / VHDX | specialized-file-analyzer |
| "Create detection rules" / post-analysis phase | detection-engineer |
| "Write the report" / final documentation phase | malware-report-writer |
| YARA rules specifically | malware-report-writer (not detection-engineer) |
Triage is always the entry point for new samples. The table above describes which analysis skill follows triage.
### File Type Priority Order
When routing by file type, use the `file` command output. Check in this order — first match wins:
- "Mono/.Net assembly" → read and follow `specialized-file-analyzer/SKILL.md`
- "Microsoft Office Document" → read and follow `specialized-file-analyzer/SKILL.md`
- "PDF document" → read and follow `specialized-file-analyzer/SKILL.md`
- "ELF" → read and follow `specialized-file-analyzer/SKILL.md`
- "PE32" / "PE64" (only if .NET was NOT matched) → read and follow `malware-triage/SKILL.md`, then `malware-dynamic-analysis/SKILL.md`
- "MS Windows shortcut" (LNK) → read and follow `specialized-file-analyzer/SKILL.md`
- ASCII text / script content → read and follow `specialized-file-analyzer/SKILL.md`
- Archive formats (Zip, RAR, 7z) → read and follow `specialized-file-analyzer/SKILL.md`
- HTML Application (.hta) → read and follow `specialized-file-analyzer/SKILL.md`
- ISO/IMG disk images → read and follow `specialized-file-analyzer/SKILL.md` (mount/extract, then analyze contents)
- VHD/VHDX virtual hard disks → read and follow `specialized-file-analyzer/SKILL.md` (mount/extract, then analyze contents)
- "data" / zero-byte / unrecognized → read and follow `malware-triage/SKILL.md` for manual assessment
.NET is the key ambiguity: `file` outputs both "PE32" and "Mono/.Net assembly" for .NET assemblies. Always check for .NET before checking for PE.
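The priority order above as an executable routing table (an added example, not part of this skill; the `file` description strings it matches are assumed from typical `file` output, and the sample batch is constructed):

```python
import re

# Ordered routing table transcribed from the "File Type Priority Order" list.
# Each entry pairs a regex applied to the `file` description with the
# SKILL.md files to read, in order. First match wins, so the .NET rule sits
# before the generic PE rule (`file` prints both "PE32" and "Mono/.Net
# assembly" for managed assemblies).
SPECIALIZED = ["specialized-file-analyzer/SKILL.md"]
ROUTING_RULES = [
    (r"Mono/\.Net assembly", SPECIALIZED),
    (r"Microsoft Office Document", SPECIALIZED),
    (r"PDF document", SPECIALIZED),
    (r"\bELF\b", SPECIALIZED),
    (r"\bPE(32|64)\b", ["malware-triage/SKILL.md",
                        "malware-dynamic-analysis/SKILL.md"]),
    (r"MS Windows shortcut", SPECIALIZED),
    (r"ASCII text|\bscript\b", SPECIALIZED),
    (r"Zip archive|RAR archive|7-zip archive", SPECIALIZED),
    (r"HTML document", SPECIALIZED),                  # .hta (assumed `file` wording)
    (r"ISO 9660|DOS/MBR boot sector", SPECIALIZED),   # ISO / IMG
    (r"Microsoft Disk Image", SPECIALIZED),           # VHD / VHDX
]
FALLBACK = ["malware-triage/SKILL.md"]  # "data", zero-byte, unrecognized

def route(description: str) -> list[str]:
    """Return the SKILL.md files to read for one `file` description
    (the text after the "filename: " prefix)."""
    for pattern, skills in ROUTING_RULES:
        if re.search(pattern, description):
            return skills
    return FALLBACK

def route_batch(file_lines: list[str]) -> dict[str, list[str]]:
    """Route every line of `file` output ("name: description") for a batch."""
    routed = {}
    for line in file_lines:
        name, _, description = line.partition(": ")
        routed[name] = route(description.strip() or "data")
    return routed

# Constructed `file` output for a three-sample batch (not real samples).
SAMPLE_FILE_OUTPUT = [
    "loader.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
    "dropper.exe: PE32+ executable (console) x86-64, for MS Windows",
    "blob.bin: data",
]

if __name__ == "__main__":
    for name, skills in route_batch(SAMPLE_FILE_OUTPUT).items():
        print(f"{name}: {' -> '.join(skills)}")
```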
## Phase Sequence
Each sample follows this sequence:
Triage → [Dynamic Analysis OR Specialized File Analysis] → Detection Engineering → Report Writing
- Triage is always first — read and follow `malware-triage/SKILL.md`
- Dynamic analysis for PE executables — read and follow `malware-dynamic-analysis/SKILL.md`
- Specialized file analysis for non-PE files (.NET, Office, PDF, scripts, archives, LNK, ELF) — read and follow `specialized-file-analyzer/SKILL.md`
- Detection engineering consolidates IOCs into Sigma/Suricata rules — read and follow `detection-engineer/SKILL.md`
- Report writing is always last — read and follow `malware-report-writer/SKILL.md`
## Phase Transitions (Suggest-Next Mode)
After each phase completes:
- Summarize what was found in the current phase
- Update `analysis_state.md` with findings and IOCs
- Recommend the next skill with reasoning based on findings
- Wait for user confirmation before proceeding
Never auto-chain phases. Every transition requires user confirmation.
## VM Isolation Boundary
Before dynamic analysis, explicitly remind the user:
"The next phase requires executing the sample in your isolated VM (REMnux/FlareVM). Please:
- Execute the sample with monitoring tools running (Procmon, Wireshark, System Informer (formerly Process Hacker), Sysmon)
- Observe for at least 15 minutes
- Export evidence in text-parseable formats (CSV, JSON, TXT — not PML, PCAP, EVTX)
- Return here with the exported evidence files
I'll analyze the evidence when you're back."
## State File: `analysis_state.md`
Created in the user's working directory (not this skill repo) when the first sample is provided. Updated after each phase.
### Structure
```markdown
# Malware Analysis — [Engagement Name/Date]
**Analyst:** [name]
**Started:** [date]
**Status:** [In Progress / Complete]
---
## Samples
### Sample 1: [filename]
- **File Type:** [type]
- **MD5:** [hash]
- **SHA1:** [hash]
- **SHA256:** [hash]
- **Size:** [bytes]
- **Priority:** [Immediate / Standard / Low]
- **Classification:** [Trojan / Ransomware / etc. or Pending]
- **Threat Level:** [Critical / High / Medium / Low or Pending]
- **Current Phase:** [Triage / Dynamic Analysis / Specialized Analysis / Detection / Reporting / Complete / Benign]
#### Triage Findings
- [findings appended after triage phase]
#### Analysis Findings
- [findings appended after dynamic/specialized analysis]
#### IOCs Identified
- [accumulated IOCs, defanged]
#### Detection Rules Created
- [list of rules created and their locations]
---
## Next Steps
- [orchestrator's recommendation for what to do next and why]
```
### State File Rules
- Create when the user begins an engagement (first sample provided)
- Append findings after each phase — never overwrite previous findings
- Replace the "Next Steps" section at each transition (not append)
- Resume from state file if the user returns in a new conversation — read `analysis_state.md` to restore context
- All IOCs must be defanged at the point they are recorded to the state file, regardless of which phase produces them
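The two update rules that are easy to get wrong (append-only findings, replace-only "Next Steps") as an added example that is not part of this skill; `TEMPLATE` is a constructed cut-down instance of the structure above and the function names are assumptions:

```python
import re

# Constructed, cut-down instance of the state-file structure from this page.
TEMPLATE = """# Malware Analysis — Demo
## Samples
### Sample 1: loader.exe
#### Triage Findings
- [findings appended after triage phase]
#### Analysis Findings
- [findings appended after dynamic/specialized analysis]
---
## Next Steps
- [orchestrator's recommendation for what to do next and why]
"""

# Only the template's own placeholder bullets are ever dropped; a real finding
# such as "- [T1055] ..." is never matched by this pattern.
_PLACEHOLDER = re.compile(r"- \[(findings|accumulated|list of|orchestrator's) .*\]$")

def append_findings(state: str, sample: int, section: str, findings: list[str]) -> str:
    """Append bullets under '#### <section>' of '### Sample <n>:'.

    Existing bullets are kept (append-only rule); the template placeholder is
    dropped the first time real findings arrive. Raises if the sample or
    section heading is not present in the state file.
    """
    lines = state.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith(f"### Sample {sample}:"))
    sec = start + 1
    while sec < len(lines) and lines[sec] != f"#### {section}":
        if lines[sec].startswith("### "):          # reached the next sample
            break
        sec += 1
    if sec >= len(lines) or lines[sec] != f"#### {section}":
        raise KeyError(f"Sample {sample} has no section {section!r}")
    end = sec + 1                                   # skip past existing bullets
    while end < len(lines) and lines[end].startswith("- "):
        end += 1
    kept = [l for l in lines[sec + 1:end] if not _PLACEHOLDER.match(l)]
    new = kept + [f"- {f}" for f in findings]
    return "\n".join(lines[:sec + 1] + new + lines[end:]) + "\n"

def replace_next_steps(state: str, recommendation: str) -> str:
    """Replace (never append to) the '## Next Steps' section."""
    head, marker, _ = state.partition("## Next Steps")
    if not marker:                                  # section missing: add it at the end
        head = state.rstrip("\n") + "\n\n---\n"
    return f"{head}## Next Steps\n- {recommendation}\n"

if __name__ == "__main__":
    s = append_findings(TEMPLATE, 1, "Triage Findings", ["PE32, not .NET; hash unknown to reputation sources"])
    print(replace_next_steps(s, "Proceed to malware-dynamic-analysis (PE executable needs behavior monitoring)"))
```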
## Multi-Sample Batch Workflow
- Intake: Prompt for all known samples upfront — "How many samples do you have? Let's list them all before we begin."
- Batch triage: Quick triage pass on all samples (5-10 min each — hashes, file type, reputation check, classification per the triage skill's "Quick Triage" tier)
- Priority ranking: Rank samples as Immediate / Standard / Low based on triage findings
- Sequential deep analysis: Guide the user through deep analysis of high-priority samples one at a time, following the full phase sequence per sample
- State tracking: Update state file per-sample so the user can see which samples are triaged, analyzed, and reported
## Conventions Enforced
- All IOCs in state files and reports must be defanged (`hxxp://`, `[.]com`, `[@]`)
- Reports always include all three hash types: MD5, SHA1, SHA256
- Evidence must be in text-parseable formats (CSV, JSON, TXT)
- Detection rules (YARA, Sigma, Suricata) must be tested before inclusion
- MITRE ATT&CK technique IDs must be tagged in Sigma rules
- Sigma rules require unique UUIDs
- Custom Suricata rules use SIDs starting at 1000000+
## IOC Defanging Ownership
Each phase defangs IOCs before appending them to the state file. The detection-engineer sub-skill handles bulk defanging, format conversion (STIX, CSV, OpenIOC), and confidence assessment during its dedicated phase.
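The per-phase defanging convention (`hxxp://`, `[.]`, `[@]`) plus a check that nothing live slipped into a findings line before it is recorded, as an added example that is not part of this skill; the function names and the constructed finding are assumptions:

```python
import re

def _bracket(text: str, ch: str) -> str:
    """Wrap every bare occurrence of ch in [ ]; already-wrapped ones are left alone."""
    return re.sub(rf"(?<!\[){re.escape(ch)}(?!\])", f"[{ch}]", text)

def defang(ioc: str) -> str:
    """Defang one indicator per the state-file convention (hxxp://, [.], [@]).

    Only the host part of a URL is bracketed; path dots (gate.php) stay
    readable. Already-defanged input is returned unchanged, so re-recording
    an IOC in a later phase is safe.
    """
    s = ioc.strip()
    m = re.match(r"^(h(?:tt|xx)ps?)://", s, re.IGNORECASE)
    if m:
        scheme = m.group(1).lower().replace("tt", "xx")   # http -> hxxp, https -> hxxps
        host, sep, path = s[m.end():].partition("/")
        return f"{scheme}://{_bracket(host, '.')}{sep}{path}"
    return _bracket(_bracket(s, "@"), ".")

# Anything these match is still live and must not reach analysis_state.md.
_LIVE = re.compile(
    r"https?://\S+"                      # live URL scheme
    r"|\b(?:\d{1,3}\.){3}\d{1,3}\b"      # dotted IPv4
    r"|\b[\w.+-]+@[\w-]+\.[\w.-]+"       # e-mail address
)

def find_live_iocs(text: str) -> list[str]:
    """Return live (un-defanged) URLs, IPv4 addresses and e-mails found in text."""
    return [m.group(0) for m in _LIVE.finditer(text)]

def defang_line(text: str) -> str:
    """Defang every live indicator found in a findings line."""
    return _LIVE.sub(lambda m: defang(m.group(0)), text)

# Constructed findings line as a phase might hand it over before recording.
RAW_FINDING = "C2 beacon to http://evil.example/gate.php from 203.0.113.9; lure sent by hr@evil.example"

if __name__ == "__main__":
    print(find_live_iocs(RAW_FINDING))
    print(defang_line(RAW_FINDING))
```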
## Edge Cases
- User wants to skip a phase: Allow it, note the skip in the state file, and proceed to the requested phase
- User provides evidence without explicit routing: Infer the phase from evidence type (Procmon CSV → dynamic analysis, Sysmon JSON → dynamic analysis, olevba output → specialized file analysis, etc.)
- Session restart: Read `analysis_state.md` to restore context and resume from the last recorded phase
- Single sample, known type: Skip batch triage and go directly to the appropriate skill
- User explicitly requests a specific sub-skill: Defer to the user's choice
- **Benign