All-in-One malware analysis tool for analyze many file types, from Windows binaries to E-Mail files.
You can get:
- What DLL files are used.
- Functions and APIs.
- Sections and segments.
- URLs, IP addresses and emails.
- Android permissions (Dangerous/Special/Info).
- MITRE ATT&CK mappings (Windows + Linux static analysis).
- File extensions and their names.
- Embedded executables/exploits.
And so on...
Qu1cksc0pe aims to get even more information about suspicious files and helps user realize what that file is capable of.
| Files | Analysis Type |
|---|---|
| Windows Executables (.exe, .dll, .msi, .bin) | Static, Dynamic |
| Linux Executables (.elf, .bin) | Static, Dynamic |
| MacOS Executables (mach-o) | Static |
| Android Files (.apk, .jar, .dex) | Static, Dynamic(for now .apk only) |
| Golang Binaries (Linux) | Static |
| Document Files | Static |
| VBScript/VBA Family (.vbs, .vbe, .vba, .vb, .bas, .cls, .frm) | Static (--docs) |
| HTML Documents (.html, .htm) | Static (--analyze) |
| JavaScript (.js) | Static (--analyze) |
| HTA / HTML Application (.hta) | Static (--analyze) |
| Windows Batch Scripts (.bat, .cmd) | Static (--analyze) |
| Windows Shortcut (.lnk) | Static (--analyze) |
| Archive Files (.zip, .rar, .ace) | Static |
| PCAP Files (.pcap) | Static |
| Powershell Scripts | Static |
| E-Mail Files (.eml) | Static |
python qu1cksc0pe.py --file suspicious_file --analyze# Launch Web UI
python3 qu1cksc0pe.py --ui
28/02/2026
- PCAP analyzer now supports
--reportand--aiflags. All analysis results (URLs, IPs, DNS queries, DGA suspects, HTTP requests, TLS SNI hostnames, JA3 digests/matches, interesting strings, connection analysis, external IPs, carved executables) are collected intosc0pe_pcap_report.jsonand fed to the AI analyzer automatically. - PCAP analyzer: four new detection methods added —
detect_dga_domains()(Shannon entropy + label length + digit-ratio heuristics),analyze_connections()(suspicious/C2 port detection + external IP inventory),analyze_http_requests()(dpkt HTTP parsing, suspicious User-Agent flagging),extract_tls_sni()(manual TLS ClientHello byte-level SNI extraction). - PCAP analyzer: embedded executable detection is now fully automated in
--report/--aimode —sigChecker.pyis invoked with anauto_extractflag that skips the interactive confirmation prompt and carves files directly. - PCAP analyzer: carved executables are now triaged automatically. For each carved PE, the report includes file type, MIME type (via
puremagic), architecture, subsystem, compile timestamp, import hash, per-section entropy with packing flag, suspicious Win32 API imports, and embedded IoC strings (URLs, IPs, e-mail addresses extracted from raw bytes). - PCAP report is cleaned before saving: empty lists/dicts are stripped,
extracted_ipsremoved (superseded byexternal_ips), andhttp_requestsfiltered to non-whitelisted hosts only to reduce noise. - Android malware family detection improvements:
andro_familydetect.pygained aSourceScan()method that scans decompiled source files underTargetAPK/sources/againstSourcePatternsdefined infamily.json. Three new families added toSystems/Android/family.json: Cerberus, Anubis, EventBot (patterns derived from published YARA rules). - Web UI: PCAP analysis results are now rendered with dedicated panel handlers —
http_requestsandsuspicious_connectionsrender as proper tables;carved_executablestriage data renders across structured panels (basic info KV, PE sections table, suspicious imports list, embedded IoC lists) instead of raw stringified dicts. - Web UI: "PCAP / Network Traffic" preset removed; PCAP files are handled transparently by the existing "Standart Analysis" preset via
magic.from_file()auto-detection.
25/02/2026
- NEW: Added Windows Shortcut (
.lnk) file analysis support via--analyze(Modules/lnk_analyzer.py). Parses the MS-SHLLINK binary format without external dependencies: extracts target path, command line arguments, working directory, icon location, timestamps (FILETIME), ShowCommand, hotkey, and network share. Detects suspicious indicators (hidden/minimized window, excessively long arguments, Base64 payloads, UNC paths, temp/AppData targets, icon spoofing) and LOLBAS binaries. Category pattern scanning (Execution / Persistence / Defense Evasion / Download/Network / Obfuscation) operates per-field and reports the full field value for each match — no context-window truncation. YARA rule matching included. - AI analyzer bug fix: configured model (e.g.
kimi-k2.5:cloudinmultiple.conf) is now always tried first; discovered local models are used as fallbacks only. Previously,SC0PE_AI_SKIP_CLOUD_WHEN_LOCALwas demoting the configured model behind local ones, causing the entire time budget to be consumed before the intended model was reached. - AI analyzer bug fix: per-call HTTP generation timeout is no longer capped by
SC0PE_AI_HTTP_PROBE_TIMEOUT(which is intended for lightweight model-list probing only). Generation calls now correctly useSC0PE_AI_OLLAMA_HTTP_TIMEOUTas the upper bound. - MSI analysis bug fix: statistics table is now always printed after Microsoft Software Installer analysis. Previously, when the MSI could not be parsed as a native PE (fallback string-scan path),
statistics_method()was skipped entirely. PE-specific fields (Time Date Stamp, IMPHASH) are omitted gracefully when the file is not a standalone PE. - NEW: Added HTML (
.html,.htm), JavaScript (.js), and HTA/HTML Application (.hta) file analysis support via--analyze. Analysis is handled by the newModules/html_script_analyzer.pymodule (extracted fromdocument_analyzer.py). HTML/JS analysis covers malicious code patterns, obfuscation, network, execution, shell/Node.js, filesystem, and persistence indicators with Base64 decode hints and YARA scanning. HTA analysis performs full HTML-layer checks (malicious code patterns, URLs, iframe, PowerShell) plus inline script block pattern scanning with automatic VBScript/JScript language detection. These file types are not supported by--docs.
21/02/2026
- Linux static analyzer now performs automatic MITRE ATT&CK mapping and stores results in report fields:
mitre_attack,mitre_technique_count,mitre_api_match_count. - MITRE output is now shown in Web UI as detailed tactic/technique tables.
- Android permission triage was upgraded to 3 states:
Dangerous,Special,Info; JSON report now includespermission_summary. - Web UI report page now renders Android permissions in a dedicated section with state badges.
-
Systems/Android/perms.jsonwas expanded/normalized with modern Android permissions (Android 12+/13+ additions included). - PowerShell analyzer now writes decoded Base64 outputs into a single aggregate file:
qu1cksc0pe_decoded_b64_values.txt. - AI IoC sanitizer now filters whitelisted/legit domains using
Systems/Multiple/whitelist_domains.txt(enabled by default). - Archive analyzer now supports JSON report export (
--archive --report) and AI report analysis (--archive --ai).
20/02/2026
- Windows setup script (
setup.ps1) was hardened: automaticwingetfallback installation, Python/7-Zip bootstrap, SysinternalsstringsEULA auto-accept, and resilient Ollama install flow. - Ollama cloud-model handling in setup was improved: clear
ollama signinguidance is shown once, and setup continues gracefully if cloud model pull fails. - Config parsing was hardened for Windows/analysis modules with
utf-8-sigsupport to avoid BOM-relatedconfigparsererrors. - Windows static analyzer report flow was fixed to avoid early exit on low-import samples, so
--report/--aican still produce JSON output. - Web UI worker subprocess decoding was made robust on Windows (
utf-8with replacement) to preventUnicodeDecodeErrorcrashes. - Added/updated Windows Batch Script (
.bat,.cmd) analysis support in--analyzeflow with JSON report output.
15/02/2026
- Linux setup script (
setup.sh) was improved with automatic Ollama installation and model pull support fromSystems/Multiple/multiple.conf.
14/02/2026
- Windows setup script (
setup.ps1) was improved with persistent user PATH updates, automaticwinget/Ollama setup, and gracefulkimi-k2.5:cloudauth-error handling.
13/02/2026
- NEW FEATURE: Added Web UI.
12/02/2026
- Linux dynamic analyzer: added a dedicated Linux menu with separate actions for Binary Emulation and PID Monitoring.
- PID monitoring improvements: target can now be selected by PID or process name, with better Frida attach retries and child-process attach handling.
- Linux emulation fallback chain improved: Docker SDK -> Docker CLI -> host
qemufallback (when available). - Linux dynamic prompts now support TAB autocomplete (menu selection, binary path, PID/process name).
- Linux PID monitoring exits gracefully on
Ctrl+Cwithout traceback.
11/02/2026
- Document analyzer: added VBScript/VBA family static analysis for
.vbs,.vbe,.vba,.vb,.bas,.cls,.frm(pattern summary,CreateObjectvalues, shell command hits, decoded payload hints). - AI analyzer model selection is now explicit: only the model in
Systems/Multiple/multiple.conf([Ollama] model) is used. - AI analyzer performance/stability:
temp.txtis parsed/sampled before prompt building; large reports are compacted with size guards; incomplete/truncated LLM output is retried. - AI output cleanup: hidden/internal thinking blocks are stripped; partial
<<SC0PE_IOCS_JSON_*>>blocks are removed from UI/report when response is cut. - LLM IoC quality improvements: local analysis paths are filtered from
file_paths; stricter domain/IP validation added; file-like pseudo-domains (e.g.sheet1.xml) are dropped. - Email analyzer hardening: Python 3.14 event loop compatibility for DNSBL checks, noisy DNSBL false-positive filtering, and reliable extracted-attachment cleanup.
10/02/2026
- Removed FLOSS/Vivisect from the project (no string decode/emulation stage in Windows analysis).
- Linux static analyzer: Golang special analysis findings are now saved into the Linux JSON report under
golang. - AI analyzer (
--ai): full report JSON is included in the LLM prompt (report_full); model thinking blocks are stripped from console output and the saved AI report; extracted IoCs are displayed in a separate table.
09/02/2026
- Windows static analyzer improvements: faster import/export extraction (
pefilefast load + parsing only required directories). - .NET analysis no longer requires
pythonnet/Mono (pure-Python metadata parsing viadnfile). - Windows static analyzer cleanup: removed FLOSS integration (string decode/emulation) due to stability/performance issues.
- Setup/Docker cleanup: removed
mono-complete/pythonnetdependency. - Archive analyzer: removed
acefiledependency. ACE archives are extracted via7z/7zzwhen available. - Android analyzer: APK resource/content scan is now part of
--analyzeand is saved into the JSON report underresource_scan.
08/02/2026
- NEW FEATURE: AI report analysis via
--ai(auto-enables--report) - Android analyzer improvements: faster source pattern scanning and cleaner report outputs.
- Setup improvements: JADX updated to
v1.5.3and setup scripts made more robust (setup.sh,setup.ps1). - Better handling for problematic APKs: detect encrypted ZIP entries and report the reason when decompilation is skipped/failed.
- Document analyzer improvements: automatic decryption attempt for
FILEPASS-protected Office documents.
- Parrot OS
- Kali Linux
- Windows 10 or 11
And also another Linux distributions like as Kali/Parrot
Note
If you encounter issues with the Python modules, creating a Python virtual environment (python_venv) should resolve them.
For detailed setup and troubleshooting (dependencies, Docker usage, Windows notes), see the project overview documentation.
AI model selection is manual: set [Ollama] model in Systems/Multiple/multiple.conf to the exact model you want to use.
# First you need to clone Qu1cksc0pe with this command
git clone --depth 1 https://github.com/CYB3RMX/Qu1cksc0pe
# After cloning the repository YOU MUST create a python virtual environment (for handling python modules)
virtualenv -p python3 sc0pe_venv
source sc0pe_venv/bin/activate
# You can simply execute the following command it will do everything for you!
bash setup.sh
#
# setup.sh also installs required system tools (e.g. adb, strings, unzip, 7z) and sets up JADX.
# If you want to install Qu1cksc0pe on your system just execute the following commands.
python qu1cksc0pe.py --install # Optional
# To prevent interpreter errors after installation, use dos2unix.
dos2unix /usr/bin/qu1cksc0pe
# Or you can use Qu1cksc0pe from Docker!
docker build -t qu1cksc0pe .
docker run -it --rm -v $(pwd):/data qu1cksc0pe:latest --file /data/suspicious_file --analyze
# For Windows systems you need to execute the following command (Powershell)
# PS C:\Users\user\Desktop\Qu1cksc0pe> .\setup.ps1
#
# setup.ps1 handles winget dependency fallback, Python + 7-Zip setup,
# Sysinternals strings EULA acceptance, and resilient Ollama installation.
# If cloud model auth is needed, run:
# ollama signin
# ollama pull kimi-k2.5:cloudYou can change some analyzer behaviors via environment variables (useful for CI, reproducibility, or controlling report size/timeouts).
Linux/macOS (bash/zsh) example
SC0PE_ANDROID_REPORT_DETAILED=1 python qu1cksc0pe.py --file app.apk --analyze --reportWindows (PowerShell) example
$env:SC0PE_ANDROID_REPORT_DETAILED="1"
python .\\qu1cksc0pe.py --file app.apk --analyze --report| Variable | Default | What It Does |
|---|---|---|
SC0PE_ANDROID_REPORT_DETAILED |
0 |
Android analyzer JSON becomes more verbose (keeps larger fields and higher limits). Includes more details under resource_scan, and keeps large duplicate fields like code_patterns more often. |
SC0PE_WINDOWS_REPORT_DETAILED |
0 |
Windows analyzer stores per-category API lists in more detail (instead of unique API names only). |
SC0PE_AUTO_DECRYPT_CHAIN |
0 |
Document analyzer: when an Office document decryption succeeds, automatically re-runs analysis on the decrypted output (best-effort). |
SC0PE_AI_INTERESTING_PATTERNS_MAX_KEYS |
25 |
AI analyzer: limit how many keys from interesting_string_patterns are included in the LLM prompt. |
SC0PE_AI_INTERESTING_PATTERNS_MAX_VALUES |
30 |
AI analyzer: limit list size per interesting_string_patterns key in the LLM prompt. |
SC0PE_AI_INCLUDE_TEMP_EXCERPT |
0 |
AI analyzer: include raw temp.txt excerpt in prompt when set to 1 (default is parsed/summarized mode without raw excerpt). |
SC0PE_AI_TEMP_TXT_EXCERPT_CHARS |
800 |
AI analyzer: character limit for raw temp.txt excerpt (used when SC0PE_AI_INCLUDE_TEMP_EXCERPT=1). |
SC0PE_AI_TEMP_TXT_MAX_STRINGS |
50 |
AI analyzer: limit number of meaningful strings selected from parsed temp.txt. |
SC0PE_AI_TEMP_TXT_MIN_LEN |
6 |
AI analyzer: minimum length for a meaningful string extracted from temp.txt. |
SC0PE_AI_TEMP_TXT_MAX_LEN |
180 |
AI analyzer: maximum length for a meaningful string extracted from temp.txt. |
SC0PE_AI_TEMP_PARSE_MAX_BYTES |
2097152 |
AI analyzer: max bytes to parse from temp.txt while building compact evidence. |
SC0PE_AI_TEMP_PARSE_MAX_LINES |
12000 |
AI analyzer: max lines to parse from temp.txt. |
SC0PE_AI_TEMP_SAMPLE_LINES |
2500 |
AI analyzer: sample size used for meaningful-string scoring. |
SC0PE_AI_TEMP_IOC_CAP |
40 |
AI analyzer: cap for IoC candidates parsed from temp.txt. |
SC0PE_AI_TEMP_IOC_PROMPT_MAX |
20 |
AI analyzer: max parsed IoC values per kind sent to LLM prompt. |
SC0PE_AI_MAX_REPORT_CHARS |
180000 |
AI analyzer: threshold for full-report prompt mode; larger reports are compacted automatically. |
SC0PE_AI_COMPACT_MAX_LIST_ITEMS |
40 |
AI analyzer: list sampling limit in compact report mode. |
SC0PE_AI_COMPACT_MAX_STR |
220 |
AI analyzer: max string length per field in compact report mode. |
SC0PE_AI_COMPACT_MAX_DEPTH |
4 |
AI analyzer: nested depth limit in compact report mode. |
SC0PE_AI_OLLAMA_HTTP_TIMEOUT |
60 |
AI analyzer: Ollama HTTP call timeout (seconds). |
SC0PE_AI_HTTP_PROBE_TIMEOUT |
20 |
AI analyzer: short probe timeout before full HTTP generation call (seconds). |
SC0PE_AI_OLLAMA_CLI_TIMEOUT |
90 |
AI analyzer: Ollama CLI call timeout (seconds). |
SC0PE_AI_TOTAL_BUDGET |
120 |
AI analyzer: total generation budget across retries/fallback attempts (seconds). |
SC0PE_AI_OLLAMA_NUM_PREDICT |
700 |
AI analyzer: default generation token budget per Ollama call. |
SC0PE_AI_OLLAMA_RETRY_NUM_PREDICT |
1400 |
AI analyzer: generation token budget for retry when output looks truncated. |
SC0PE_AI_OLLAMA_NUM_CTX |
8192 |
AI analyzer: Ollama context window setting. |
SC0PE_AI_DISABLE_THINK |
1 |
AI analyzer: sends think=false (if supported) and removes thinking artifacts from displayed/saved output. |
SC0PE_AI_ALLOW_MODEL_FALLBACK |
1 |
AI analyzer: when 1, can try locally available Ollama models if configured model fails/unavailable. |
SC0PE_AI_SKIP_CLOUD_WHEN_LOCAL |
1 |
AI analyzer: prefer local models over cloud-tagged models when local options exist. |
SC0PE_AI_SKIP_CLOUD_CLI |
1 |
AI analyzer: skip cloud-tagged models for CLI fallback attempts. |
SC0PE_AI_MAX_MODEL_CANDIDATES |
4 |
AI analyzer: maximum number of candidate models to try in fallback chain. |
SC0PE_AI_FILTER_WHITELIST_DOMAINS |
1 |
AI IoC sanitizer: filter legit/whitelisted domains using Systems/Multiple/whitelist_domains.txt. |
SC0PE_AI_ALLOW_SHORT_DOMAINS |
0 |
IoC sanitizer: allow very short SLD domains (disabled by default to reduce false positives). |
SC0PE_AI_MIN_SLD_LEN |
4 |
IoC sanitizer: minimum registrable-label length for domain validation. |
SC0PE_AI_ALLOW_FILELIKE_TLDS |
0 |
IoC sanitizer: when 0, filters file-like pseudo-domains such as sheet1.xml. |
SC0PE_AI_KEEP_LOCAL_PATHS |
0 |
IoC sanitizer: when 0, removes local analysis machine paths from file_paths. |
SC0PE_DOC_AUTO_EXTRACT_MACROS |
1 |
Document analyzer: automatically extract detected VBA/XLM macros into report output (0 disables). |
SC0PE_REPORT_MAX_MACRO_CHARS |
50000 |
Document analyzer: per-macro text cap used while saving extracted macro content into JSON report. |
SC0PE_EMAIL_DNSBL_FILTER_NOISY |
1 |
Email analyzer: filter noisy DNSBL providers to reduce false positives. |
SC0PE_EMAIL_DNSBL_ALLOW_UNKNOWN |
0 |
Email analyzer: include/exclude DNSBL hits with unknown category. |
SC0PE_EMAIL_DNSBL_NOISY_PROVIDERS |
unset | Email analyzer: comma-separated extra DNSBL providers to treat as noisy. |
SC0PE_AUTO_CLEANUP_ATTACHMENTS |
unset | Email analyzer: set 1 for auto-delete, 0 for never-delete, unset for interactive prompt. |
OLLAMA_HOST |
http://127.0.0.1:11434 |
AI report analysis backend (Ollama). Set this if Ollama is remote or on a different host/port. |
JAVA_HOME |
unset | Android analyzer: helps locate Java runtime for JADX. Set this if Java is installed but not detected. |
Description: You can perform basic analysis and triage against your samples.
Usage: python qu1cksc0pe.py --file suspicious_file --analyze
Description: With this feature you can analyze assets of given file. Also you can detect and extract embedded payloads from malware samples such as AgentTesla, Formbook etc.
Effective Against:
- .NET Executables
Usage: python qu1cksc0pe.py --file suspicious_file --resource
Note
Android APK resource scanning was moved into the Android analyzer. Use:
python qu1cksc0pe.py --file app.apk --analyze --report
The JSON report includes resource_scan. Set SC0PE_ANDROID_REPORT_DETAILED=1 to keep more details in the report.
Description: You can check if hash value of the given file is in built-in malware hash database. Also you can scan your directories with this feature.
Usage: python qu1cksc0pe.py --file suspicious_file --hashscan
Supported Arguments:
--hashscan--packer
Usage: python qu1cksc0pe.py --folder FOLDER --hashscan
Report Contents:
Threat CategoriesDetectionsCrowdSourced IDS Reports
Usage for --vtFile: python qu1cksc0pe.py --file suspicious_file --vtFile
Note
In Web UI flow, Standart Analysis, Document, and Archive presets also execute VirusTotal file lookup in background and show the result in the report page.
Description: This feature can perform deep file inspection against given document files. For example: You can detect and extract possible malicious links or embedded exploits/payloads from your suspicious document file easily!
Effective Against:
- Word Documents (.doc, .docm, .docx)
- Excel Documents (.xls, .xlsm, .xlsx)
- Portable Document Format (.pdf)
- OneNote Documents (.one)
- Rich Text Format Documents (.rtf)
- VBScript/VBA Family (.vbs, .vbe, .vba, .vb, .bas, .cls, .frm)
Usage: python qu1cksc0pe.py --file suspicious_document --docs
Description: Analyze Windows Batch scripts for suspicious commands, encoded payload patterns, URLs/domains/IPs, and rule matches.
Usage: python qu1cksc0pe.py --file suspicious_script.bat --analyze --report
Description: With this feature you can perform checks for suspicious files against archive files.
Effective Against:
- ZIP
- RAR
- ACE
Usage: python qu1cksc0pe.py --file suspicious_archive_file --archive
With report: python qu1cksc0pe.py --file suspicious_archive_file --archive --report
With AI support: python qu1cksc0pe.py --file suspicious_archive_file --archive --ai
Note
ACE archive support requires 7z/7zz to be installed (setup scripts install it on supported systems).
Description: With this feature you can detect and extract embedded executable files(.exe, .elf) from given file. Also you can analyze large files (even 1gb or higher) and extract actual malware samples from them (pumped-file analysis).
Usage: python qu1cksc0pe.py --file suspicious_file --sigcheck
Description: MITRE ATT&CK mapping is generated automatically during static analysis based on detected APIs/functions/patterns.
Effective Against:
- Windows Executables
- Linux Executables
Usage: python qu1cksc0pe.py --file suspicious_file --analyze
Description: Android permission analysis now classifies permissions as Dangerous, Special, or Info and writes an aggregate permission_summary into JSON reports.
Usage: python qu1cksc0pe.py --file suspicious_app.apk --analyze --report
Note
In Web UI report page, Android permissions are shown in a dedicated section with counters and per-permission state badges.
Description: You can get programming language information from given file.
Usage: python qu1cksc0pe.py --file suspicious_executable --lang
Description: You can use Qu1cksc0pe in command line mode.
Usage: python qu1cksc0pe.py --console
Note
You must connect a virtual device or physical device to your computer.
Usage: python qu1cksc0pe.py --watch
android_dynamic_analysis.mp4
Description: Linux dynamic flow is menu-driven and lets you choose emulation or live process monitoring.
Usage: python qu1cksc0pe.py --watch
After selecting Linux:
- Option
1: Binary Emulation (isolated environment). - Option
2: PID Monitoring (Frida+psutil).
Notes:
- PID monitoring accepts both numeric PID and process name.
- Interactive Linux prompts support TAB autocomplete (selection, path, PID/name).
- Emulation fallback order: Docker SDK -> Docker CLI -> host
qemu(if Docker is unavailable).
Usage: python qu1cksc0pe.py --watch
windows_process_analyzer.mp4
- The Cyber Security Hub
- Kitploit - Top 20 Most Popular Hacking Tools in 2021
- CSIRT.MAI
- Vulners
- RedPacket Security
- Bournemouth University - CERT
- Hacking Articles - Digital Forensics Tools Mindmap
- HackGit - Twitter Post
- Daily Dark Web - Twitter Post
- SANS ISC - Blog Post
- Korben - Blog Post
- heise online - Blog Post
