QuickSand is a new Python-based analysis framework to analyze suspected malware documents to identify exploits in streams of different encodings or compressions. QuickSand supports documents, PDFs, Mime/Email, Postscript and other common formats. A built-in command line tool can process a single document or directory of documents.

QuickSand scans within the decoded streams of documents and PDFs using Yara signatures to identify exploits or high risk active content.

A hosted version is available to try without any installation at scan.tylabs.com.


An older C version is also available, it can break xor obfuscation that was popular in the early days of document malware.

Tool C Python Online
QuickSand C Python Online

Get QuickSand on GitHub