Merge pull request #264 from CybercentreCanada/identify/onenote

cccs-jh · web-flow · commit e4109e0014a1 · 2021-06-04T15:17:13.000-04:00
Add OneNote file detection to custom magic (dev)
diff --git a/assemblyline/common/custom.magic b/assemblyline/common/custom.magic
@@ -16,6 +16,8 @@
 >&0     regex/10        \^(Subject|MIME)
 >>0x10 	search/0x100    multipart/related
 >>>0x50	search/0x300	urn:schemas-microsoft-com:office    custom: document/office/mhtml
+# OneNote Files
+0	string	\344R\\{\214\330\247M\256\261Sx\320)\226\323	custom: document/office/onenote
 # VBE files
 0   string
 >&0     regex/20        \^#@~\\^[^=]{6}==     custom: code/vbe
@@ -97,4 +99,4 @@
 0   short   0x3C4D
 >&0 short   0xA1B2        custom: network\tcpdump
 # Email
-0   string  DKIM-Signature:     custom: document/email
+0   string  DKIM-Signature:     custom: document/email
diff --git a/assemblyline/common/identify.py b/assemblyline/common/identify.py
@@ -246,6 +246,7 @@
     'document/office/word': '.doc',
     'document/office/wordperfect': 'wp',
     'document/office/wordpro': 'lwp',
+    'document/office/onenote': '.one',
     'document/pdf': '.pdf',
     'document/email': '.eml',
     'executable/windows/pe32': '.exe',
