#533 use oletools.crypto to manage office encrypted documents

TheHive-Project · Sep 13, 2019 · 5d112fa · 5d112fa
1 parent 52da152
commit 5d112fa
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 614 deletions.
diff --git a/analyzers/FileInfo/FileInfo.json b/analyzers/FileInfo/FileInfo.json
@@ -1,6 +1,6 @@
 {
   "name": "FileInfo",
-  "version": "6.0",
+  "version": "7.0",
   "author": "TheHive-Project",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",

diff --git a/analyzers/FileInfo/submodules/submodule_oletools.py b/analyzers/FileInfo/submodules/submodule_oletools.py
@@ -1,10 +1,10 @@
 """FileInfo oletools submodule; WIP"""
 from .submodule_base import SubmoduleBaseclass
-from oletools.olevba3 import VBA_Parser_CLI
+from oletools.olevba import VBA_Parser_CLI
 from oletools.msodde import process_file
-from oletools.olevba3 import __version__ as olevba_version
+from oletools.olevba import __version__ as olevba_version
 from oletools.msodde import __version__ as msodde_version
-
+from oletools.crypto import is_encrypted, decrypt
 
 
 class OLEToolsSubmodule(SubmoduleBaseclass):
@@ -28,14 +28,20 @@ def check_file(self, **kwargs):
                 'PPT',
                 'PPTM',
                 'PPTX'
-            ] or kwargs.get('mimetype').startswith("application/vnd.openxmlformats-officedocument"):
+            ] or (kwargs.get('mimetype').startswith("application/vnd.openxmlformats-officedocument") or
+                 kwargs.get('mimetype').startswith("application/encrypted") or
+                 kwargs.get('mimetype').startswith("application/vnd.ms-")
+            ):
+                if kwargs.get('mimetype').startswith("application/encrypted") and not is_encrypted(kwargs.get('file')):
+                    return False
                 return True
         except KeyError:
             return False
         return False
 
     def analyze_file(self, path):
         # Run the analyze functions
+        self.encypted = is_encrypted(path)
         self.analyze_vba(path)
         self.analyze_dde(path)
 
@@ -92,30 +98,31 @@ def module_summary(self):
         self.summary['taxonomies'] = taxonomies
         self.summary['Olevba'] = olevba_version
         self.summary['Msodde'] = msodde_version
+        self.summary['encrypted_file'] = self.encypted
 
         return self.summary
 
     def analyze_vba(self, path):
         """Analyze a given sample for malicious vba."""
 
         try:
-
+            if is_encrypted(path):
+                path = decrypt(path)
             vba_parser = VBA_Parser_CLI(path, relaxed=True)
             vbaparser_result = vba_parser.process_file_json(show_decoded_strings=True,
                                                             display_code=True,
                                                             hide_attributes=False,
                                                             vba_code_only=False,
                                                             show_deobfuscated_code=True,
                                                             deobfuscate=True)
-
             self.add_result_subsection('Olevba', vbaparser_result)
         except TypeError:
             self.add_result_subsection('Oletools VBA Analysis failed', 'Analysis failed due to an filetype error.'
                                                                        'The file does not seem to be a valid MS-Office '
                                                                        'file.')
 
     def analyze_dde(self, path):
-        version = {'Msodde version': msodde_version}
+        # version = {'Msodde version': msodde_version}
         results = process_file(path)
         if len(results) > 0:
             self.add_result_subsection('DDE Analysis', {'DDEUrl': results})