From 6b9697e4e7bbe4d2f6db51f3eb4d901b6a404b7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?=
Date: Wed, 16 May 2018 08:30:36 +0200
Subject: [PATCH] #212 WIP - update long report, improve submodules

---
 .../FileInfo/submodules/submodule_metadata.py | 2 +-
 .../FileInfo/submodules/submodule_outlook.py | 2 +-
 thehive-templates/FileInfo_3_0/long.html | 516 +++++-------------
 3 files changed, 129 insertions(+), 391 deletions(-)

diff --git a/analyzers/FileInfo/submodules/submodule_metadata.py b/analyzers/FileInfo/submodules/submodule_metadata.py
index a1e0f3c77..8fd4accc2 100644
--- a/analyzers/FileInfo/submodules/submodule_metadata.py
+++ b/analyzers/FileInfo/submodules/submodule_metadata.py
@@ -53,7 +53,7 @@ def analyze_file(self, path):
 # Get libmagic info
 magicliteral = magic.Magic().from_file(path)
 mimetype = magic.Magic(mime=True).from_file(path)
- self.add_result_subsection('Filetype determination', {
+ self.add_result_subsection('File information', {
 'Magic literal': magicliteral,
 'MimeType': mimetype,
 'Filetype': pyexifinfo.fileType(path),
diff --git a/analyzers/FileInfo/submodules/submodule_outlook.py b/analyzers/FileInfo/submodules/submodule_outlook.py
index 856a0b66d..8a1ed43dd 100644
--- a/analyzers/FileInfo/submodules/submodule_outlook.py
+++ b/analyzers/FileInfo/submodules/submodule_outlook.py
@@ -12,7 +12,7 @@ def __init__(self):
 
 def check_file(self, **kwargs):
 try:
- if kwargs.get('mimetype') == 'application/vnd.ms-outlook':
+ if kwargs.get('mimetype') in ['application/vnd.ms-outlook', 'application/CDFV2-unknown']:
 return True
 except KeyError:
 return False
diff --git a/thehive-templates/FileInfo_3_0/long.html b/thehive-templates/FileInfo_3_0/long.html
index c834e02ec..8420b6bb4 100644
--- a/thehive-templates/FileInfo_3_0/long.html
+++ b/thehive-templates/FileInfo_3_0/long.html
@@ -1,4 +1,4 @@
-
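Review bot: The widened mimetype test on the `+` line of the submodule_outlook.py hunk selects this submodule for any OLE2 compound document that libmagic cannot classify further, not only Outlook messages: `application/CDFV2-unknown` is libmagic's fallback label for a CDFV2 container with no more specific signature, so unrecognised legacy Office files and other OLE containers (thumbs.db, some MSI packages, depending on the magic database) may also be routed here, and whatever `analyze_file` uses to parse them must tolerate non-MSG input — that method is outside the hunk, so I cannot confirm it does. A more accurate gate would confirm the MSG layout before returning True, for example by opening the file with olefile (oletools depends on it, though I cannot see whether this module imports it) and requiring the `__properties_version1.0` stream, so a mis-identified container falls through to the other submodules instead of producing a failed report. Separately, `kwargs.get('mimetype')` never raises KeyError, so the `try`/`except KeyError` wrapper is dead code and the method can be reduced to `return kwargs.get('mimetype') in ('application/vnd.ms-outlook', 'application/CDFV2-unknown')`, optionally followed by the stream check. The enclosing class definition starts before the hunk.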
+
- -
- -
- Basic Properties -
-
-
-

{{r.submodule_section_header}}

-
-
{{k}}
-
{{v}}
-
+ + +
+ +
+
+
+
+

+ {{r.submodule_section_header}} +

+
+
+
+
{{k}}
+
{{v}}
+
+
+
-
- -
-
- File Identification -
-
-
-
MD5
-
{{content.Identification['MD5']}}
-
-
-
SHA1
-
{{content.Identification['SHA1']}}
-
-
-
SHA256
-
{{content.Identification['SHA256']}}
-
-
-
impash
-
{{content.Identification['impash']|| "-"}} -
-
-
-
ssdeep
-
{{content.Identification['ssdeep']|| "-"}} -
-
-
-
pehash
-
{{content.Identification['pehash']|| "-"}} -
-
-
-
Operating System
-
{{content.Identification['OperatingSystem']}} -
-
-
-
PE Type
-
{{content.Identification['PEType']}}
-
-
-
Magic literal
-
{{content.Magic}}
-
-
-
MimeType
-
{{content.Mimetype}}
-
-
-
- - -
-
- File Metadata (Exiftool) -
-
-
-
{{k}}
-
{{v}}
-
- -
-
- - -
-
- PE Basic Information -
-
-
-
{{I.Info}}
-
{{I.Value}}
-
-
-
Compilation Timestamp
-
{{content.PE.BasicInformation.CompilationTimestamp}}
-
-
-
File Size
-
{{content.PE.BasicInformation.FileSize}}
-
-
-
Entry Point (EP)
-
{{content.PE.BasicInformation.EntryPoint}}
-
-
-
Target Machine
-
{{content.PE.BasicInformation.TargetMachine}}
-
-
-
- - -
-
- PE Sections -
-
- - - - - - - - - - - - - - - - -
SectionSizeOfRawDataEntroy
- {{section.entryname}} - {{section.SizeOfRawData}}{{section.Entropy}}
+ +
+
+
+ + + +
+
+ + + + + + + + + + + + + + + +
TypeKeywordDescription
{{l.type}}{{l.keyword}}{{l.description}}
+
+
+ + +
+
+
+
vba_filename
+
{{m.vba_filename}}
+
+
+
ole_stream
+
{{m.ole_stream}}
+
+
+
code
+
{{m.code}}
+
+
+
+ + +
+
+                                    {{r.submodule_section_content.code_deobfuscated}}
+                                
+
+
+
+
+

+

+
+
+
{{k}}
+
{{v}}
+
+
+
+
+
+
+ +
+
+
+
+

+ {{r.submodule_section_header}} +

+
+
-
- MD5 -
-
- {{section.MD5}} -
+
From
+
{{r.submodule_section_content.from}}
-
- SHA1 -
-
- {{section.SHA1}} -
+
To
+
{{r.submodule_section_content.to}}
-
- SHA256 -
-
- {{section.SHA256}} -
+
Cc
+
{{r.submodule_section_content.cc}}
+
+
+
Date
+
{{r.submodule_section_content.date}}
+
+
+
Subject
+
{{r.submodule_section_content.subject}}
+
+
+
Body
+
{{r.submodule_section_content.body}}
+
+
+
Attachment hashes
+
{{r.submodule_section_content.attachments}}
+
+
+
All Headers
+
{{r.submodule_section_content.header}}
-
-
-
- - - -
-
- PE Import Address Table -
-
-
-
- - - - {{entry.entryname}} -
- -
-
- {{entry.symbols.length}} - items -
-
-
- {{sym}}
-
-
-
-
- - -
-
- Olevba Report -
-
-

Summary

-
-
Olevba version:
-
v{{content.MSOffice.olevba.Version}}
-
- -
-
Olevba detection :
-
{{content.MSOffice.olevba.vba}}
-
- -
-
Olevba scanner :
-
- - - - Not suspicious - Suspicious VBA -   - - Base64 strings -   - - Hex strings - - - - - Not suspicious - - - -
-
- -
-

Detailed Information

- -
-
-
-

OLE stream: - {{stream['OLE stream']}}

-
-
-
Information
-
-
VBA filename:
-
{{stream['VBA filename']}}
-
-
-
Filename:
-
{{stream['Filename']}}
-
- -
-
Olevba analysis
-
- - - - - - - - - - - - - - - -
TypeKeywordDescription
{{result.type}}{{result.keyword}}{{result.description}}
- -
-
- -
- - Show code - Hide code - -
-
- -
-                                      {{stream['VBA code']}}
-                                    
- - - -
-
- -
-
-
-
- -
-
-
- Analysis failure -
-
- {{content.MSOffice.olevba.Error}} -
-
-
-
- -
- - - - -
-
- PDFiD Report -
-
-

Summary

-
-
PDFiD version:
-
v{{content.PDF.pdfid[0].pdfid.version}}
-
- -
-
Suspicious:
-
{{content.PDF.pdfid[0].suspicious}}
-
- -
-
PDFiD detection :
-
- - - - /RichMedia -   - - - - /OpenAction -   - - - - /JavaScript -   - - - - /Launch -   - - - - /ObjStm -   - - -
-
-
- -
-
- - - -
-
- {{(artifact.data || artifact.attachment.name) | fang}} -
-
- {{content.errorMessage}} -
+
+ + +