#212 WIP - improve summary
jeromeleonard committed Jun 3, 2018
1 parent faf912a commit d4b58e8
Showing 4 changed files with 65 additions and 8 deletions.
14 changes: 9 additions & 5 deletions analyzers/FileInfo/fileinfo_analyzer.py
Expand Up @@ -16,8 +16,9 @@ def __init__(self):
self.mimetype = magic.Magic(mime=True).from_file(self.filepath)


def build_summary(self, summary, module_results):
def build_summary(self, module_results):

summary = []
for m in module_results:
if m["submodule_section_summary"]["taxonomies"] != []:

Expand All @@ -34,20 +35,23 @@ def run(self):
matadata_results = m.analyze_file(self.filepath)
results.append({
'submodule_name': m.name,
'results': matadata_results
'results': matadata_results,
'summary': self.build_summary(matadata_results)

})
self.build_summary(summary, matadata_results)
# self.build_summary(summary, matadata_results)

for module in available_submodules:
if module.check_file(file=self.filepath, filetype=self.filetype, filename=self.filename,
mimetype=self.mimetype):
module_results = module.analyze_file(self.filepath)
results.append({
'submodule_name': module.name,
'results': module_results
'results': module_results,
'summary': self.build_summary(module_results)
})

self.build_summary(summary, module_results)
# self.build_summary(summary, module_results)

self.report({'results': results, 'summary': summary})

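Review bot: The final `self.report({'results': results, 'summary': summary})` still emits a top-level `summary`, but both calls that used to populate it are now commented out (`# self.build_summary(summary, matadata_results)` and `# self.build_summary(summary, module_results)`), so if `summary` is still initialised above this hunk it will be reported empty while the per-module summaries now live only inside each `results` entry. Either drop the top-level key or rebuild it from the per-module values, e.g. `summary = [t for r in results for t in r['summary']]` if `build_summary` returns the list its new `summary = []` suggests. The two commented-out lines should be deleted rather than kept as dead code. Both `build_summary` and `run` continue outside the hunk.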
2 changes: 2 additions & 0 deletions analyzers/FileInfo/submodules/submodule_base.py
Expand Up @@ -56,6 +56,8 @@ def analyze_file(self, path):
"""
pass

def section_summary(self, report):

def add_result_subsection(self, subsection_header, results, summary={"taxonomies": []}):
"""
Adding a subsection to the section of the analyzer module
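Review bot: `def section_summary(self, report):` is added with no body, which is a SyntaxError at import time and would take down every submodule that imports `SubmoduleBaseclass`. Give it at least the placeholder the neighbouring `analyze_file` uses — a docstring such as `"""Build the summary for this module's section; overridden by submodules."""` followed by `pass` — or `raise NotImplementedError` if it is meant as an abstract hook. The class continues outside the hunk.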
20 changes: 17 additions & 3 deletions analyzers/FileInfo/submodules/submodule_oletools.py
Expand Up @@ -2,6 +2,9 @@
from .submodule_base import SubmoduleBaseclass
from oletools.olevba3 import VBA_Parser_CLI
from oletools.msodde import process_file
from oletools.olevba3 import __version__ as olevba_version
from oletools.msodde import __version__ as msodde_version



class OLEToolsSubmodule(SubmoduleBaseclass):
Expand Down Expand Up @@ -43,7 +46,9 @@ def analyze_file(self, path):
def olevba_summary(self, analysis):
""" Build summary for Olevba part of the submodule"""

summary = {'taxonomies': []}
version = {'Olevba version': olevba_version}
summary = {'taxonomies': [],
'version': [version]}


type_list = []
Expand All @@ -68,6 +73,9 @@ def olevba_summary(self, analysis):

def analyze_vba(self, path):
"""Analyze a given sample for malicious vba."""



try:

vba_parser = VBA_Parser_CLI(path, relaxed=True)
Expand All @@ -77,17 +85,23 @@ def analyze_vba(self, path):
vba_code_only=False,
show_deobfuscated_code=True,
deobfuscate=True)

self.add_result_subsection('Olevba', vbaparser_result, self.olevba_summary(vbaparser_result["analysis"]))
except TypeError:
self.add_result_subsection('Oletools VBA Analysis failed', 'Analysis failed due to an filetype error.'
'The file does not seem to be a valid MS-Office '
'file.')

def analyze_dde(self, path):
version = {'Msodde version': msodde_version}
summary = {'taxonomies':[],
'version': [version]}
results = process_file(path)
if len(results) > 0:
self.add_result_subsection('Oletools DDE Analysis', {'DDEUrl': results}, {"DDE": True})
summary["taxonomies"].append(self.build_taxonomy('suspicious', 'FileInfo', 'DDE', 'URL found'))
self.add_result_subsection('Oletools DDE Analysis', {'DDEUrl': results}, summary)
else:
self.add_result_subsection('Oletools DDE Analysis', {'Info': 'No DDE URLs found.'})
summary["taxonomies"].append(self.build_taxonomy('info', 'FileInfo', 'DDE', 'Not found'))
self.add_result_subsection('Oletools DDE Analysis', {'Info': 'No DDE URLs found.'}, summary)


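Review bot: The version is stored as a one-element list wrapping a dict, `'version': [version]`, in both `olevba_summary` and `analyze_dde`, which makes the value awkward to read from a template (`summary.version[0]['Olevba version']`) and does not match the flat `result.summary["Olevba version"]` lookup in long.html in this same commit. Storing it directly, `'version': version` (or a flat `'Olevba version': olevba_version` key), at one agreed level would avoid that. `analyze_dde` also calls `process_file(path)` with no error handling, unlike `analyze_vba` which catches `TypeError`; a malformed document would presumably propagate out of the submodule instead of producing an "analysis failed" subsection as the VBA path does. The three blank lines added after the `analyze_vba` docstring are noise and should go.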
37 changes: 37 additions & 0 deletions thehive-templates/FileInfo_3_0/long.html
Expand Up @@ -6,6 +6,9 @@

</style>


<br>

<uib-tabset active="active">
<uib-tab index="$index" ng-repeat="result in content.results" heading="{{result.submodule_name}}" disable="tab.disabled">
<br>
Expand All @@ -30,7 +33,41 @@ <h4 class="panel-title">

<!-- Oletools -->
<div ng-if="result.submodule_name=='Oletools Submodule'">


<div class="panel-body">

<!-- summary -->
<div>
<div ngif=result.summary class="panel panel-primary">
<div class="panel-heading">
<h4 class="panel-title">Summary</h4>
</div>
<div class="panel-body">
<dl class="dl-horizontal">
<dt>Olevba version</dt>
<dd class="wrap">{{result.summary["Olevba version"]}}</dd>
</dl>
<dl class="dl-horizontal">
<dt>Msodde version</dt>
<dd class="wrap">{{result.summary["Msodde version"]}}</dd>
</dl>


<dl class="dl-horizontal">
<dt>Oletools scanner</dt>
<dd class="wrap">
<span class="label" ng-repeat="t in result.summary.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
{{t.namespace}}:{{t.predicate}}={{t.value}}
</span>
</dd>
</dl>

</div>

</div>
</div>

<div ng-repeat="r in result.results">
<uib-accordion ng-if="r.submodule_section_header=='Olevba'">

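Review bot: `<div ngif=result.summary class="panel panel-primary">` uses `ngif`, which is not an AngularJS directive, so the guard is silently ignored and the summary panel renders unconditionally; it should read `<div ng-if="result.summary" class="panel panel-primary">`. The lookups `result.summary["Olevba version"]` and `result.summary.taxonomies` also assume a dict at the result level, whereas `build_summary` in fileinfo_analyzer.py in this commit starts from `summary = []` and the oletools submodule nests the version under a `version` list, so these bindings will likely resolve to nothing until the summary shape is settled. The enclosing `ng-if="result.submodule_name=='Oletools Submodule'"` block continues outside the hunk.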
