#212 add summary analysis in full report

TheHive-Project · Jun 1, 2018 · faf912a · faf912a
1 parent 3ddbb70
commit faf912a
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 10 deletions.
diff --git a/analyzers/FileInfo/fileinfo_analyzer.py b/analyzers/FileInfo/fileinfo_analyzer.py
@@ -15,24 +15,41 @@ def __init__(self):
         self.filetype = pyexifinfo.fileType(self.filepath)
         self.mimetype = magic.Magic(mime=True).from_file(self.filepath)
 
+
+    def build_summary(self, summary, module_results):
+
+        for m in module_results:
+            if m["submodule_section_summary"]["taxonomies"] != []:
+
+                summary += m["submodule_section_summary"]["taxonomies"]
+
+        return summary
+
     def run(self):
         results = []
+        summary = []
 
         # Add metadata to result directly as it's mandatory
         m = MetadataSubmodule()
+        matadata_results = m.analyze_file(self.filepath)
         results.append({
             'submodule_name': m.name,
-            'results': m.analyze_file(self.filepath)
+            'results': matadata_results
         })
+        self.build_summary(summary, matadata_results)
 
         for module in available_submodules:
             if module.check_file(file=self.filepath, filetype=self.filetype, filename=self.filename,
                                  mimetype=self.mimetype):
+                module_results = module.analyze_file(self.filepath)
                 results.append({
-                    'submodule_name': module.name,
-                    'results': module.analyze_file(self.filepath)
+                   'submodule_name': module.name,
+                   'results': module_results
                 })
-        self.report({'results': results})
+
+                self.build_summary(summary, module_results)
+
+        self.report({'results': results, 'summary': summary})
 
 
 if __name__ == '__main__':

diff --git a/analyzers/FileInfo/submodules/submodule_metadata.py b/analyzers/FileInfo/submodules/submodule_metadata.py
@@ -53,12 +53,14 @@ def analyze_file(self, path):
         # Get libmagic info
         magicliteral = magic.Magic().from_file(path)
         mimetype = magic.Magic(mime=True).from_file(path)
+        filetype = pyexifinfo.fileType(path)
+        taxonomy = {'level': 'info', 'namespace': 'FileInfo', 'predicate': 'Filetype', 'value': filetype}
+
         self.add_result_subsection('File information', {
             'Magic literal': magicliteral,
             'MimeType': mimetype,
             'Filetype': pyexifinfo.fileType(path),
-            'Filesize': os.path.getsize(path)
-
-        })
+            'Filesize': os.path.getsize(path)},{'taxonomies': [taxonomy]}
+                                   )
 
         return self.results
diff --git a/analyzers/FileInfo/submodules/submodule_oletools.py b/analyzers/FileInfo/submodules/submodule_oletools.py
@@ -38,8 +38,36 @@ def analyze_file(self, path):
 
         return self.results
 
+
+
+    def olevba_summary(self, analysis):
+        """ Build summary for Olevba part of the submodule"""
+
+        summary = {'taxonomies': []}
+
+
+        type_list = []
+        for a in analysis:
+            if a["type"] not in type_list:
+                type_list.append(a["type"])
+
+        predicate = "Olevba"
+        namespace = "FileInfo"
+        level = "info"
+
+        if "Suspicious" in type_list:
+            level = 'suspicious'
+        if "VBA string" in type_list:
+            summary["taxonomies"].append(self.build_taxonomy(level, namespace, predicate, "VBA string"))
+        if "Base64 String" in type_list:
+            summary["taxonomies"].append(self.build_taxonomy(level, namespace, predicate, "Base64 string"))
+        if "Hex String" in type_list:
+            summary["taxonomies"].append(self.build_taxonomy(level, namespace, predicate, "Hex string"))
+
+        return summary
+
     def analyze_vba(self, path):
-        """Analyze a given sample for malicios vba."""
+        """Analyze a given sample for malicious vba."""
         try:
 
             vba_parser = VBA_Parser_CLI(path, relaxed=True)
@@ -49,7 +77,7 @@ def analyze_vba(self, path):
                                                             vba_code_only=False,
                                                             show_deobfuscated_code=True,
                                                             deobfuscate=True)
-            self.add_result_subsection('Olevba', vbaparser_result)
+            self.add_result_subsection('Olevba', vbaparser_result, self.olevba_summary(vbaparser_result["analysis"]))
         except TypeError:
             self.add_result_subsection('Oletools VBA Analysis failed', 'Analysis failed due to an filetype error.'
                                                                        'The file does not seem to be a valid MS-Office '
@@ -58,6 +86,8 @@ def analyze_vba(self, path):
     def analyze_dde(self, path):
         results = process_file(path)
         if len(results) > 0:
-            self.add_result_subsection('Oletools DDE Analysis', {'DDEUrl': results})
+            self.add_result_subsection('Oletools DDE Analysis', {'DDEUrl': results}, {"DDE": True})
         else:
             self.add_result_subsection('Oletools DDE Analysis', {'Info': 'No DDE URLs found.'})
+
+