In-depth analysis of malicious files with clamscan and YARA rules.
This tool, written in Python, links ClamAV and YARA. It can help you triage a suspicious file, can build a visual tree graph for quick inspection of the embedded files (parent type, type, suspicious or dangerous content), and can compute indicators of compromise. It uses clamav to extract the embedded files and build a JSON tree, then sends every embedded file to YARA together with its context (passed in external variables) to check the rules. When rules match, each match is given that rule's score. The MAX rule score is added to the top of the tree; you can also add the global score, which uses all the scores found to obtain a coefficient score. As an additional feature, the tool can extract specific patterns (URL, host, IP, ...).
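The scoring walk described above, as an added example that is not part of analysis.py or the project's code: it takes a hand-built result tree in the shape of the JSON the tool emits (ContainedObjects, Yara, RiskScore, FileType, FileParentType), sets each node's RiskScore to the highest score among the rules matched on it, lifts the maximum to the top of the tree, and combines every distinct rule hit into one global coefficient score. The coefficient table, the `RiskScoreMax` field name and the combining formula are assumptions, because the page does not document the format of the coef file given with -m.

```python
"""Walk a clamav + yara result tree and compute per-node and global risk scores.

Added example, not the tool's own code. It assumes the JSON key names the tool
emits (ContainedObjects, Yara, RiskScore, FileType, FileParentType) and models
the coefficient file as a plain dict of per-rule weights, a constructed
substitute for the real -m coef_path format.
"""

# Constructed sample result tree: a PDF carrying an OOXML Word document whose
# vbaProject OLE container holds the macro streams. Hashes are dummy values.
SAMPLE_TREE = {
    "FileType": "CL_TYPE_PDF",
    "FileParentType": "",
    "FileMD5": "0" * 32,
    "Yara": [],
    "ContainedObjects": [
        {
            "FileType": "CL_TYPE_OOXML_WORD",
            "FileParentType": "->CL_TYPE_PDF",
            "FileMD5": "1" * 32,
            "Yara": [{"Contains_VBA_macro_code": {
                "description": "Detect a MS Office document with embedded VBA macro code",
                "score": 4}}],
            "ContainedObjects": [
                {
                    "FileType": "CL_TYPE_MSOLE2",
                    "FileParentType": "->CL_TYPE_PDF->CL_TYPE_OOXML_WORD",
                    "FileMD5": "2" * 32,
                    "Yara": [
                        {"Autorun_VBA_OFFICE": {"description": "Macro autorun", "score": 4}},
                        {"Download_Vba_OFFICE": {
                            "description": "Macro use download function with AutoOpen",
                            "score": 6}},
                    ],
                    "ContainedObjects": [],
                },
                {
                    "FileType": "CL_TYPE_GRAPHICS",
                    "FileParentType": "->CL_TYPE_PDF->CL_TYPE_OOXML_WORD",
                    "FileMD5": "3" * 32,
                    "Yara": [],
                },
            ],
        }
    ],
}

# Constructed coefficient table (assumed format): weight applied to each rule
# when its score is folded into the global score; "default" covers the rest.
SAMPLE_COEF = {"Download_Vba_OFFICE": 1.5, "Autorun_VBA_OFFICE": 1.0, "default": 0.5}


def rule_matches(node):
    """Yield (rule_name, score) for every YARA match recorded on this node."""
    for match in node.get("Yara", []):
        for rule_name, info in match.items():
            yield rule_name, int(info.get("score", 0))


def node_risk(node):
    """Per-node RiskScore: the highest score among the rules matched on that node."""
    return max((score for _, score in rule_matches(node)), default=0)


def walk(node, depth=0):
    """Depth-first traversal yielding (depth, node) for the node and its children."""
    yield depth, node
    for child in node.get("ContainedObjects", []):
        yield from walk(child, depth + 1)


def annotate(tree):
    """Set RiskScore on every node and lift the tree-wide maximum to the root."""
    top = 0
    for _, node in walk(tree):
        node["RiskScore"] = node_risk(node)
        top = max(top, node["RiskScore"])
    tree["RiskScoreMax"] = top  # assumed field name for the tree-level maximum
    return top


def global_score(tree, coef):
    """Combine every distinct rule hit into one 0..10 score using coefficients.

    Constructed formula (an assumption, not the tool's): the top score counts in
    full, each other distinct rule adds coef * score / 10, and the sum is capped at 10.
    """
    seen = {}
    for _, node in walk(tree):
        for rule_name, score in rule_matches(node):
            seen[rule_name] = max(seen.get(rule_name, 0), score)
    if not seen:
        return 0.0
    ordered = sorted(seen.items(), key=lambda kv: kv[1], reverse=True)
    total = float(ordered[0][1])
    for rule_name, score in ordered[1:]:
        total += coef.get(rule_name, coef["default"]) * score / 10
    return round(min(total, 10.0), 2)


def suspicious_paths(tree, threshold=4):
    """List (type chain, rule names) for nodes whose RiskScore meets the threshold."""
    hits = []
    for _, node in walk(tree):
        if node.get("RiskScore", 0) >= threshold:
            chain = node["FileParentType"] + "->" + node["FileType"]
            hits.append((chain, sorted(r for r, _ in rule_matches(node))))
    return hits


if __name__ == "__main__":
    print("max rule score in tree:", annotate(SAMPLE_TREE))
    print("global score:", global_score(SAMPLE_TREE, SAMPLE_COEF))
    for chain, rules in suspicious_paths(SAMPLE_TREE):
        print(chain, rules)
```

On the sample tree the MSOLE2 node gets RiskScore 6 (its Download_Vba_OFFICE hit), the OOXML node gets 4, and the lifted maximum is 6; the global score adds the two remaining distinct hits on top of that maximum. A real run would load the `-j` JSON file in place of SAMPLE_TREE, and `suspicious_paths` is the part an analyst reads first, since the FileParentType chain tells you how deep the macro container sits inside the PDF.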
My Docker container includes static analysis tools and other tools for deeper analysis when YARA rules match:
Special tools
Decompiler
Emulator/sandbox
Debugger/DBI
Others
You can use other tools that are not included in my Docker container:
Static analysis by clamav and yara rules -- Contact: [email protected]
Usage: analysis.py [-c /usr/local/bin/clamscan] [-d /tmp/extract_emmbedded] [-p pattern.db] [-s /tmp/graph.png] [-j /tmp/result.json] [-m coef_path] [-g] [-v] [-b password.pwdb] [-i /usr/bin/tesseract] [-l fra] [-V API_KEY_VT] [-J] [-O] -f/-u path_filename/URL -y yara_rules_path1/ -a yara_rules_path2/
-h/--help : for help to use
-f/--filename= : path of filename to analysis
-u/--url= : url analysis use thug
-y/--yara_rules_path= : path of rules yara level 1
-a/--yara_rules_path2= : path of rules yara level 2
-p/--pattern= : path of pattern filename for data miner
-b/--password= : path of password clamav (.pwdb see: https://blog.didierstevens.com/2017/02/15/quickpost-clamav-and-zip-file-decryption/)
-c/--clamscan_path= : path of binary clamscan [>=0.99.3]
-m/--coef_path= : path of coef config file
-d/--directory_tmp= : path of directory to extract emmbedded file(s)
-j/--json_save= : path filename where save json result (JSON)
-i/--image= : path of 'tesseract' for analysis on potential social engenering by image
-J/--java_decomp : Java decompile class/jar with procyon (apt-get install procyon-decompiler)
-l/--lang_image= : 'tesseract' lang ocr extratc (eng, fra, ...)
-g/--graph : generate graphe of analyz
-s/--save_graph= : path filename where save graph (PNG)
-O/--osint : active OSINT (hash, filename, domaine, url)
OSINT hybridanalisys env key: HYBRID_KEY
OTX env key: OTX_KEY
XFORCE env key: XFORCE_KEY & env pass: XFORCE_PASS
VirusTotal env key: VT_KEY
MISP env key: MISP_KEY & MISP env host: MISP_HOST
INTEZER env key: INTEZER_KEY
-r/--remove= : remove tempory files
-V/--virustotal= : API Key
-v/--verbose= : verbose mode
example: analysis.py -c ./clamav-devel/clamscan/clamscan -f /home/analyz/strange/invoice.rtf -y /home/analyz/yara_rules1/ -a /home/analyz/yara_rules2/ -b /home/analyz/password.pwdb -i /usr/bin/tesseract -l fra -g -O
example: analysis.py -c ./clamav-devel/clamscan/clamscan -u www.exploitkit.top/id?000 -y /home/analyz/yara_rules1/ -a /home/analyz/yara_rules2/ -b /home/analyz/password.pwdb -i /usr/bin/tesseract -l fra -g -O
lionel@local:~/static_analysis$ python3 analysis.py -c clamav-devel/clamscan/clamscan -y yara_rules1/ -a yara_rules2/ -j /tmp/log.json -p pattern.db -g -f tests/pdf/jaff.pdf
Static analysis by clamav and yara rules -- Contact: [email protected]
Create directory temp for emmbedded file: /tmp/tmpUee2rj
Extract emmbedded file(s) with clamav...
Analyz result...
Find resultat in json file:/tmp/tmpUee2rj/clamav-028bf4c91d9aac94faca83886b9286c2.tmp...
Phase one finish!

{
"ContainedObjects" : [
{
"ContainedObjects" : [
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/package/2006/content-types " ><Default', 't') "
}
],
"FileMD5" : " ac4128108023cf8d9a6233069bd79f7a " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 1636 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.000 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/package/2006/relationships " ><Relationship', 'p') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument " ', ' " ') "
}
],
"FileMD5" : " 77bf61733a633ea617a4db76ef769a4d " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 590 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.001 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/package/2006/relationships " ><Relationship', 'p') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/customXml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/2006/relationships/vbaProject " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/image " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings " ', ' " ') "
}
],
"FileMD5" : " 83bb79d7c3592786e13acb56729962ce " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 1213 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.002 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/drawing/2014/chartex " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/markup-compatibility/2006 " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/math " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/wordprocessingml/2006/main " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2012/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2015/wordml/symex " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingGroup " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingInk " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2006/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingShape " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/drawingml/2006/main " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/drawingml/2006/main " ><a:graphicData', 'a') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/drawingml/2006/picture " ><pic:pic', 'c') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/drawingml/2006/picture " ><pic:nvPicPr><pic:cNvPr', 'r') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/drawing/2010/main " ', ' " ') "
}
],
"FileMD5" : " 452348b0a8f499c7f125ba299731db0a " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 4362 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.003 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/package/2006/relationships " ><Relationship', 'p') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/2006/relationships/wordVbaData " ', ' " ') "
}
],
"FileMD5" : " dd79e6440b0515bfcf771c2c5286a2c8 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 277 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.004 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ContainedObjects" : [
{
"ExtractInfo" : [],
"FileMD5" : " 1b51a805a2682c24956f156ff25370ff " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 292 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000010/cbff003cd69100e2ee9bd33df50c21ed_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000010/cbff003cd69100e2ee9bd33df50c21ed_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http:// \ x00 \ xec', ' \ xec') "
}
],
"FileMD5" : " 0df7f5507fcccc3bc22787fe7872e97a " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 584 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000010/d95679752134a2d9eb61dbd7b91c4bcc_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000010/d95679752134a2d9eb61dbd7b91c4bcc_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [],
"FileMD5" : " 8b485527ad9d96fe72d3fba385f0ad95 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 97 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000010/88144fbcb62650fa72c360688f4772c7_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000010/88144fbcb62650fa72c360688f4772c7_0 "
],
"RiskScore" : 5 ,
"Yara" : [
{
"OLE_EMBEDDED_OFFICE" : {
"description" : " MS Forms Embedded object " ,
"score" : 5
}
}
]
},
{
"ExtractInfo" : [],
"FileMD5" : " 711e41c84dfaa4cbd891ef22cc4e4670 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 599 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000010/8fa14cdd754f91cc6554c9e71929cce7_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000010/8fa14cdd754f91cc6554c9e71929cce7_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"EMAIL" : " ('Templat@eDeriv', '') "
}
],
"FileMD5" : " 8a01d7813c6dc6dddf8398f15e45756f " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 1897 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/5f51988f4ee5c4069990859c24855c57_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/5f51988f4ee5c4069990859c24855c57_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [],
"FileMD5" : " fcc31d50fc38f37137eb5b2cf2992049 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 1504 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/bad8252681321a1d94d0718a0815fac9_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/bad8252681321a1d94d0718a0815fac9_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"EMAIL" : " ('OptionButton1k@0', '') "
},
{
"EMAIL" : " ('OptionButton2l@0', '') "
}
],
"FileMD5" : " 0eed2de1ef79e6ce4a26385fd5179d5e " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 6394 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/ae4f6474bee50ccdf1a6b853ba8ad32a_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/ae4f6474bee50ccdf1a6b853ba8ad32a_0 "
],
"RiskScore" : 4 ,
"Yara" : [
{
"Autorun_VBA_OFFICE" : {
"description" : " Macro autorun " ,
"score" : 4
}
}
]
},
{
"ExtractInfo" : [
{
"EMAIL" : " ('Hr2d2_@c3po', '') "
},
{
"EMAIL" : " ('cF@reshID', '') "
},
{
"EMAIL" : " ('ob@jWMISe', '') "
}
],
"FileMD5" : " 828a327f1ddc838d4a8c19619cebfee8 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 3030 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/007ccaa83aa7674f1166352c3605b85c_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/007ccaa83aa7674f1166352c3605b85c_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"EMAIL" : " ('tp@d', '') "
}
],
"FileMD5" : " c81239f4227f76858b5e2a5bd59afa0e " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 9634 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/a63bcda17f702e84c1b7056f6d8c5f3a_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/a63bcda17f702e84c1b7056f6d8c5f3a_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"EMAIL" : " ('SF@Cs', '') "
},
{
"EMAIL" : " ('VBE@a', '') "
}
],
"FileMD5" : " 54c9cc25c5082fee750c4e05196a595b " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 945 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/736007832d2167baaae763fd3a3f3cf1_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/736007832d2167baaae763fd3a3f3cf1_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [],
"FileMD5" : " d34c4883d74d420deb12df91f806b869 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 1158 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/69bb302a1ba85bde463b0b6faaea307a_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/69bb302a1ba85bde463b0b6faaea307a_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"EMAIL" : " ('co,lI@BA', '') "
},
{
"EMAIL" : " ('agReturn@Immedi', '') "
},
{
"EMAIL" : " ('Vb@Method', '') "
},
{
"EMAIL" : " ('[email protected]', '') "
}
],
"FileMD5" : " 0ceca08df2cc3d69bdf6852ca2e341ce " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 6783 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/f9cce95db5c816a935906a713c78aff5_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/f9cce95db5c816a935906a713c78aff5_0 "
],
"RiskScore" : 5 ,
"Yara" : [
{
"Filesystem_Vba_OFFICE" : {
"description" : " Macro acces file system object with AutoOpen " ,
"score" : 5
}
}
]
},
{
"ExtractInfo" : [],
"FileMD5" : " 504c824e56e508c488c2f87a63d847d9 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 155 ,
"FileType" : " CL_TYPE_BINARY_DATA " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/7fdc011725f5de6d8e10d5fc95398f30_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/7fdc011725f5de6d8e10d5fc95398f30_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [],
"FileMD5" : " f2a98e8d16b27939c3cbdef3bebbdc1c " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2||||->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 666 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/46f86faa6bbf9ac94a7e459509a20ed0_0 " ,
" /tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/46f86faa6bbf9ac94a7e459509a20ed0_0 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ContainedObjects" : [],
"ExtractInfo" : [],
"FileMD5" : " bcbe7dbf9f99c4e0e534c3a2ac4f6ab4 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2 " ,
"FileSize" : 382 ,
"FileType" : " CL_TYPE_UNKNOWN " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-48b2068c734e0dd2524018b91bdc11f1.tmp "
],
"RiskScore" : 4 ,
"Yara" : [
{
"Autorun_VBA_OFFICE" : {
"description" : " Macro autorun " ,
"score" : 4
}
}
]
},
{
"ContainedObjects" : [],
"ExtractInfo" : [],
"FileMD5" : " ef4e50431c649c188d1a98d2f303d7a5 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2 " ,
"FileSize" : 340 ,
"FileType" : " CL_TYPE_UNKNOWN " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-e2dd3b37165650823319a0a29d38ef8f.tmp "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ContainedObjects" : [],
"ExtractInfo" : [],
"FileMD5" : " 0d51f172a35e98a1bb73438b694e52ab " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2 " ,
"FileSize" : 650 ,
"FileType" : " CL_TYPE_UNKNOWN " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-9ccce68e0439e9037ff734e27b28b998.tmp "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ContainedObjects" : [],
"ExtractInfo" : [],
"FileMD5" : " 95a55e38861c99daf23ce36d40a101d9 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2 " ,
"FileSize" : 5682 ,
"FileType" : " CL_TYPE_UNKNOWN " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-f1a4e0a4bbef215ddbd1d85d2681e7bd.tmp "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ContainedObjects" : [],
"ExtractInfo" : [],
"FileMD5" : " 6ed1b03a4828d15bca41ac0d6604e763 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2 " ,
"FileSize" : 1240 ,
"FileType" : " CL_TYPE_UNKNOWN " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-a5674c419d8687d2de2fb5db2fafc049.tmp "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ContainedObjects" : [],
"ExtractInfo" : [],
"FileMD5" : " 621e099c1b10736db897668de89afb0b " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_MSOLE2 " ,
"FileSize" : 3384 ,
"FileType" : " CL_TYPE_UNKNOWN " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-f1803c916e78e329874565085182796e.tmp "
],
"RiskScore" : 5 ,
"Yara" : [
{
"Filesystem_Vba_OFFICE" : {
"description" : " Macro acces file system object with AutoOpen " ,
"score" : 5
}
}
]
}
],
"ExtractInfo" : [
{
"EMAIL" : " ('Templat@eDeriv', '') "
},
{
"EMAIL" : " ('tp@d', '') "
},
{
"EMAIL" : " ('Hr2d2_@c3po', '') "
},
{
"EMAIL" : " ('cF@reshID', '') "
},
{
"EMAIL" : " ('ob@jWMISe', '') "
},
{
"EMAIL" : " ('SF@Cs', '') "
},
{
"EMAIL" : " ('co,lI@BA', '') "
},
{
"EMAIL" : " ('agReturn@Immedi', '') "
},
{
"EMAIL" : " ('Vb@Method', '') "
},
{
"EMAIL" : " ('[email protected]', '') "
},
{
"EMAIL" : " ('OptionButton1k@0', '') "
},
{
"EMAIL" : " ('OptionButton2l@0', '') "
},
{
"EMAIL" : " ('VBE@a', '') "
},
{
"URI" : " ('http:// \ x00 \ xec', ' \ xec') "
}
],
"FileMD5" : " d45c11614628b38df9301bccf18c67f4 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 39936 ,
"FileType" : " CL_TYPE_MSOLE2 " ,
"HasMacros" : true ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.005 "
],
"RiskScore" : 5 ,
"Streams" : [
" o " ,
" _1_compobj " ,
" _3_vbframe " ,
" f " ,
" projectwm " ,
" window1 " ,
" thisdocument " ,
" _vba_project " ,
" module1 " ,
" module3 " ,
" module2 " ,
" strix " ,
" dir " ,
" project "
],
"Yara" : [
{
"Autorun_VBA_OFFICE" : {
"description" : " Macro autorun " ,
"score" : 4
}
},
{
"OLE_EMBEDDED_OFFICE" : {
"description" : " MS Forms Embedded object " ,
"score" : 5
}
},
{
"Contains_VBA_macro_code" : {
"description" : " Detect a MS Office document with embedded VBA macro code " ,
"score" : 4
}
},
{
"Filesystem_Vba_OFFICE" : {
"description" : " Macro acces file system object with AutoOpen " ,
"score" : 5
}
}
]
},
{
"ExtractInfo" : [
{
"EMAIL" : " ('Im,@K', '') "
},
{
"IPV6" : " :: "
}
],
"FileMD5" : " e932c3ba84ba2136bbe887b1254afb01 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 20595 ,
"FileType" : " CL_TYPE_GRAPHICS " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.006 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/drawingml/2006/main " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/thememl/2012/main " ', ' " ') "
}
],
"FileMD5" : " 3191d541839e4d100931377c4c66e0a1 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 6850 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.007 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/markup-compatibility/2006 " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/math " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/wordprocessingml/2006/main " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2012/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2015/wordml/symex " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/schemaLibrary/2006/main " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word " ', ' " ') "
}
],
"FileMD5" : " 0e05f5fa4d7d9ba3d121e3256b258612 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 10483 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.008 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/drawing/2014/chartex " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/markup-compatibility/2006 " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/math " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/wordprocessingml/2006/main " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2012/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2015/wordml/symex " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingGroup " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingInk " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2006/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordprocessingShape " ', ' " ') "
}
],
"FileMD5" : " 50cc63ff6a12de92356de52f57adf3e3 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 1828 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.009 "
],
"RiskScore" : 4 ,
"Yara" : [
{
"Autorun_VBA_OFFICE" : {
"description" : " Macro autorun " ,
"score" : 4
}
}
]
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/package/2006/relationships " ><Relationship', 'p') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships/customXmlProps " ', ' " ') "
}
],
"FileMD5" : " 7e5e23715ab49ce56f9130d4c6534a30 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 296 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.010 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/customXml " ><ds:schemaRefs><ds:schemaRef', 'f') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/bibliography " /></ds:schemaRefs></ds:datastoreItem>', '') "
}
],
"FileMD5" : " 17882ebab97c0d9c2098e1e489d6b49c " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 341 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.011 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/bibliography " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/bibliography " ', ' " ') "
}
],
"FileMD5" : " 217ee5ba5f9835428ff1ab7501faf018 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 306 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.012 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/extended-properties " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes " ><Template>Normal.dotm</Template><TotalTime>0</TotalTime><Pages>2</Pages><Words>1</Words><Characters>6</Characters><Application>Microsoft', 't') "
}
],
"FileMD5" : " e4dc388c5b665ba7030de6e50cde8add " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 993 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.013 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/package/2006/metadata/core-properties " ', ' " ') "
},
{
"URI" : " ('http://purl.org/dc/elements/1.1/ " ', ' " ') "
},
{
"URI" : " ('http://purl.org/dc/terms/ " ', ' " ') "
},
{
"URI" : " ('http://purl.org/dc/dcmitype/ " ', ' " ') "
},
{
"URI" : " ('http://www.w3.org/2001/XMLSchema-instance " ><dc:title></dc:title><dc:subject></dc:subject><dc:creator>1</dc:creator><cp:keywords></cp:keywords><dc:description></dc:description><cp:lastModifiedBy>1</cp:lastModifiedBy><cp:revision>2</cp:revision><dcterms:created', 'd') "
}
],
"FileMD5" : " abd46fbaf5ad78913bc85bfe69385a8c " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 959 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.014 "
],
"RiskScore" : 6 ,
"Yara" : [
{
"XMLHTTP_Vba_OFFICE" : {
"description" : " Macro use XMLHTTP " ,
"score" : 4
}
},
{
"Download_Vba_OFFICE" : {
"description" : " Macro use download function with AutoOpen " ,
"score" : 6
}
}
]
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/markup-compatibility/2006 " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/wordprocessingml/2006/main " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2012/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2015/wordml/symex " ', ' " ') "
}
],
"FileMD5" : " 3cdd557e84bbb1f9815c181f8ed4c245 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 29715 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.015 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/markup-compatibility/2006 " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/wordprocessingml/2006/main " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2012/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2015/wordml/symex " ', ' " ') "
}
],
"FileMD5" : " d6147024db17aa5d980f14b31fb1461f " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 1299 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.016 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [
{
"URI" : " ('http://schemas.openxmlformats.org/markup-compatibility/2006 " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/officeDocument/2006/relationships " ', ' " ') "
},
{
"URI" : " ('http://schemas.openxmlformats.org/wordprocessingml/2006/main " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2010/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2012/wordml " ', ' " ') "
},
{
"URI" : " ('http://schemas.microsoft.com/office/word/2015/wordml/symex " ', ' " ') "
}
],
"FileMD5" : " 261ba76e04bd8ddbd0f4e7a50d02f4c7 " ,
"FileParentType" : " ->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII " ,
"FileSize" : 576 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.017 "
],
"RiskScore" : 0 ,
"Yara" : []
}
],
"CoreProperties" : {
"Attributes" : {
"cp" : " http://schemas.openxmlformats.org/package/2006/metadata/core-properties " ,
"dc" : " http://purl.org/dc/elements/1.1/ " ,
"dcmitype" : " http://purl.org/dc/dcmitype/ " ,
"dcterms" : " http://purl.org/dc/terms/ " ,
"xsi" : " http://www.w3.org/2001/XMLSchema-instance "
},
"Author" : {
"Value" : [
1
]
},
"ContentStatus" : {
"Value" : [
" Microsoft.XMLHTTPLOVEISAdodb.streaMLOVEISshell.ApplicationLOVEISWscript.shellLOVEISProcessLOVEISGeTLOVEISTeMPLOVEISTypeLOVEISopenLOVEISwriteLOVEISresponseBodyLOVEISsavetofileLOVEIS \ drefudre.exe "
]
},
"Created" : {
"Value" : [
" 2017-05-15T09:18:00Z "
]
},
"Description" : {},
"Keywords" : {},
"LastAuthor" : {
"Value" : [
1
]
},
"Modified" : {
"Value" : [
" 2017-05-15T09:18:00Z "
]
},
"Revision" : {
"Value" : [
2
]
},
"Subject" : {},
"Title" : {}
},
"CorePropertiesFileCount" : 1 ,
"ExtendedProperties" : {
"AppVersion" : {
"Value" : [
" 16.0000 "
]
},
"Application" : {
"Value" : [
" Microsoft Office Word "
]
},
"Attributes" : {
"vt" : " http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes " ,
"xmlns" : " http://schemas.openxmlformats.org/officeDocument/2006/extended-properties "
},
"Characters" : {
"Value" : [
6
]
},
"CharactersWithSpaces" : {
"Value" : [
6
]
},
"Company" : {},
"DocSecurity" : {
"Value" : [
0
]
},
"HyperlinksChanged" : {
"Value" : [
false
]
},
"Lines" : {
"Value" : [
1
]
},
"LinksUpToDate" : {
"Value" : [
false
]
},
"Pages" : {
"Value" : [
2
]
},
"Paragraphs" : {
"Value" : [
1
]
},
"ScaleCrop" : {
"Value" : [
false
]
},
"SharedDocs" : {
"Value" : [
false
]
},
"Template" : {
"Value" : [
" Normal.dotm "
]
},
"TotalTime" : {
"Value" : [
0
]
},
"Words" : {
"Value" : [
1
]
}
},
"ExtendedPropertiesFileCount" : 1 ,
"ExtractInfo" : [
{
"EMAIL" : " ('Im,@K', '') "
},
{
"IPV6" : " :: "
},
{
"IPV6" : " :: "
},
{
"IPV6" : " :: "
}
],
"FileMD5" : " f115d1fe4f579841c054b03d1ba29c97 " ,
"FileParentType" : " ->CL_TYPE_PDF " ,
"FileSize" : 55486 ,
"FileType" : " CL_TYPE_OOXML_WORD " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf00_01i "
],
"RiskScore" : 4 ,
"Yara" : [
{
"Contains_VBA_macro_code" : {
"description" : " Detect a MS Office document with embedded VBA macro code " ,
"score" : 4
}
}
]
},
{
"ExtractInfo" : [
{
"URI" : " ( " http://www.geoplugin.net/json.gp?jsoncallback=JSON_CALLBACK').then(function " , 'n') "
}
],
"FileMD5" : " 4f1d0119bae3797e905b2e8f2f92df90 " ,
"FileParentType" : " ->CL_TYPE_PDF " ,
"FileSize" : 6432 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf01_01i "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [],
"FileMD5" : " 19874245d5e732f1073758e3a9431e5d " ,
"FileParentType" : " ->CL_TYPE_PDF " ,
"FileSize" : 67 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf03_01i "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ExtractInfo" : [],
"FileMD5" : " caf34a525d2c871e6df8233afb84beea " ,
"FileParentType" : " ->CL_TYPE_PDF " ,
"FileSize" : 16 ,
"FileType" : " CL_TYPE_TEXT_ASCII " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf04 "
],
"RiskScore" : 0 ,
"Yara" : []
},
{
"ContainedObjects" : [],
"ExtractInfo" : [],
"FileMD5" : " d41d8cd98f00b204e9800998ecf8427e " ,
"FileParentType" : " ->CL_TYPE_PDF " ,
"FileSize" : 0 ,
"FileType" : " CL_TYPE_UNKNOWN " ,
"PathFile" : [
" /tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf02 "
],
"RiskScore" : 0 ,
"Yara" : []
}
],
"ExtractInfo" : [
{
"EMAIL" : " ('Z7@0j', '') "
}
],
"FileMD5" : " eb680f46c268e6eac359b574538de569 " ,
"FileSize" : 53257 ,
"FileType" : " CL_TYPE_PDF " ,
"GlobalRiskScore" : 6 ,
"GlobalRiskScoreCoef" : 1 ,
"Magic" : " CLAMJSONv0 " ,
"PDFStats" : {
"CreationDate" : " D:20170515122212+03'00' " ,
"Creator" : " 8026155 " ,
"DeflateObjectCount" : 4 ,
"EmbeddedFileCount" : 1 ,
"ImageCount" : 1 ,
"JavaScriptObjectCount" : 3 ,
"JavascriptObjects" : [
7 ,
13 ,
14
],
"ModificationDate" : " D:20170515122212+03'00' " ,
"ObjectsWithoutDictionaries" : [
3
],
"OpenActionCount" : 1 ,
"PDFVersion" : " 1.4 " ,
"PageCount" : 1 ,
"Producer" : " u5469u7865u5374u6168u7072u2092u2e35u2e35u3031ua920u3032u3030u322du3130u2036u5469u7865u2074u7247 "
},
"RiskScore" : 0 ,
"RootFileType" : " CL_TYPE_PDF " ,
"TempDirExtract" : " /tmp/tmpUee2rj " ,
"Yara" : []
}

Recompile clamav with JSON options and HARDENING compilation:
./remake_clamav.sh

Docker:
git clone https://github.com/lprat/static_file_analysis
cd static_file_analysis/docker
mkdir /tmp/samples && cp file_to_analyz.pdf /tmp/samples
docker-compose run sfa
$python3 analysis.py -c ./clamav-devel/clamscan/clamscan -f samples/file_to_analyz.pdf -y yara_rules1/ -a yara_rules2/ -b password.pwdb -i /usr/bin/tesseract -l fra -g -O -v &> /tmp/log

Docker with API:
git clone https://github.com/lprat/static_file_analysis
cd static_file_analysis/docker
# edit docker-compose_api.yml and change ENV APIKEY & UPDATE PROXY (if needed)
docker-compose -f docker-compose_api.yml run sfa
To write Yara rules for this tool, you must use the meta field:
You can use external variables compiled with the clamav context, which the Python script (analysis.py) passes to Yara:
Check the yara_rules path for samples!
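As an added example (not code from the static_file_analysis project), a small Python triage helper for a result.json tree in the format printed above: it walks the nested ContainedObjects, collects every Yara match with its meta score, and reports the maximum per-file RiskScore that the tool propagates to the top of the tree. The sample document is constructed inline from the fields shown in that output.

```python
import json
# Constructed sample in the result.json layout shown above: embedded files nest
# under "ContainedObjects"; every node carries FileType, FileParentType, FileMD5,
# RiskScore and its Yara matches (rule name -> {description, score}).
SAMPLE_RESULT = json.dumps({
    "Magic": "CLAMJSONv0", "RootFileType": "CL_TYPE_PDF", "FileType": "CL_TYPE_PDF",
    "FileMD5": "eb680f46c268e6eac359b574538de569", "RiskScore": 0, "Yara": [],
    "ContainedObjects": [
        {"FileType": "CL_TYPE_OOXML_WORD", "FileParentType": "->CL_TYPE_PDF",
         "FileMD5": "f115d1fe4f579841c054b03d1ba29c97", "RiskScore": 4,
         "Yara": [{"Contains_VBA_macro_code": {
             "description": "Detect a MS Office document with embedded VBA macro code",
             "score": 4}}],
         "ContainedObjects": [
             {"FileType": "CL_TYPE_TEXT_ASCII", "FileMD5": "261ba76e04bd8ddbd0f4e7a50d02f4c7",
              "FileParentType": "->CL_TYPE_PDF->CL_TYPE_OOXML_WORD->CL_TYPE_TEXT_ASCII",
              "RiskScore": 0, "Yara": []}]},
        {"FileType": "CL_TYPE_TEXT_ASCII", "FileParentType": "->CL_TYPE_PDF",
         "FileMD5": "4f1d0119bae3797e905b2e8f2f92df90", "RiskScore": 0, "Yara": []},
    ],
})

def walk(node):
    """Depth-first over the root file and every nested ContainedObjects entry."""
    yield node
    for child in node.get("ContainedObjects", []):
        yield from walk(child)

def yara_hits(tree):
    """(FileMD5, rule name, score) for every Yara match anywhere in the tree."""
    hits = []
    for node in walk(tree):
        for match in node.get("Yara", []):  # each match is {rule_name: meta}
            for rule, meta in match.items():
                hits.append((node.get("FileMD5", ""), rule, int(meta.get("score", 0))))
    return hits

def triage(text):
    """Parse a result.json document and return what an analyst checks first."""
    tree = json.loads(text)
    nodes = list(walk(tree))
    scored = [n for n in nodes if int(n.get("RiskScore", 0)) > 0]
    return {
        "root": tree.get("RootFileType"),
        "embedded": len(nodes) - 1,  # every extracted file except the root
        "max_risk": max(int(n.get("RiskScore", 0)) for n in nodes),
        "hits": yara_hits(tree),
        "suspicious": [(n["FileType"], n.get("FileParentType", "")) for n in scored],
    }
```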
I added this tool to the CRITs services. I opened a pull request on the CRITs services repository, but it has not been validated yet, so for now you can use my GitHub repository.
Collaborative Research Into Threats - CRITs
CRITs services on GitHub
My GitHub account with the modified CRITs services
Run docker-compose or docker run to launch the API (docker lprat sfa on cloud):
docker-compose -f ./docker-compose_api.yml up -d
or
docker run -ti -e "API_KEY=myapikey" -p 8000:8000 docker_sfa
With your favorite browser, go to https://$IP:8000/
Run docker-compose or docker run to launch the API (docker lprat sfa on cloud):
docker-compose -f ./docker-compose_api.yml up -d
or
docker run -ti -e "API_KEY=myapikey" -p 8000:8000 docker_sfa
Request on port 8000:
Check File:
curl -k -F 'file=@/home/lionel/malwares/calc.xll' -H "x-api-key: mykeyapi" https://127.0.0.1:8000/api/sfa_check_file
Check URL:
curl -k --header "Content-Type: application/json" --request POST --data '{"url":"http://www.google.fr"}' -H "x-api-key: mykeyapi" https://127.0.0.1:8000/api/sfa_check_url
Return JSON:
{"graph.png":"/download/700c4644ec40bfdada4502ffd5cb1411","result.json":"/download/9b9c453dc45b665c596b0f58c1c272b1","risk_score":4,"trace-serr.debug":"/download/d41d8cd98f00b204e9800998ecf8427e","trace-sout.debug":"/download/ef59eb8e65035a1064c1c32565bc0e74","ef59eb8e65035a1064c1c32565bc0000":"/download/ef59eb8e65035a1064c1c32565bc000"}
"ef59eb8e65035a1064c1c32565bc0000": the key is the MD5 of an embedded file and its value is the download path for that file
Download an embedded file / result.json / graph / ...:
curl -k -X 'POST' -H "x-api-key: mykeyapi" https://127.0.0.1:8000/download/ef59eb8e65035a1064c1c32565bc0000
Example configuration for Nginx (TLS reverse proxy in front of the API container):
server {
    listen $IP:443 ssl;
    server_name sfa.$yourdomain;
    # Server certificate for the TLS listener (placeholder paths)
    ssl_certificate /etc/nginx/ssl/sfa.crt;
    ssl_certificate_key /etc/nginx/ssl/sfa.key;

    location / {
        # Option 1: client certificate auth. Also needs ssl_client_certificate and
        # ssl_verify_client in the server block; $ssl_client_s_dn_cn is not a built-in
        # variable, derive it from $ssl_client_s_dn with a map. Deny unless the client
        # certificate verified and its CN is the allowed one.
        # if ($ssl_client_verify != SUCCESS) {
        #     return 403;
        # }
        # if ($ssl_client_s_dn_cn != "NAME-On-Cert") {
        #     return 403;
        # }
        # Option 2: login/password auth
        # auth_basic "Authentication";
        # auth_basic_user_file /etc/nginx/.passwdweb;
        proxy_pass_request_headers on;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        # Docker bridge IP of the host; the API container publishes port 8000
        proxy_pass https://172.17.0.1:8000;
    }
}
The Sigma_Rules directory contains rules in Sigma format for detecting files that should be sent for analysis.