def test_lnk2_generic(self):
s = Static()
s.set_task({
"category": "file",
"package": "generic",
"target": "lnk_2.lnk",
})
s.file_path = "tests/files/lnk_2.lnk"
assert "elf" not in s.run()
def test_pdf_metadata(self):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf-sample.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf-sample.pdf"
obj = s.run()["pdf"]
assert len(obj) == 2
assert obj[1] == {
"author": "cdaily",
"creation": "D:20000629102108+11'00'",
"creator": "Microsoft Word 8.0",
"javascript": [],
"modification": "2013-10-28T15:24:13-04:00",
"producer": "Acrobat Distiller 4.0 for Windows",
"subject": "",
"title": "This is a test PDF file",
"urls": [],
"version": 1,
}
def init(package, *filename):
id_ = task_id()
init_analysis(id_, package, *filename)
init_yara()
s = Static()
s.set_task({
"id": id_,
"category": "file",
"package": package,
"target": filename[-1],
})
s.file_path = cwd("binary", analysis=id_)
e = ExtractManager.for_task(id_)
return s.run(), e.results()
def test_summary_office2(self, p, request):
s = Static()
s.set_task({
"category": "file",
"package": "doc",
"target": "createproc1.docm",
})
s.file_path = "tests/files/createproc1.docm"
p._get_report.return_value = {
"static": s.run(),
}
r = AnalysisRoutes.detail(request, 1, "static").content
assert "ThisDocument" in r
assert "Sub AutoOpen" in r
assert "process.Create" in r
assert "notepad.exe" in r
def test_lnk2(self):
s = Static()
s.set_task({
"category": "file",
"package": "lnk",
"target": "lnk_2.lnk",
})
s.file_path = "tests/files/lnk_2.lnk"
obj = s.run()["lnk"]
assert obj["basepath"] == "C:\\Windows\\System32\\cmd.exe"
assert obj["flags"] == {
"cmdline": True, "description": True, "icon": True,
"references": True, "relapath": True, "shellidlist": True,
"workingdir": True,
}
assert "digitale" in obj["description"]
assert obj["icon"] == "C:\\Windows\\System32\\write.exe"
assert "cmd.exe" in obj["relapath"]
assert "bitsadmin.exe" in obj["cmdline"]
assert "/transfer" in obj["cmdline"]
def test_lnk1(self):
s = Static()
s.set_task({
"category": "file",
"package": "lnk",
"target": "lnk_1.lnk",
})
s.file_path = "tests/files/lnk_1.lnk"
obj = s.run()["lnk"]
assert obj["basepath"] == "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
assert obj["flags"] == {
"cmdline": True, "description": True, "icon": True,
"references": True, "relapath": True, "shellidlist": True,
"workingdir": False,
}
assert obj["description"] == "windows photo viewer"
assert "shell32.dll" in obj["icon"]
assert "powershell.exe" in obj["relapath"]
assert "-NoProfile" in obj["cmdline"]
assert "eABlACIA" in obj["cmdline"]
def test_phishing0_pdf(self):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "phishing0.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/phishing0.pdf"
assert "googleattachmentsigned" in s.run()["pdf"][0]["urls"][0]
def test_lnk1(self):
s = Static()
s.set_task({
"category": "file",
"package": "lnk",
"target": "lnk_1.lnk",
})
s.file_path = "tests/files/lnk_1.lnk"
obj = s.run()["lnk"]
assert obj[
"basepath"] == "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
assert obj["flags"] == {
"cmdline": True,
"description": True,
"icon": True,
"references": True,
"relapath": True,
"shellidlist": True,
"workingdir": False,
}
assert obj["description"] == "windows photo viewer"
assert "shell32.dll" in obj["icon"]
assert "powershell.exe" in obj["relapath"]
assert "-NoProfile" in obj["cmdline"]
assert "eABlACIA" in obj["cmdline"]
def test_pdf(self):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf0.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf0.pdf"
r = s.run()["pdf"][0]
assert "var x = unescape" in r["javascript"][0]["orig_code"]
def test_pdf_stringjs(self):
set_cwd(self.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf1-stringjs.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf1-stringjs.pdf"
r = s.run()["pdf"][12]
assert "app.alert({" in r["javascript"][0]["orig_code"]
def test_pdf_workercrash(self, md):
set_cwd(self.mkdtemp())
md.return_value = None
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf0.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf0.pdf"
r = s.run()
assert r["pdf"] == []
def test_pdf_ignorefake(self):
set_cwd(self.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "fakepdf.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/fakepdf.pdf"
assert s.run() == {
"pdf": [],
}
def test_archive_pdf(self):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "archive",
"package": "pdf",
"options": {
"filename": "files/pdf0.pdf",
},
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf0.zip"
assert "%48%65" in s.run()["pdf"][0]["javascript"][0]["orig_code"]
def test_lnk2(self):
s = Static()
s.set_task({
"category": "file",
"package": "generic",
"target": "lnk_2.lnk",
})
s.file_path = "tests/files/lnk_2.lnk"
assert "elf" not in s.run()
def test_pdf_endian(self):
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf-endianerror.pdf"
})
s.file_path = "tests/files/pdf-endianerror.pdf"
s.set_options({
"pdf_timeout": 30,
})
r = s.run()
assert len(r["pdf"][0]["urls"]) == 63
assert r["pdf"][0]["urls"][54] == (
u"http://yourmirror.net/kali-security\u548c"
u"http://yourmirror.net/kali-images"
)
def test_pdf_mock(self, p):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf0.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf0.pdf"
p.return_value = ["hello"]
assert s.run()["pdf"] == ["hello"]
p.assert_called_once_with(mock.ANY, ("tests/files/pdf0.pdf", ),
timeout=30)
def test_summary_pdf_nometadata(self, p, request):
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": __file__,
})
s.set_options({
"pdf_timeout": 10,
})
s.file_path = __file__
p._get_report.return_value = {
"static": s.run(),
}
r = AnalysisRoutes.detail(request, 1, "static").content
assert "No PDF metadata could be extracted!" in r
def test_summary_pdf_metadata(self, p, request):
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf-sample.pdf",
})
s.set_options({
"pdf_timeout": 10,
})
s.file_path = "tests/files/pdf-sample.pdf"
p._get_report.return_value = {
"static": s.run(),
}
r = AnalysisRoutes.detail(request, 1, "static").content
assert "Microsoft Word 8.0" in r
assert "This is a test PDF file" in r
def test_pdf_stringjs(self):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf1-stringjs.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf1-stringjs.pdf"
r = s.run()["pdf"][12]
assert "app.alert({" in r["javascript"][0]["orig_code"]
def test_pdf_attach(self):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf_attach.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf_attach.pdf"
obj, = s.run()["pdf"]
assert len(obj["javascript"]) == 1
assert "exportDataObject" in obj["javascript"][0]["orig_code"]
assert len(obj["attachments"]) == 1
assert obj["attachments"][0]["filename"] == "789IVIIUXSF110.docm"
assert "kkkllsslll" in obj["openaction"]
def test_office(self):
s = Static()
s.set_task({
"category": "file",
"package": "doc",
"target": "createproc1.docm",
})
s.file_path = "tests/files/createproc1.docm"
r = s.run()["office"]
assert "ThisDocument" in r["macros"][0]["orig_code"]
assert "Sub AutoOpen" in r["macros"][1]["orig_code"]
assert 'process.Create("notepad.exe"' in r["macros"][1]["orig_code"]
def test_pdf_ignorefake(self):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "fakepdf.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/fakepdf.pdf"
assert s.run() == {
"pdf": [],
}
def test_pdf_workercrash(self, md):
set_cwd(tempfile.mkdtemp())
md.return_value = None
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf0.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf0.pdf"
r = s.run()
assert r["pdf"] == []
def test_pdf_endian(self):
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf-endianerror.pdf"
})
s.file_path = "tests/files/pdf-endianerror.pdf"
s.set_options({
"pdf_timeout": 30,
})
r = s.run()
assert len(r["pdf"][0]["urls"]) == 63
assert r["pdf"][0]["urls"][54] == (
u"http://yourmirror.net/kali-security\u548c"
u"http://yourmirror.net/kali-images"
)
def test_summary_pdf_nometadata(self, p, request):
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": __file__,
})
s.set_options({
"pdf_timeout": 10,
})
s.file_path = __file__
p._get_report.return_value = {
"static": s.run(),
}
r = AnalysisRoutes.detail(request, 1, "static").content
assert "No PDF metadata could be extracted!" in r
def test_pdf_mock(self, p):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf0.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf0.pdf"
p.return_value = ["hello"]
assert s.run()["pdf"] == ["hello"]
p.assert_called_once_with(
mock.ANY, ("tests/files/pdf0.pdf",), timeout=30
)
def test_summary_pdf_metadata(self, p, request):
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf-sample.pdf",
})
s.set_options({
"pdf_timeout": 10,
})
s.file_path = "tests/files/pdf-sample.pdf"
p._get_report.return_value = {
"static": s.run(),
}
r = AnalysisRoutes.detail(request, 1, "static").content
assert "Microsoft Word 8.0" in r
assert "This is a test PDF file" in r
def init(package, *filename):
id_ = task_id()
init_analysis(id_, package, *filename)
init_yara()
s = Static()
s.set_task({
"id": id_,
"category": "file",
"package": package,
"target": filename[-1],
})
s.file_path = cwd("binary", analysis=id_)
e = ExtractManager.for_task(id_)
return s.run(), e.results()
def test_pdf_attach(self):
set_cwd(tempfile.mkdtemp())
s = Static()
s.set_task({
"category": "file",
"package": "pdf",
"target": "pdf_attach.pdf",
})
s.set_options({
"pdf_timeout": 30,
})
s.file_path = "tests/files/pdf_attach.pdf"
obj, = s.run()["pdf"]
assert len(obj["javascript"]) == 1
assert "exportDataObject" in obj["javascript"][0]["orig_code"]
assert len(obj["attachments"]) == 1
assert obj["attachments"][0]["filename"] == "789IVIIUXSF110.docm"
assert "kkkllsslll" in obj["openaction"]
def test_summary_office2(self, p, request):
s = Static()
s.set_task({
"category": "file",
"package": "doc",
"target": "createproc1.docm",
})
s.file_path = "tests/files/createproc1.docm"
p._get_report.return_value = {
"static": s.run(),
}
r = AnalysisRoutes.detail(request, 1, "static").content
assert "ThisDocument" in r
assert "Sub AutoOpen" in r
assert "process.Create" in r
assert "notepad.exe" in r
def test_push_script_recursive():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
mkdir(cwd(analysis=1))
open(cwd("yara", "office", "ole.yar"), "wb").write("""
rule OleInside {
strings:
$s1 = "Win32_Process"
condition:
filename matches /word\/vbaProject.bin/ and $s1
}
""")
init_yara()
s = Static()
s.file_path = "tests/files/createproc1.docm"
s.set_task({
"id": 1,
"category": "file",
"target": s.file_path,
"package": "doc",
})
s.run()
assert ExtractManager.for_task(1).results()[0]["yara"] == [{
"name":
"OleInside",
"meta": {
"description": "(no description)",
},
"offsets": {
"s1": [
(3933, 0),
],
},
"strings": [
"Win32_Process".encode("base64").strip(),
],
}]
def test_lnk2(self):
s = Static()
s.set_task({
"category": "file",
"package": "lnk",
"target": "lnk_2.lnk",
})
s.file_path = "tests/files/lnk_2.lnk"
obj = s.run()["lnk"]
assert obj["basepath"] == "C:\\Windows\\System32\\cmd.exe"
assert obj["flags"] == {
"cmdline": True, "description": True, "icon": True,
"references": True, "relapath": True, "shellidlist": True,
"workingdir": True,
}
assert "digitale" in obj["description"]
assert obj["icon"] == "C:\\Windows\\System32\\write.exe"
assert "cmd.exe" in obj["relapath"]
assert "bitsadmin.exe" in obj["cmdline"]
assert "/transfer" in obj["cmdline"]
def test_push_script_recursive():
set_cwd(tempfile.mkdtemp())
cuckoo_create()
mkdir(cwd(analysis=1))
open(cwd("yara", "office", "ole.yar"), "wb").write("""
rule OleInside {
strings:
$s1 = "Win32_Process"
condition:
filename matches /word\/vbaProject.bin/ and $s1
}
""")
init_yara()
s = Static()
s.file_path = "tests/files/createproc1.docm"
s.set_task({
"id": 1,
"category": "file",
"target": s.file_path,
"package": "doc",
})
s.run()
assert ExtractManager.for_task(1).results()[0]["yara"] == [{
"name": "OleInside",
"meta": {
"description": "(no description)",
},
"offsets": {
"s1": [
(3933, 0),
],
},
"strings": [
"Win32_Process".encode("base64").strip(),
],
}]
def test_static_none(self):
s = Static()
s.set_task({
"category": "none",
})
assert s.run() is None
