def unquarantine(file):
base = os.path.basename(file)
realbase, ext = os.path.splitext(base)
if ext.lower() == ".bup" or olefile.isOleFile(file):
return mcafee_unquarantine(file)
return forefront_unquarantine(file)
def unquarantine(f):
base = os.path.basename(f)
realbase, ext = os.path.splitext(base)
if ext.lower() == ".bup" or olefile.isOleFile(f):
try:
return mcafee_unquarantine(f)
except:
pass
if ext.lower() == ".quar":
try:
return mbam_unquarantine(f)
except:
pass
try:
quarfile = kav_unquarantine(f)
if quarfile:
return quarfile
except:
pass
try:
quarfile = trend_unquarantine(f)
if quarfile:
return quarfile
except:
pass
try:
quarfile = sep_unquarantine(f)
if quarfile:
return quarfile
except:
pass
try:
quarfile = mse_unquarantine(f)
if quarfile:
return quarfile
except:
pass
return forefront_unquarantine(f)
def unquarantine(f):
base = os.path.basename(f)
realbase, ext = os.path.splitext(base)
if ext.lower() == ".bup" or olefile.isOleFile(f):
try:
return mcafee_unquarantine(f)
except:
pass
if ext.lower() == ".quar":
try:
return mbam_unquarantine(f)
except:
pass
try:
quarfile = kav_unquarantine(f)
if quarfile:
return quarfile
except:
pass
try:
quarfile = trend_unquarantine(f)
if quarfile:
return quarfile
except:
pass
try:
quarfile = sep_unquarantine(f)
if quarfile:
return quarfile
except:
pass
try:
quarfile = mse_unquarantine(f)
if quarfile:
return quarfile
except:
pass
return forefront_unquarantine(f)
def mcafee_unquarantine(f):
if not olefile.isOleFile(f):
return None
with open(f, "rb") as quarfile:
qdata = quarfile.read()
oledata = olefile.OleFileIO(qdata)
olefiles = oledata.listdir()
quarfiles = list()
for item in olefiles:
if "Details" in item:
details = bytearray_xor(
bytearray(oledata.openstream("Details").read()), 0x6a)
else:
# Parse for quarantine files
for fileobj in item:
if "File_" in fileobj:
quarfiles.append(fileobj)
decoded = dict()
# Try and decode quarantine files (sometimes there are none)
for item in quarfiles:
try:
decoded[item] = bytearray_xor(
bytearray(oledata.openstream(item).read()), 0x6a)
except:
pass
# Try and get original file name from details
if decoded.keys():
config = details.splitlines()
malname = ""
for item in decoded.keys():
parseit = False
for check in config:
if check.startswith("["):
if item in check:
parseit = True
if check == '':
parseit = False
if parseit and check.startswith("OriginalName="):
malname = str(check.split("\\")[-1])
if not malname:
malname = "McAfeeDequarantineFile"
# currently we're only returning the first found file in the quarantine file
return store_temp_file(decoded[item], malname)
def mcafee_unquarantine(file):
if not olefile.isOleFile(file):
return None
with open(file, "rb") as quarfile:
qdata = quarfile.read()
oledata = olefile.OleFileIO(qdata)
olefiles = oledata.listdir()
quarfiles = list()
for item in olefiles:
if "Details" in item:
details = bytearray_xor(bytearray(oledata.openstream("Details").read()), 0x6a)
else:
# Parse for quarantine files
for fileobj in item:
if "File_" in fileobj:
quarfiles.append(fileobj)
decoded = dict()
# Try and decode quarantine files (sometimes there are none)
for item in quarfiles:
try:
decoded[item] = bytearray_xor(bytearray(oledata.openstream(item).read()), 0x6a)
except:
pass
# Try and get original file name from details
if decoded.keys():
config = details.splitlines()
malname = ""
for item in decoded.keys():
parseit = False
for check in config:
if check.startswith("["):
if item in check:
parseit = True
if check == '':
parseit = False
if parseit and check.startswith("OriginalName="):
malname = str(check.split("\\")[-1])
if not malname:
malname = "McAfeeDequarantineFile"
# currently we're only returning the first found file in the quarantine file
return store_temp_file(decoded[item], malname)
def _parse(self, filepath):
"""Parses an office document for static information.
Currently (as per olefile) the following formats are supported:
- Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
- Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
- PowerPoint 2007+ (.pptm, .ppsm)
@param filepath: Path to the file to be analyzed.
@return: results dict or None
"""
results = dict()
vba = VBA_Parser(filepath)
results["Metadata"] = dict()
# The bulk of the metadata checks are in the OLE Structures
# So don't check if we're dealing with XML.
if olefile.isOleFile(filepath):
ole = olefile.OleFileIO(filepath)
meta = ole.get_metadata()
results["Metadata"] = meta.get_meta()
# Fix up some output formatting
buf = self.convert_dt_string(results["Metadata"]["SummaryInformation"]["create_time"])
results["Metadata"]["SummaryInformation"]["create_time"] = buf
buf = self.convert_dt_string(results["Metadata"]["SummaryInformation"]["last_saved_time"])
results["Metadata"]["SummaryInformation"]["last_saved_time"] = buf
ole.close()
if vba.detect_vba_macros():
results["Metadata"]["HasMacros"] = "Yes"
results["Macro"] = dict()
results["Macro"]["Code"] = dict()
ctr = 0
# Create IOC and category vars. We do this before processing the
# macro(s) to avoid overwriting data when there are multiple
# macros in a single file.
results["Macro"]["Analysis"] = dict()
results["Macro"]["Analysis"]["AutoExec"] = list()
results["Macro"]["Analysis"]["Suspicious"] = list()
results["Macro"]["Analysis"]["IOCs"] = list()
results["Macro"]["Analysis"]["HexStrings"] = list()
for (subfilename, stream_path, vba_filename, vba_code) in vba.extract_macros():
vba_code = filter_vba(vba_code)
if vba_code.strip() != "":
# Handle all macros
ctr += 1
outputname = "Macro" + str(ctr)
results["Macro"]["Code"][outputname] = list()
results["Macro"]["Code"][outputname].append(
(convert_to_printable(vba_filename), convert_to_printable(vba_code))
)
autoexec = detect_autoexec(vba_code)
suspicious = detect_suspicious(vba_code)
iocs = vbadeobf.parse_macro(vba_code)
hex_strs = detect_hex_strings(vba_code)
if autoexec:
for keyword, description in autoexec:
results["Macro"]["Analysis"]["AutoExec"].append((keyword, description))
if suspicious:
for keyword, description in suspicious:
results["Macro"]["Analysis"]["Suspicious"].append((keyword, description))
if iocs:
for pattern, match in iocs:
results["Macro"]["Analysis"]["IOCs"].append((pattern, match))
if hex_strs:
for encoded, decoded in hex_strs:
results["Macro"]["Analysis"]["HexStrings"].append((encoded, decoded))
# Delete and keys which had no results. Otherwise we pollute the
# Django interface with null data.
if results["Macro"]["Analysis"]["AutoExec"] == []:
del results["Macro"]["Analysis"]["AutoExec"]
if results["Macro"]["Analysis"]["Suspicious"] == []:
del results["Macro"]["Analysis"]["Suspicious"]
if results["Macro"]["Analysis"]["IOCs"] == []:
del results["Macro"]["Analysis"]["IOCs"]
if results["Macro"]["Analysis"]["HexStrings"] == []:
del results["Macro"]["Analysis"]["HexStrings"]
else:
results["Metadata"]["HasMacros"] = "No"
oleid = OleID(filepath)
indicators = oleid.check()
for indicator in indicators:
if indicator.name == "Word Document" and indicator.value == True:
results["Metadata"]["DocumentType"] = indicator.name
if indicator.name == "Excel Workbook" and indicator.value == True:
results["Metadata"]["DocumentType"] = indicator.name
if indicator.name == "PowerPoint Presentation" and indicator.value == True:
results["Metadata"]["DocumentType"] = indicator.name
return results
def _parse(self, filepath):
"""Parses an office document for static information.
Currently (as per olefile) the following formats are supported:
- Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
- Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
- PowerPoint 2007+ (.pptm, .ppsm)
@param filepath: Path to the file to be analyzed.
@return: results dict or None
"""
results = dict()
try:
vba = VBA_Parser(filepath)
except:
return results
results["Metadata"] = dict()
# The bulk of the metadata checks are in the OLE Structures
# So don't check if we're dealing with XML.
if olefile.isOleFile(filepath):
ole = olefile.OleFileIO(filepath)
meta = ole.get_metadata()
results["Metadata"] = meta.get_meta()
# Fix up some output formatting
buf = self.convert_dt_string(
results["Metadata"]["SummaryInformation"]["create_time"])
results["Metadata"]["SummaryInformation"]["create_time"] = buf
buf = self.convert_dt_string(
results["Metadata"]["SummaryInformation"]["last_saved_time"])
results["Metadata"]["SummaryInformation"]["last_saved_time"] = buf
ole.close()
if vba.detect_vba_macros():
results["Metadata"]["HasMacros"] = "Yes"
results["Macro"] = dict()
results["Macro"]["Code"] = dict()
ctr = 0
# Create IOC and category vars. We do this before processing the
# macro(s) to avoid overwriting data when there are multiple
# macros in a single file.
results["Macro"]["Analysis"] = dict()
results["Macro"]["Analysis"]["AutoExec"] = list()
results["Macro"]["Analysis"]["Suspicious"] = list()
results["Macro"]["Analysis"]["IOCs"] = list()
results["Macro"]["Analysis"]["HexStrings"] = list()
for (subfilename, stream_path, vba_filename,
vba_code) in vba.extract_macros():
vba_code = filter_vba(vba_code)
if vba_code.strip() != '':
# Handle all macros
ctr += 1
outputname = "Macro" + str(ctr)
results["Macro"]["Code"][outputname] = list()
results["Macro"]["Code"][outputname].append(
(convert_to_printable(vba_filename),
convert_to_printable(vba_code)))
autoexec = detect_autoexec(vba_code)
suspicious = detect_suspicious(vba_code)
iocs = vbadeobf.parse_macro(vba_code)
hex_strs = detect_hex_strings(vba_code)
if autoexec:
for keyword, description in autoexec:
results["Macro"]["Analysis"]["AutoExec"].append(
(keyword, description))
if suspicious:
for keyword, description in suspicious:
results["Macro"]["Analysis"]["Suspicious"].append(
(keyword, description))
if iocs:
for pattern, match in iocs:
results["Macro"]["Analysis"]["IOCs"].append(
(pattern, match))
if hex_strs:
for encoded, decoded in hex_strs:
results["Macro"]["Analysis"]["HexStrings"].append(
(encoded, decoded))
# Delete and keys which had no results. Otherwise we pollute the
# Django interface with null data.
if results["Macro"]["Analysis"]["AutoExec"] == []:
del results["Macro"]["Analysis"]["AutoExec"]
if results["Macro"]["Analysis"]["Suspicious"] == []:
del results["Macro"]["Analysis"]["Suspicious"]
if results["Macro"]["Analysis"]["IOCs"] == []:
del results["Macro"]["Analysis"]["IOCs"]
if results["Macro"]["Analysis"]["HexStrings"] == []:
del results["Macro"]["Analysis"]["HexStrings"]
else:
results["Metadata"]["HasMacros"] = "No"
oleid = OleID(filepath)
indicators = oleid.check()
for indicator in indicators:
if indicator.name == "Word Document" and indicator.value == True:
results["Metadata"]["DocumentType"] = indicator.name
if indicator.name == "Excel Workbook" and indicator.value == True:
results["Metadata"]["DocumentType"] = indicator.name
if indicator.name == "PowerPoint Presentation" and indicator.value == True:
results["Metadata"]["DocumentType"] = indicator.name
return results
