def process_text(body, origin_domain, sha):
extract_urls = ExtractURL(body, origin_domain, sha)
suspicious_urls = set(extract_urls.processing())
indicators = extract_urls.indicators
tok = Tokenizer(body, sha)
passwordlist = tok.processing()
return indicators, list(suspicious_urls), passwordlist
def process_attachement(attachment, detected_content_type, detected_file_name, origin_domain, passwordlist, sha):
indicators = 0
payload_results = []
suspicious_urls = set()
try:
mpart_attachment = mime.from_string(attachment)
if mpart_attachment.content_type.is_multipart():
for p in mpart_attachment.walk():
detected_content_type = str(p.detected_content_type)
filename = detected_file_name
ind, s_urls, payload_r = process_attachement(p.body, detected_content_type, filename, origin_domain, passwordlist, sha)
indicators += ind
suspicious_urls |= set(s_urls)
payload_results += payload_r
except DecodingError:
# Binary attachement
pass
extract_urls = ExtractURL(attachment, origin_domain, sha)
suspicious_urls |= set(extract_urls.processing())
indicators += extract_urls.indicators
content_type = detected_content_type
filename = detected_file_name
if filename is not None and len(filename) > 0:
passwordlist.append(filename)
prefix, suffix = os.path.splitext(filename)
passwordlist.append(prefix)
passwordlist = [i for i in passwordlist if len(i) > 1]
r_indicators, is_archive, r = process_payload(filename, attachment, content_type, origin_domain, passwordlist, sha)
r['filename'] = filename
r['content_type'] = content_type
indicators += r_indicators
payload_results.append(r)
return indicators, list(suspicious_urls), is_archive, payload_results
subject = msg.subject
passwordlist = ["password", "passw0rd", "infected", "qwerty", "malicious",
"archive", "zip"]
indicators = 0
examine_headers = ExamineHeaders(msg)
origin_ip, rbl_listed, rbl_comment, mailfrom, mailto, origin_domain = examine_headers.processing()
indicators += examine_headers.indicators
attachements = []
payload_results = []
suspicious_urls = set()
if msg.content_type.is_multipart():
for p in msg.walk():
extract_urls = ExtractURL(p.body, origin_domain)
suspicious_urls |= set(extract_urls.processing())
indicators += extract_urls.indicators
if p.is_body():
content = p.body
tok = Tokenizer(content)
passwordlist += tok.processing()
# TODO process that string
elif p.is_attachment() or p.is_inline():
content_type = p.detected_content_type
filename = p.detected_file_name
attachements.append((filename, content_type))
if filename is not None and len(filename) > 0:
passwordlist.append(filename)
prefix, suffix = os.path.splitext(filename)
passwordlist.append(prefix)
"zip"
]
indicators = 0
examine_headers = ExamineHeaders(msg)
origin_ip, rbl_listed, rbl_comment, mailfrom, mailto, origin_domain = examine_headers.processing(
)
indicators += examine_headers.indicators
attachements = []
payload_results = []
suspicious_urls = set()
if msg.content_type.is_multipart():
for p in msg.walk():
extract_urls = ExtractURL(p.body, origin_domain)
suspicious_urls |= set(extract_urls.processing())
indicators += extract_urls.indicators
if p.is_body():
content = p.body
tok = Tokenizer(content)
passwordlist += tok.processing()
# TODO process that string
elif p.is_attachment() or p.is_inline():
content_type = p.detected_content_type
filename = p.detected_file_name
attachements.append((filename, content_type))
if filename is not None and len(filename) > 0:
passwordlist.append(filename)
prefix, suffix = os.path.splitext(filename)
passwordlist.append(prefix)
