def test_pdf_metadata(self):
    """Pin the document-info record the PDF analyzer emits for a benign sample.

    The analyzer is run from a throwaway working directory. Its "pdf" result
    is a list of two entries; the second one is expected to be the metadata
    record with empty ``javascript`` and ``urls`` lists. Note that "creation"
    is pinned in raw PDF date syntax while "modification" is ISO 8601 -- the
    test fixes what the parser currently emits, not a normalized form.
    """
    set_cwd(tempfile.mkdtemp())

    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "pdf-sample.pdf",
    })
    # pdf_timeout appears to bound the PDF worker's runtime (it is forwarded
    # as ``timeout`` in the mocked run elsewhere in this file).
    static.set_options({"pdf_timeout": 30})
    static.file_path = "tests/files/pdf-sample.pdf"

    pdf_results = static.run()["pdf"]
    assert len(pdf_results) == 2

    expected_metadata = {
        "author": "cdaily",
        "creation": "D:20000629102108+11'00'",
        "creator": "Microsoft Word 8.0",
        "javascript": [],
        "modification": "2013-10-28T15:24:13-04:00",
        "producer": "Acrobat Distiller 4.0 for Windows",
        "subject": "",
        "title": "This is a test PDF file",
        "urls": [],
        "version": 1,
    }
    assert pdf_results[1] == expected_metadata
def test_lnk1(self):
    """Check the fields parsed out of a PowerShell-launching .lnk shortcut.

    The shortcut resolves to powershell.exe while presenting itself as
    "windows photo viewer" with a shell32.dll icon -- a mismatch between
    description and target that the parser must surface verbatim. The command
    line carries "-NoProfile" and "eABlACIA", the latter looking like part of
    a base64-encoded argument (not decoded here; the test only requires that
    the raw fragment is exposed so detection logic downstream can inspect it).
    """
    static = Static()
    static.set_task({
        "category": "file",
        "package": "lnk",
        "target": "lnk_1.lnk",
    })
    static.file_path = "tests/files/lnk_1.lnk"

    lnk = static.run()["lnk"]

    expected_basepath = (
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    )
    assert lnk["basepath"] == expected_basepath

    # Which optional link structures are present; workingdir is absent here.
    expected_flags = {
        "cmdline": True,
        "description": True,
        "icon": True,
        "references": True,
        "relapath": True,
        "shellidlist": True,
        "workingdir": False,
    }
    assert lnk["flags"] == expected_flags

    assert lnk["description"] == "windows photo viewer"
    assert "shell32.dll" in lnk["icon"]
    assert "powershell.exe" in lnk["relapath"]

    cmdline = lnk["cmdline"]
    assert "-NoProfile" in cmdline
    assert "eABlACIA" in cmdline
def test_lnk2(self):
    """A .lnk analyzed under the "generic" package must not produce ELF output.

    Only the absence of the "elf" key is asserted; the test guards against the
    shortcut being misclassified, not against any specific lnk result. Another
    ``test_lnk2`` appears later in this listing -- if both live in the same
    class, the later definition shadows this one.
    """
    static = Static()
    static.set_task({
        "category": "file",
        "package": "generic",
        "target": "lnk_2.lnk",
    })
    static.file_path = "tests/files/lnk_2.lnk"

    results = static.run()
    assert "elf" not in results
def test_office(self):
    """Check that VBA macros are extracted from a macro-enabled Word document.

    The fixture carries two macro modules. The test pins that the first holds
    the ThisDocument module and that the second contains an AutoOpen routine
    calling ``process.Create("notepad.exe"`` -- the auto-execute plus process
    creation pattern the office analyzer must expose in ``orig_code``.
    """
    static = Static()
    static.set_task({
        "category": "file",
        "package": "doc",
        "target": "createproc1.docm",
    })
    static.file_path = "tests/files/createproc1.docm"

    office = static.run()["office"]
    first_macro = office["macros"][0]["orig_code"]
    second_macro = office["macros"][1]["orig_code"]

    assert "ThisDocument" in first_macro
    assert "Sub AutoOpen" in second_macro
    assert 'process.Create("notepad.exe"' in second_macro
def test_phishing0_pdf(self):
    """Check that the first URL of a phishing PDF is extracted.

    Only a substring of the URL is pinned ("googleattachmentsigned"), so the
    test tolerates changes in how the rest of the link is rendered. Runs from
    a throwaway working directory.
    """
    set_cwd(tempfile.mkdtemp())

    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "phishing0.pdf",
    })
    # pdf_timeout appears to bound the PDF worker's runtime.
    static.set_options({"pdf_timeout": 30})
    static.file_path = "tests/files/phishing0.pdf"

    first_url = static.run()["pdf"][0]["urls"][0]
    assert "googleattachmentsigned" in first_url
def init(package, *filename):
    """Set up an analysis for *filename* and run the static processing on it.

    Args:
        package: analysis package name passed through to the task.
        *filename: one or more path components forwarded to ``init_analysis``;
            the last component is used as the task target. At least one must
            be given, otherwise ``filename[-1]`` raises IndexError.

    Returns:
        A tuple of the static processing result and the extract manager's
        results for the freshly created task.
    """
    task = task_id()
    init_analysis(task, package, *filename)
    init_yara()

    static = Static()
    static.set_task({
        "id": task,
        "category": "file",
        "package": package,
        "target": filename[-1],
    })
    # The submitted sample lives under the analysis directory as "binary".
    static.file_path = cwd("binary", analysis=task)

    extract_manager = ExtractManager.for_task(task)
    static_results = static.run()
    return static_results, extract_manager.results()
def test_pdf_stringjs(self):
    """Check JavaScript stored as a PDF string object is still extracted.

    The relevant object is the 13th "pdf" entry (index 12); its first
    JavaScript block is expected to contain an ``app.alert({`` call. Uses the
    test case's own ``mkdtemp`` helper for the working directory.
    """
    set_cwd(self.mkdtemp())

    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "pdf1-stringjs.pdf",
    })
    # pdf_timeout appears to bound the PDF worker's runtime.
    static.set_options({"pdf_timeout": 30})
    static.file_path = "tests/files/pdf1-stringjs.pdf"

    entry = static.run()["pdf"][12]
    assert "app.alert({" in entry["javascript"][0]["orig_code"]
def test_pdf(self):
    """Check that embedded JavaScript is extracted from the pdf0 sample.

    The first "pdf" entry's first JavaScript block must contain
    ``var x = unescape`` -- the classic shellcode-staging idiom this fixture
    exists to detect. Runs from a throwaway working directory.
    """
    set_cwd(tempfile.mkdtemp())

    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "pdf0.pdf",
    })
    # pdf_timeout appears to bound the PDF worker's runtime.
    static.set_options({"pdf_timeout": 30})
    static.file_path = "tests/files/pdf0.pdf"

    entry = static.run()["pdf"][0]
    assert "var x = unescape" in entry["javascript"][0]["orig_code"]
def test_archive_pdf(self):
    """Check a PDF delivered inside a zip archive is analyzed as a PDF.

    The task is of category "archive" and names the inner file through the
    "filename" option; the analyzer must reach into the archive and extract
    the embedded JavaScript (pinned by its ``%48%65`` escape sequence).
    """
    set_cwd(tempfile.mkdtemp())

    static = Static()
    static.set_task({
        "category": "archive",
        "package": "pdf",
        "options": {
            "filename": "files/pdf0.pdf",
        },
    })
    # pdf_timeout appears to bound the PDF worker's runtime.
    static.set_options({"pdf_timeout": 30})
    static.file_path = "tests/files/pdf0.zip"

    javascript = static.run()["pdf"][0]["javascript"][0]["orig_code"]
    assert "%48%65" in javascript
def test_pdf_workercrash(self, md):
    """A crashed PDF worker must degrade to an empty result, not an exception.

    ``md`` is presumably a mock injected by a decorator outside this view; its
    return value is forced to None to simulate the worker dying. The static
    run must then report ``[]`` for "pdf" so the rest of processing continues.
    """
    set_cwd(self.mkdtemp())
    md.return_value = None

    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "pdf0.pdf",
    })
    # pdf_timeout appears to bound the PDF worker's runtime.
    static.set_options({"pdf_timeout": 30})
    static.file_path = "tests/files/pdf0.pdf"

    results = static.run()
    assert results["pdf"] == []
def test_pdf_ignorefake(self):
    """A file that merely carries a .pdf extension must yield no PDF objects.

    The analyzer is expected to return exactly ``{"pdf": []}`` for the fake
    sample rather than raising or inventing entries.
    """
    set_cwd(self.mkdtemp())

    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "fakepdf.pdf",
    })
    # pdf_timeout appears to bound the PDF worker's runtime.
    static.set_options({"pdf_timeout": 30})
    static.file_path = "tests/files/fakepdf.pdf"

    expected = {"pdf": []}
    assert static.run() == expected
def test_pdf_endian(self):
    """Regression test for a PDF that used to trip an endianness error.

    The sample must parse to 63 URLs, and URL 55 (index 54) is pinned to a
    value containing U+548C between two links -- the non-ASCII code point
    that exercised the bug. Note that set_options is called after file_path
    here; the order does not matter to the analyzer.
    """
    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "pdf-endianerror.pdf"
    })
    static.file_path = "tests/files/pdf-endianerror.pdf"
    # pdf_timeout appears to bound the PDF worker's runtime.
    static.set_options({"pdf_timeout": 30})

    urls = static.run()["pdf"][0]["urls"]
    assert len(urls) == 63

    expected_url = (
        u"http://yourmirror.net/kali-security\u548c"
        u"http://yourmirror.net/kali-images"
    )
    assert urls[54] == expected_url
def test_summary_office2(self, p, request):
    """Check the web "static" summary renders the extracted Office macros.

    ``p`` and ``request`` are presumably supplied by decorators or fixtures
    outside this view; ``p._get_report`` is stubbed to return the live static
    result so that only the rendering path is under test. The rendered page
    must expose the module name, the AutoOpen routine and the process
    creation call with its target.
    """
    static = Static()
    static.set_task({
        "category": "file",
        "package": "doc",
        "target": "createproc1.docm",
    })
    static.file_path = "tests/files/createproc1.docm"

    p._get_report.return_value = {"static": static.run()}

    page = AnalysisRoutes.detail(request, 1, "static").content
    for fragment in ("ThisDocument", "Sub AutoOpen",
                     "process.Create", "notepad.exe"):
        assert fragment in page
def test_pdf_mock(self, p):
    """Check that the PDF worker is invoked once with the configured timeout.

    ``p`` is presumably a mock of the worker call injected from outside this
    view. Its canned return value must be passed through unchanged as the
    "pdf" result, and it must have been called exactly once with the file
    path tuple and ``timeout=30`` taken from the ``pdf_timeout`` option.
    """
    set_cwd(tempfile.mkdtemp())

    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "pdf0.pdf",
    })
    static.set_options({"pdf_timeout": 30})
    static.file_path = "tests/files/pdf0.pdf"

    p.return_value = ["hello"]
    assert static.run()["pdf"] == ["hello"]

    # The first positional argument (the worker callable) is not pinned.
    p.assert_called_once_with(
        mock.ANY, ("tests/files/pdf0.pdf",), timeout=30
    )
def test_summary_pdf_nometadata(self, p, request):
    """The summary page must say so when a "PDF" yields no metadata.

    This test module's own source file is handed to the PDF analyzer, which
    cannot extract anything from it; the rendered "static" page must then
    carry the "No PDF metadata could be extracted!" notice. ``p`` and
    ``request`` are presumably supplied from outside this view.
    """
    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": __file__,
    })
    static.set_options({"pdf_timeout": 10})
    static.file_path = __file__

    p._get_report.return_value = {"static": static.run()}

    page = AnalysisRoutes.detail(request, 1, "static").content
    assert "No PDF metadata could be extracted!" in page
def test_summary_pdf_metadata(self, p, request):
    """Check the summary page renders the PDF creator and title fields.

    ``p._get_report`` is stubbed with the live static result for the sample
    PDF; the rendered "static" page must contain the creator application and
    the document title. ``p`` and ``request`` are presumably supplied from
    outside this view.
    """
    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "pdf-sample.pdf",
    })
    static.set_options({"pdf_timeout": 10})
    static.file_path = "tests/files/pdf-sample.pdf"

    p._get_report.return_value = {"static": static.run()}

    page = AnalysisRoutes.detail(request, 1, "static").content
    for fragment in ("Microsoft Word 8.0", "This is a test PDF file"):
        assert fragment in page
def test_pdf_attach(self):
    """Check attachments, JavaScript and the OpenAction of a dropper PDF.

    The sample must produce exactly one "pdf" entry (enforced by the
    single-element unpack). That entry carries one JavaScript block that
    calls ``exportDataObject`` -- the API used to write an embedded file to
    disk -- one attachment named 789IVIIUXSF110.docm, and an OpenAction
    containing "kkkllsslll". Runs from a throwaway working directory.
    """
    set_cwd(tempfile.mkdtemp())

    static = Static()
    static.set_task({
        "category": "file",
        "package": "pdf",
        "target": "pdf_attach.pdf",
    })
    # pdf_timeout appears to bound the PDF worker's runtime.
    static.set_options({"pdf_timeout": 30})
    static.file_path = "tests/files/pdf_attach.pdf"

    # Raises ValueError if the analyzer returns more or fewer than one entry.
    [entry] = static.run()["pdf"]

    javascript = entry["javascript"]
    assert len(javascript) == 1
    assert "exportDataObject" in javascript[0]["orig_code"]

    attachments = entry["attachments"]
    assert len(attachments) == 1
    assert attachments[0]["filename"] == "789IVIIUXSF110.docm"

    assert "kkkllsslll" in entry["openaction"]
def test_lnk2(self):
    """Check the fields parsed out of a cmd.exe/bitsadmin .lnk shortcut.

    The shortcut targets cmd.exe, borrows write.exe's icon, and its command
    line invokes bitsadmin.exe with "/transfer" -- a download-via-BITS pattern
    the parser must expose verbatim. All optional link structures, including
    the working directory, are present in this sample.
    """
    static = Static()
    static.set_task({
        "category": "file",
        "package": "lnk",
        "target": "lnk_2.lnk",
    })
    static.file_path = "tests/files/lnk_2.lnk"

    lnk = static.run()["lnk"]

    assert lnk["basepath"] == "C:\\Windows\\System32\\cmd.exe"

    expected_flags = {
        "cmdline": True,
        "description": True,
        "icon": True,
        "references": True,
        "relapath": True,
        "shellidlist": True,
        "workingdir": True,
    }
    assert lnk["flags"] == expected_flags

    assert "digitale" in lnk["description"]
    assert lnk["icon"] == "C:\\Windows\\System32\\write.exe"
    assert "cmd.exe" in lnk["relapath"]

    cmdline = lnk["cmdline"]
    assert "bitsadmin.exe" in cmdline
    assert "/transfer" in cmdline
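def test_push_script_recursive():
    """Check that a custom Yara rule matches inside an extracted Office file.

    A rule keyed on the ``vbaProject.bin`` member and the "Win32_Process"
    string is written into the office rule directory of a fresh Cuckoo
    working directory, the rules are (re)loaded, and the macro-enabled
    document is processed. The extract manager's first result must carry the
    match, including its offset and the base64-encoded matched string.

    The rule file is written through a ``with`` block so it is closed and
    flushed before ``init_yara()`` compiles the directory; the original
    relied on the file object being collected immediately.
    """
    set_cwd(tempfile.mkdtemp())
    cuckoo_create()
    mkdir(cwd(analysis=1))

    # NOTE: "\/" is kept as a literal backslash-slash inside the regex; the
    # string is deliberately not raw so the Yara rule text is unchanged.
    rule = """
rule OleInside {
    strings:
        $s1 = "Win32_Process"
    condition:
        filename matches /word\/vbaProject.bin/ and $s1
}
"""
    with open(cwd("yara", "office", "ole.yar"), "wb") as f:
        f.write(rule)
    init_yara()

    static = Static()
    static.file_path = "tests/files/createproc1.docm"
    static.set_task({
        "id": 1,
        "category": "file",
        "target": static.file_path,
        "package": "doc",
    })
    static.run()

    expected = [{
        "name": "OleInside",
        "meta": {
            "description": "(no description)",
        },
        "offsets": {
            "s1": [
                (3933, 0),
            ],
        },
        "strings": [
            "Win32_Process".encode("base64").strip(),
        ],
    }]
    assert ExtractManager.for_task(1).results()[0]["yara"] == expected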
def test_static_none(self):
    """A task of category "none" must make the static module return None."""
    static = Static()
    static.set_task({"category": "none"})

    result = static.run()
    assert result is None