c-rosenberg
commented
5 years ago Hey, thanks for your suggestions. This initial implementation was a quick shot while the Emotet wave last December. We have started using mraptor, but found olevba is returning more details . We have added an extended mode to Rspamd to be able to add symbols to any reported macro function. So you are able to just take action to e.g. Workbook_Open and Shell combinations. We gave the direct integration a quick try, but was faster to use the json output of the command line tools.
Nevertheless, we are currently thinking about to move to persistent http connection on the Rspamd side, so we maybe reimplement the complete script and use oletools directly.
Thanks for your great work.
jonmoesli
Hi, I see that olefy is calling olevba as an external script, and capturing its output + exit code. I think this is error prone and may lead to issues if we change the display or behaviour of olevba.
I would advise to import olevba and to use its python API instead: https://github.com/decalage2/oletools/wiki/olevba#how-to-use-olevba-in-python-applications
Moreover, olevba is meant for malware analysts to look at the details of a file when they know it's suspicious or malicious. If your goal is to decide (automatically) if a file is innocuous or suspicious, I would suggest to try mraptor instead. It is built on top of olevba, but applies a simple algorithm to detect suspicious keywords, and returns a clear result: https://github.com/decalage2/oletools/wiki/mraptor
For example, it is used in the project MacroMilter for sendmail/postfix: https://github.com/sbidy/MacroMilter
I have not yet documented the mraptor API, so for now you need to look at the code. But it's not a complex API.