kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Failed to run the processing module "CAPE": 'PDFReference' object has no attribute 'hasElement' #1582

Closed SuvakSamuel closed 1 year ago

SuvakSamuel commented 1 year ago


Prerequisites


(A couple of commits behind the latest commit, as I set up my instance 3 days ago; none of the newer ones, as of submitting this issue, address this.)

Expected Behavior

I'm expecting that the main processing module CAPE does not error out completely when analyzing a malware sample, and that the File Details section shows up like here:

image

Current Behavior

But it does error out, and File Details are missing:

image

Failure Information (for bugs)

When processing analysis results of a .pdf file I got from MalwareBazaar (https://bazaar.abuse.ch/sample/293ad4950baf9f25ff33af94191618aab9a25e9e9ec7ab84861509348121122f/), the processing module CAPE encounters an exception, and as a result, the File Details section (which I assume includes static analysis results) is missing.

Steps to Reproduce

Just submit the pdf for analysis and wait for the results to show up.

Context

I assume the problem is with analyzing JavaScript, as the process log of the analysis mentions it. I don't have an account on capesandbox.com, so I couldn't test the sample on the public instance, though I did find one analysis which also has File Details missing: https://www.capesandbox.com/analysis/391162/

I did try to install peepdf on my instance as well, since it is mentioned as an optional dependency, and it also seemed like a good idea to have it for analyzing .pdf files. I am, however, unsure if I even installed it correctly. I tried to follow the instructions here https://github.com/CAPESandbox/peepdf, but the setup.py files errored out on me, and since CAPE now uses Poetry, I figured I'd add the dependencies using Poetry.

First I added the peepdf dependency using Poetry (in /opt/CAPEv2/ as the user "cape"):

poetry add https://github.com/CAPESandbox/peepdf/archive/20eda78d7d77fc5b3b652ffc2d8a5b0af796e3dd.zip#egg=peepdf==0.4.2

Then I cloned the stpyv8 library, copied the directory to /opt/CAPEv2 and added it to CAPE:

sudo cp -r stpyv8-ubuntu-22.04-3.10 /opt/CAPEv2
(ran this command in a different directory as the user "user")

poetry add stpyv8-ubuntu-22.04-3.10/stpyv8-11.2.214.9-cp310-cp310-linux_x86_64.whl
(ran this command as the user "cape")

And lastly I installed libemu on the system (ran the first two commands as "user") so I could then add the pylibemu dependency (as "cape"):

wget http://archive.ubuntu.com/ubuntu/pool/universe/libe/libemu/libemu2_0.2.0+git20120122-1.2build1_amd64.deb http://archive.ubuntu.com/ubuntu/pool/universe/libe/libemu/libemu-dev_0.2.0+git20120122-1.2build1_amd64.deb
sudo apt install ./libemu2_0.2.0+git20120122-1.2build1_amd64.deb ./libemu-dev_0.2.0+git20120122-1.2build1_amd64.deb

poetry add pylibemu

I'm not sure if this was the way to install peepdf and all its dependencies, so the issue is either in my setup or something's wrong with the CAPE processing module, and I'm not that skilled yet to go and debug the issue there. Any ideas where the issue lies, or even recommendations on how to analyze .pdf files using CAPE?

| Question | Answer |
| --- | --- |
| Git commit | 8746cc04e6c06b567f4a791827629f1ab0f6491a |
| OS version | Ubuntu 22.04.02 LTS host, Windows 10 20H2 guest |

Failure Logs

Analysis log, to show that nothing went wrong during the analysis:

analysis.log

Process log of the analysis of the sample used:

process-8.log

pyproject.toml, where all Poetry dependencies used are listed, since I tried to install peepdf:

pyproject.txt

doomedraven commented 1 year ago

All those PDF modules are dead and obsolete.

SuvakSamuel commented 1 year ago

I'm not sure I understand what you mean; are you saying that I just shouldn't bother with peepdf and should remove it along with pylibemu and stpyv8 from my install? Do you have any recommendations for any other libraries or anything that might help with analyzing PDFs using CAPE?

doomedraven commented 1 year ago

Yes, in case you won't dig into the code and update it. No, I'm not aware of any decent one nowadays.


SuvakSamuel commented 1 year ago

Okay, so I ran poetry remove on everything related to peepdf, reloaded the processor and ran analyses on two samples which had this issue. Thankfully both of them now show the File Details section. Might dig into the peepdf code in the future, gotta wrap up my bachelor thesis first (: Before I close this issue, if I have any questions regarding CAPE or if I want to ask if I set up something correctly and all that kind of stuff that isn't really an issue with CAPE, should I send an email to someone or how should I proceed?

doomedraven commented 1 year ago

You can ask it here; everyone who is watching the repo will see it, and if they want, they will respond.