Open garanews opened 7 years ago
For point 3, https://github.com/spender-sandbox/cuckoo-modified/issues/414 is ok, so it is possible to remove the password through the command line. But these documents, when opened, look like someone has to press the buttons. Any idea? :)
If I try to execute the docx and press manually over the objects, in the dropped files I find `Document.Part12233736 .vbs` (aa641ee659d1d688fd2904b7d1796dfc, https://www.virustotal.com/en/file/a41a91dbeb389503ba0d194ad96d06a8549ba2ddb81b7d89db774ba08f2a4895/analysis/) that looks like this.

If I unzip the docx, all 4 oleObjects have the hash 97b3046d3dc52a1f8b871fbb3d2ae491 (https://virustotal.com/it/file/4a4ec1e972044d975684168ecfece3bee6046e897591510b78265cc7f004b4a0/analysis/) and look like this.

So it seems that extracting OLEs from the docx with unzip does not generate the same result as double-clicking over the objects in Word.
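The comparison described in this comment (hash the OLE objects obtained by unzipping the docx, then check them against what the sandbox actually dropped) can be automated. The script below is an added example, not code from the thread or from cuckoo-modified; the docx it builds is a constructed stand-in whose `word/embeddings/oleObject*.bin` members hold dummy bytes rather than a real OLE compound file, and the dropped-file hash it checks is the one quoted in the comment above.

```python
"""Static extraction of embedded OLE objects from a .docx (a ZIP container),
hashed so they can be compared with the files a sandbox run actually dropped."""
import hashlib
import io
import zipfile

# Constructed stand-in for an embedded object: OLE compound-file magic bytes
# followed by filler. Not a real OLE object; only its hash matters here.
OLE_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56 + b"constructed-ole-object"


def build_sample_docx(n_objects: int = 4) -> bytes:
    """Build a minimal docx-like ZIP with n identical objects under
    word/embeddings/, mirroring the four same-hash oleObjects in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for i in range(1, n_objects + 1):
            zf.writestr(f"word/embeddings/oleObject{i}.bin", OLE_STUB)
    return buf.getvalue()


def extract_embedded_objects(docx_bytes: bytes) -> dict:
    """Return {member_path: {'size', 'md5', 'sha256'}} for every member under
    word/embeddings/ (the 'unzip the docx' approach from the thread)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            data = zf.read(name)
            found[name] = {
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return found


def unexplained_drops(extracted: dict, dropped_md5s: set) -> set:
    """MD5s of sandbox-dropped files that match no statically extracted object.

    A non-empty result means the document transformed its payload at runtime
    (for example a macro decoding an object before writing it), so static
    extraction alone would miss what actually landed on disk."""
    static = {info["md5"] for info in extracted.values()}
    return set(dropped_md5s) - static


if __name__ == "__main__":
    doc = build_sample_docx()
    objs = extract_embedded_objects(doc)
    for path, info in objs.items():
        print(path, info["size"], info["md5"])
    # The dropped .vbs hash reported in the thread matches none of the
    # embedded objects, which is exactly the mismatch the comment describes.
    print(unexplained_drops(objs, {"aa641ee659d1d688fd2904b7d1796dfc"}))
```

Run it against a real sample by replacing `build_sample_docx()` with the bytes of the docx and `dropped_md5s` with the MD5s from the sandbox's dropped-files report; any hash left in the result is a file the document produced only at runtime.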
The macro can decode some objects before dropping them to the system.
I have 3 cases (coming from emails received) where I need more automation (from easy to hard):

1) A URL that points to a malicious document. If I submit the URL, at the moment the document is downloaded but not opened.
2) A document (PDF, but probably soon it will happen also with Office documents) that contains a malicious URL. If I submit the document, at the moment the document is opened but the URL is not clicked.
3) An email with a password-protected Office document, where the password is contained in the email's body :)