spender-sandbox / cuckoo-modified

Modified edition of cuckoo

more automation #364

Open garanews opened 7 years ago

garanews commented 7 years ago

I have 3 cases (coming from emails received) where I need more automation (from easy to hard):

1. URL that points to a malicious document. If I submit the URL, at the moment the document is downloaded but not opened.
2. Document (PDF, but probably soon it will happen also with office documents) that contains a malicious URL. If I submit the document, at the moment the document is opened but the URL is not clicked.
3. Email with a password-protected office document, where the password is contained in the email's body :)

doomedraven commented 7 years ago

For case 1, you can just write a package to download and execute with start, as in the generic package.

garanews commented 7 years ago

For point 3, https://github.com/spender-sandbox/cuckoo-modified/issues/414 is ok, so it is possible to remove the password through the command line. But these documents, when opened, look like this (image a1):

someone has to press the buttons, any idea? :)

garanews commented 7 years ago

If I try to execute the docx and press manually over the objects, in the dropped files I find Document.Part12233736 .vbs (aa641ee659d1d688fd2904b7d1796dfc, https://www.virustotal.com/en/file/a41a91dbeb389503ba0d194ad96d06a8549ba2ddb81b7d89db774ba08f2a4895/analysis/), which looks like this (image vbs1). If I unzip the docx I get this (image): all 4 oleObjects have hash 97b3046d3dc52a1f8b871fbb3d2ae491 (https://virustotal.com/it/file/4a4ec1e972044d975684168ecfece3bee6046e897591510b78265cc7f004b4a0/analysis/) and look like this (image).

So it seems that extracting OLE objects from the docx with unzip does not generate the same result as double-clicking over the objects in Word.
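The comparison described above (hashing what `unzip` yields from the docx against what Word drops when an object is activated) can be scripted for triage. The following is an added example, not code from this thread or from cuckoo-modified: it builds a constructed docx-like ZIP with placeholder bytes (no real document or malware), enumerates the parts under `word/embeddings/`, hashes each one as stored, flags whether the part is an OLE compound file (CFB magic) and whether a `vbaProject.bin` macro part exists, then checks dropped files against the stored hashes. With a real sample you would call `inspect_docx` on the docx path and pass the sandbox's dropped files to `match_dropped_files`; `demo` and the byte contents are assumptions made up here so the script runs offline.

```python
import hashlib
import os
import tempfile
import zipfile

# Constructed sample data: placeholder bytes, not a real document or payload.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature
OLE_CONTAINER = CFB_MAGIC + b"\x00" * 24 + b"constructed-ole-container"
DROPPED_VBS = b"constructed-payload.vbs"  # stands in for the dropped .vbs


def build_sample_docx(path):
    """Write a minimal docx-like ZIP: two identical embedded objects (so they
    hash the same, as the four oleObjects did in the thread) plus a macro part."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", CFB_MAGIC + b"constructed-macro-project")
        z.writestr("word/embeddings/oleObject1.bin", OLE_CONTAINER)
        z.writestr("word/embeddings/oleObject2.bin", OLE_CONTAINER)


def digests(data):
    """MD5 and SHA-256, the two hash forms used in the thread / on VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def inspect_docx(path):
    """Enumerate embedded objects of an OOXML document exactly as stored in the
    ZIP (what 'unzip' gives you) and note whether a VBA project is present."""
    report = {"embeddings": [], "has_macros": False}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name == "word/vbaProject.bin":
                report["has_macros"] = True
            if name.startswith("word/embeddings/"):
                data = z.read(name)
                entry = {"name": name,
                         "size": len(data),
                         "is_cfb": data.startswith(CFB_MAGIC)}
                entry.update(digests(data))
                report["embeddings"].append(entry)
    return report


def match_dropped_files(report, dropped):
    """Map each dropped file name to True if its SHA-256 equals one of the
    stored embedded objects, False otherwise (False = Word transformed it)."""
    stored = {e["sha256"] for e in report["embeddings"]}
    return {name: digests(data)["sha256"] in stored for name, data in dropped.items()}


def demo():
    """Build the constructed sample in a temp dir and run both checks on it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample.docx")
    build_sample_docx(path)
    report = inspect_docx(path)
    matches = match_dropped_files(report, {"Document.Part.vbs": DROPPED_VBS})
    return report, matches


if __name__ == "__main__":
    report, matches = demo()
    print("macros present:", report["has_macros"])
    for e in report["embeddings"]:
        print(e["name"], "cfb" if e["is_cfb"] else "raw", e["md5"], e["sha256"])
    print("dropped files matching a stored object:", matches)
```

A dropped file whose hash matches nothing in the ZIP is the signal that the bytes Word writes to disk are not the stored container; the stored parts' hashes are what a static unzip or a VirusTotal lookup of the container will show, so both sets need to be collected when building indicators.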

doomedraven commented 7 years ago

The macro can decode some objects before dropping them to the system.