embedded docs, mal oles and msg files?

[mallorybobalice]

can someone please give a summary how/where handling each case is in cuckoo modified for now:

a) demuxing attachments out of msg files -sflock, native, utils/submit.py? (dyi/PR?) b) demuxing embedded docs excel etc files out of other office files - 2003,2007 format c) what is the current status for trying to analyze ole embeds (human.py can't help, clicks on text labels afaik) d) any thoughts on tracking demuxing and related tasks/original sample as tasks/related fields? (I know it's pre submission but um)

-Brad mentioned something about resubmitexe https://github.com/spender-sandbox/cuckoo-modified/blob/47e84be8a97b8414870ff816e04a0bf9bad1b751/modules/reporting/resubmitexe.py but none of items in question are in dropped files so it doesn't seem like it'd help. or is my version of code base too old (4 months) . besides resubmit says pe only in the ifs :\

thanks. ps this is all trying to get a sense from

364#issues

202#issues

339 #issues

386#issues

[Nwinternights]

@mallorybobalice Cuckoo uses Oletools to extract olefiles within documents, and, maybe I'm wrong,but probably we should look at here (https://github.com/decalage2/oletools) to see if anyone else got the same issues. https://github.com/decalage2/olefile/issues/10

[spender-sandbox]

It doesn't, that doesn't exist in this repo. (Anyone can add it though)

-Brad

[Nwinternights]

yes Brad, sorry I meant Olefile...

[Nwinternights]

With the full version of oletools it's possible to extract the malicious file inside a doc (not only macros). @spender-sandbox , I'm not so confident in python but with a collegue we'll try to include oleobj as a cuckoo's module and use the resubmitexe to automatic submit the js or other files found inside a document. I'll keep u updated and if u agree I'll post a PR. regards