Open mallorybobalice opened 7 years ago
@mallorybobalice Cuckoo uses Oletools to extract olefiles within documents, and, maybe I'm wrong, but probably we should look here (https://github.com/decalage2/oletools) to see if anyone else got the same issues. https://github.com/decalage2/olefile/issues/10
It doesn't, that doesn't exist in this repo. (Anyone can add it though)
-Brad
yes Brad, sorry I meant Olefile...
With the full version of oletools it's possible to extract the malicious file inside a doc (not only macros). @spender-sandbox, I'm not so confident in Python, but with a colleague we'll try to include oleobj as a Cuckoo module and use resubmitexe to automatically submit the JS or other files found inside a document. I'll keep you updated and if you agree I'll post a PR. Regards
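The demux step this comment sketches (pull every embedded object out of a document, then hand each one on as its own submission rather than relying on a PE-only resubmit path) as an added example, not code from Cuckoo, oletools or anyone in this thread. It assumes the standard OOXML embedding locations (`word/`, `xl/`, `ppt/` under `embeddings/`); for the legacy OLE2 (2003) container it only uses `olefile` if that package happens to be installed, and returns nothing otherwise (oletools' oleobj is the tool that actually parses those streams). The sample document is constructed inline.

```python
"""Demux embedded objects out of Office containers before (re)submission.

Added example, not Cuckoo or oletools code. The OOXML path needs only the
standard library; the OLE2 path defers to olefile, if installed.
"""
import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML is a zip package
PE_MAGIC = b"MZ"

# Assumed (standard) OOXML package paths that hold embedded objects.
EMBED_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")

MAX_CHILD_SIZE = 50 * 1024 * 1024  # refuse to inflate oversized parts


def container_type(data: bytes) -> str:
    """Classify a blob by its magic bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "other"


def demux_ooxml(data: bytes):
    """Return [(name, bytes)] for every embedded object part in an OOXML file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(EMBED_PREFIXES):
                continue
            if info.file_size > MAX_CHILD_SIZE:   # zip-bomb guard
                continue
            # basename only: never let an archive path escape the work dir
            found.append((os.path.basename(info.filename), zf.read(info)))
    return found


def demux_ole2(data: bytes):
    """Return [(stream_name, bytes)] for embedded-object streams in an OLE2 file.

    Assumes the third-party olefile package; without it nothing is extracted.
    Raw Ole10Native streams still carry their own header, which oletools'
    oleobj knows how to strip; this function returns them as-is.
    """
    try:
        import olefile  # noqa: F401  (assumption: optional dependency)
    except ImportError:
        return []
    found = []
    ole = olefile.OleFileIO(data)
    try:
        for entry in ole.listdir(streams=True, storages=False):
            leaf = entry[-1]
            if leaf in ("\x01Ole10Native", "Package"):
                found.append(("/".join(entry), ole.openstream(entry).read()))
    finally:
        ole.close()
    return found


def demux(data: bytes):
    """Dispatch on container type; returns (type, [(name, bytes, child_type)])."""
    kind = container_type(data)
    if kind == "ooxml":
        children = demux_ooxml(data)
    elif kind == "ole2":
        children = demux_ole2(data)
    else:
        children = []
    return kind, [(n, b, container_type(b)) for n, b in children]


def build_sample_docx() -> bytes:
    """Constructed .docx-shaped package with two embedded objects (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 64)
        zf.writestr("word/embeddings/oleObject2.bin", PE_MAGIC + b"\x90" * 64)
        zf.writestr("word/media/image1.png", b"\x89PNG not an embedding")
    return buf.getvalue()


if __name__ == "__main__":
    kind, kids = demux(build_sample_docx())
    print(kind, [(n, t, len(b)) for n, b, t in kids])
```

Each child comes back with its own container type, so a resubmission hook can queue an `ole2` child through the same demux again (nested documents) and send a `pe` or `other` child straight to analysis, instead of silently dropping anything that is not a PE.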
Can someone please give a summary of how/where handling each case is in cuckoo-modified for now:

a) demuxing attachments out of msg files - sflock, native, utils/submit.py? (DIY/PR?)
b) demuxing embedded docs, Excel etc. files out of other Office files - 2003, 2007 format
c) what is the current status for trying to analyze OLE embeds (human.py can't help, it clicks on text labels afaik)
d) any thoughts on tracking demuxing and related tasks/original sample as tasks/related fields? (I know it's pre-submission but um)

Brad mentioned something about resubmitexe https://github.com/spender-sandbox/cuckoo-modified/blob/47e84be8a97b8414870ff816e04a0bf9bad1b751/modules/reporting/resubmitexe.py but none of the items in question are in dropped files, so it doesn't seem like it'd help. Or is my version of the code base too old (4 months)? Besides, resubmit says PE only in the ifs :\
Thanks. PS: this is all trying to get a sense from issues #364, #202, #339 and #386.