Docinfo oletools

api_app/analyzers_manager/file_analyzers/doc_info.py

@@ -11,8 +11,10 @@
 from re import sub
 from typing import Dict, List
 
+import olefile
 from defusedxml.ElementTree import fromstring
 from oletools import mraptor
+from oletools.common.clsid import KNOWN_CLSIDS
 from oletools.msodde import process_maybe_encrypted as msodde_process_maybe_encrypted
 from oletools.olevba import VBA_Parser
 
@@ -44,6 +46,9 @@ def config(self, runtime_configuration: Dict):
 
         self.passwords_to_check.extend(self.additional_passwords_to_check)
 
+    def update(self) -> bool:
+        pass
+
     def run(self):
         results = {}
 
@@ -119,6 +124,8 @@ def run(self):
                             analyze_macro_results.append(analyze_macro_result)
                     self.olevba_results["analyze_macro"] = analyze_macro_results
 
+                results["extracted_CVEs"] = self.analyze_for_cve()
+
         except CannotDecryptException as e:
             logger.info(e)
         except Exception as e:
@@ -168,6 +175,23 @@ def analyze_for_follina_cve(self) -> List[str]:
                         hits += re.findall(r"mhtml:(https?://.*?)!", target)
         return hits
 
+    def analyze_for_cve(self) -> List:
+        pattern = r"CVE-\d{4}-\d{4,7}"
+        results = []
+        ole = olefile.OleFileIO(self.filepath)
+        for entry in sorted(ole.listdir(storages=True)):
+            clsid = ole.getclsid(entry)
+            if clsid_text := KNOWN_CLSIDS.get(clsid.upper(), None):
+                if "cve" in clsid_text.lower():
+                    results.append(
+                        {
+                            "clsid": clsid,
+                            "info": clsid_text,
+                            "CVEs": list(re.findall(pattern, clsid_text)),
+                        }
+                    )
+        return results
+
     def analyze_msodde(self):
         try:
             msodde_result = msodde_process_maybe_encrypted(
@@ -212,12 +236,14 @@ def manage_encrypted_doc(self):
                 )
                 common_pwd_to_check.append(filename_without_extension)
                 self.passwords_to_check.extend(common_pwd_to_check)
-                decrypted_file_name = self.vbaparser.decrypt_file(
-                    self.passwords_to_check
+                decrypted_file_name, correct_password = self.vbaparser.decrypt_file(
+                    self.passwords_to_check,
                 )
                 self.olevba_results[
                     "additional_passwords_tried"
                 ] = self.passwords_to_check
+                if correct_password:
+                    self.olevba_results["correct_password"] = correct_password
                 if decrypted_file_name:
                     self.vbaparser = VBA_Parser(decrypted_file_name)
                 else:

requirements/project-requirements.txt

@@ -45,7 +45,7 @@ intezer-sdk==1.19.4
 lief==0.14.0
 maxminddb==2.5.1
 mwdblib==4.5.0
-oletools==0.60
+git+https://github.com/decalage2/oletools.git@ccf99d1a8f85e552f5cc130fbaa504cfe5725a92
 OTXv2==1.5.12
 peepdf-fork==0.4.3
 pdfid==1.1.0