intelowlproject · mlodic · Mar 4, 2024 · Feb 13, 2024 · Feb 13, 2024 · Feb 14, 2024
diff --git a/api_app/analyzers_manager/file_analyzers/doc_info.py b/api_app/analyzers_manager/file_analyzers/doc_info.py
@@ -11,13 +11,15 @@
 from re import sub
 from typing import Dict, List
 
+import olefile
 from defusedxml.ElementTree import fromstring
-from oletools import mraptor
-from oletools.msodde import process_maybe_encrypted as msodde_process_maybe_encrypted
-from oletools.olevba import VBA_Parser
 
 from api_app.analyzers_manager.classes import FileAnalyzer
 from api_app.analyzers_manager.models import MimeTypes
+from oletools import mraptor
+from oletools.common.clsid import KNOWN_CLSIDS
+from oletools.msodde import process_maybe_encrypted as msodde_process_maybe_encrypted
+from oletools.olevba import VBA_Parser
 
 logger = logging.getLogger(__name__)
 
@@ -119,6 +121,8 @@ def run(self):
                             analyze_macro_results.append(analyze_macro_result)
                     self.olevba_results["analyze_macro"] = analyze_macro_results
 
+                results["cve"] = self.analyze_for_cve()
+
         except CannotDecryptException as e:
             logger.info(e)
         except Exception as e:
@@ -168,6 +172,25 @@ def analyze_for_follina_cve(self) -> List[str]:
                         hits += re.findall(r"mhtml:(https?://.*?)!", target)
         return hits
 
+    def analyze_for_cve(self) -> Dict:
+        pattern = r"CVE-\d{4}-\d{4,7}"
+        cve = {}
+        ole = olefile.OleFileIO(self.filepath)
+        for entry in sorted(ole.listdir(storages=True)):
+            clsid = ole.getclsid(entry)
+            if clsid_text := KNOWN_CLSIDS.get(clsid.upper(), None):
+                if matches := re.findall(pattern, clsid_text):
+                    for match in matches:
+                        if match in cve:
+                            if clsid in cve[match]:
+                                cve[match][clsid].append(clsid_text)
+                                cve[match][clsid] = list(set(cve[match][clsid]))  # uniq
+                            else:
+                                cve[match][clsid] = [clsid_text]
+                        else:
+                            cve[match] = {clsid: [clsid_text]}
+        return cve
+
     def analyze_msodde(self):
         try:
             msodde_result = msodde_process_maybe_encrypted(
@@ -212,12 +235,14 @@ def manage_encrypted_doc(self):
                 )
                 common_pwd_to_check.append(filename_without_extension)
                 self.passwords_to_check.extend(common_pwd_to_check)
-                decrypted_file_name = self.vbaparser.decrypt_file(
-                    self.passwords_to_check
+                decrypted_file_name, correct_password = self.vbaparser.decrypt_file(
+                    self.passwords_to_check,
                 )
                 self.olevba_results[
                     "additional_passwords_tried"
                 ] = self.passwords_to_check
+                if correct_password:
+                    self.olevba_results["correct_password"] = correct_password
                 if decrypted_file_name:
                     self.vbaparser = VBA_Parser(decrypted_file_name)
                 else: