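        /// <summary>
        /// Appends one CSV row for <paramref name="macroFile"/> to the static <c>outFile</c>,
        /// writing the column header first when the file does not exist yet.
        /// </summary>
        /// <param name="cAnalysis">Scan results whose flags fill the middle columns of the row.</param>
        /// <param name="macroFile">Path of the scanned document; written as the first column.</param>
        /// <param name="sScore">Already-formatted suspicion score; written as the last column.</param>
        private static void SaveOutput(ContentAnalysis cAnalysis, string macroFile, string sScore)
        {
            bool outFileExists = File.Exists(outFile);

            using (StreamWriter outWriter = new StreamWriter(outFile, true))
            {
                if (!outFileExists)
                {
                    outWriter.WriteLine("Document_Name,Macro_Detected,Macro_AutoExec,Macro_Suspicious_Keywords,Macro_IOCs," +
                                        "Macro_Hex_Encoding,Macro_Base64_Encoding,Macro_Dridex_Encoding,Macro_VBAString_Encoding," +
                                        "Macro_mraptor_flags,Macro_mraptor_suspicious,Error_Flag,Suspicion_Score");
                }

                // The document path, the mraptor flags and the score are free-form text: a comma, quote
                // or line break in any of them would shift every later column, so they go through
                // CsvField. The boolean flags render as True/False and need no quoting.
                string[] fields =
                {
                    CsvField(macroFile),
                    CsvField(Convert.ToString(cAnalysis.olevbaMacro)),
                    cAnalysis.olevbaAutoExecutable.ToString(),
                    cAnalysis.olevbaSuspiciousKeywords.ToString(),
                    cAnalysis.olevbaIOCs.ToString(),
                    cAnalysis.olevbaHexStrings.ToString(),
                    cAnalysis.olevbaBase64Strings.ToString(),
                    cAnalysis.olevbaDridexStrings.ToString(),
                    cAnalysis.olevbaVbaStrings.ToString(),
                    CsvField(Convert.ToString(cAnalysis.mraptorFlags)),
                    cAnalysis.mraptorSuspicious.ToString(),
                    cAnalysis.errorFlag.ToString(),
                    CsvField(sScore),
                };
                outWriter.WriteLine(string.Join(",", fields));
            }
        }

        /// <summary>
        /// Returns <paramref name="value"/> quoted per RFC 4180 when it contains a comma, a double
        /// quote or a line break; otherwise returns it unchanged. A null value becomes an empty field.
        /// </summary>
        /// <param name="value">Raw field text, possibly null.</param>
        /// <returns>The field as it should appear between CSV delimiters.</returns>
        private static string CsvField(string value)
        {
            if (value == null)
            {
                return "";
            }
            if (value.IndexOfAny(new[] { ',', '"', '\r', '\n' }) < 0)
            {
                // NOTE(review): values beginning with '=', '+', '-' or '@' are written as-is; the
                // document name comes from a scanned (possibly hostile) file, so anyone opening the
                // CSV in a spreadsheet should import the column as text rather than as a formula.
                return value;
            }
            return "\"" + value.Replace("\"", "\"\"") + "\"";
        }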
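 /// <summary>
 /// Scans one document for VBA content, prints the result and, when <c>outFile</c> is set,
 /// appends a CSV row through <see cref="SaveOutput"/>.
 /// </summary>
 /// <param name="oleFile">Path of the document to scan.</param>
 /// <param name="verbose">When true, prints the full mraptor/olevba output instead of a one-line summary.</param>
 private static void PerformAnalysis(string oleFile, bool verbose)
 {
     try
     {
         ContentDetection contentDetection = new ContentDetection();
         if (!contentDetection.DetectOLEContent(oleFile))
         {
             Console.WriteLine("No VBA Contents");
             return;
         }

         ContentAnalysis contentAnalysis = new ContentAnalysis();
         contentAnalysis.ScanOLEContent(oleFile);

         SuspicionScoring suspicionScore = new SuspicionScoring();
         // Invariant culture keeps the decimal separator a '.', so the score stays a single
         // CSV column regardless of the machine's locale (a de-DE locale would print "12,5%").
         string sScore = suspicionScore.SuspicionAnalysis(contentAnalysis)
                                       .ToString("#0.##%", System.Globalization.CultureInfo.InvariantCulture);

         if (verbose)
         {
             VerboseMessage(contentAnalysis, oleFile, sScore);
         }
         else
         {
             Console.WriteLine("Scan Errors: " + contentAnalysis.errorFlag + "   Suspicion Score: " + sScore);
         }

         // IsNullOrEmpty also covers an unset (null) outFile, which the "" comparison did not.
         if (!string.IsNullOrEmpty(outFile))
         {
             SaveOutput(contentAnalysis, oleFile, sScore);
         }
     }
     catch (Exception ex)
     {
         // Report what failed rather than discarding the exception; the analyst otherwise has
         // no way to tell a parser crash from an I/O problem with outFile.
         Console.WriteLine("An error occured scanning this file: " + ex.Message);
     }
 }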
 /// <summary>
 /// Prints the suspicion score followed by the complete mraptor and olevba output of a scan,
 /// closed by two separator lines.
 /// </summary>
 /// <param name="contentAnalysis">Scan results holding the raw tool output.</param>
 /// <param name="oleFile">Path of the scanned document; not printed by this method.</param>
 /// <param name="sScore">Formatted suspicion score.</param>
 private static void VerboseMessage(ContentAnalysis contentAnalysis, string oleFile, string sScore)
 {
     const string Rule = "------------------------------------------------------------------------------------------";

     object[] report =
     {
         "Suspicion Score: " + sScore,
         "\n--- mraptor Output ---\n",
         contentAnalysis.fullmraptorOutput,
         "\n--- olevba Output ---\n",
         contentAnalysis.fullolevbaOutput,
         Rule,
         Rule,
     };

     foreach (object line in report)
     {
         Console.WriteLine(line);
     }
 }
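        /// <summary>
        /// Combines the scan flags of <paramref name="cAnalysis"/> into a score in [0, 1].
        /// Every weight field is assigned on each call, so one instance can score several analyses
        /// without carrying weights over from an earlier document.
        /// </summary>
        /// <param name="cAnalysis">Scan results to score.</param>
        /// <returns>
        /// Sum of the per-signal weights (auto-exec 0.1, suspicious keywords 0.25, IOCs 0.25, any
        /// encoded strings 0.15, mraptor suspicious 0.4), capped at 1. A scan error also forces 1.
        /// </returns>
        public double SuspicionAnalysis(ContentAnalysis cAnalysis)
        {
            // Assign each weight unconditionally: the original only set a field when its flag was
            // true, so a second call on the same instance kept the weights of the previous document.
            // NOTE(review): assumes the fields' declared default is 0 — confirm at their declaration.
            olevbaAutoExecutableScore     = cAnalysis.olevbaAutoExecutable ? 0.1 : 0;
            olevbaSuspiciousKeywordsScore = cAnalysis.olevbaSuspiciousKeywords ? 0.25 : 0;
            olevbaIOCsScore               = cAnalysis.olevbaIOCs ? 0.25 : 0;

            // Any kind of encoded string counts once (the original condition listed
            // olevbaDridexStrings twice, which was redundant).
            bool anyEncodedString = cAnalysis.olevbaHexStrings
                                 || cAnalysis.olevbaBase64Strings
                                 || cAnalysis.olevbaDridexStrings
                                 || cAnalysis.olevbaVbaStrings;
            olevbaEncodedStringScore = anyEncodedString ? 0.15 : 0;

            mraptorSuspiciousScore = cAnalysis.mraptorSuspicious ? 0.4 : 0;

            double suspicionScore = olevbaAutoExecutableScore + olevbaSuspiciousKeywordsScore + olevbaIOCsScore
                                  + olevbaEncodedStringScore + mraptorSuspiciousScore;

            // The weights can sum to 1.15, so cap at 1; a scan error also forces the maximum score.
            if (suspicionScore > 1 || cAnalysis.errorFlag)
            {
                suspicionScore = 1;
            }

            return suspicionScore;
        }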