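/// <summary>
/// Appends one CSV row describing the scan of <paramref name="macroFile"/> to <c>outFile</c>,
/// writing the header row first when the report file does not exist yet.
/// </summary>
/// <param name="cAnalysis">Per-document olevba / mraptor findings to serialise.</param>
/// <param name="macroFile">Path of the scanned document; becomes the Document_Name column.</param>
/// <param name="sScore">Pre-formatted suspicion score for the last column.</param>
private static void SaveOutput(ContentAnalysis cAnalysis, string macroFile, string sScore)
{
    // Check for the header before opening in append mode, because the append itself creates the file.
    bool outFileExists = File.Exists(outFile);

    using (StreamWriter outWriter = new StreamWriter(outFile, true))
    {
        if (!outFileExists)
        {
            outWriter.WriteLine(
                "Document_Name,Macro_Detected,Macro_AutoExec,Macro_Suspicious_Keywords,Macro_IOCs," +
                "Macro_Hex_Encoding,Macro_Base64_Encoding,Macro_Dridex_Encoding,Macro_VBAString_Encoding," +
                "Macro_mraptor_flags,Macro_mraptor_suspicious,Error_Flag,Suspicion_Score");
        }

        // The document name is the only free-form column and it is chosen by whoever produced the
        // scanned file, so it is the one field that must be CSV-escaped: an unquoted comma, quote or
        // line break in the name would shift every later column of this row.
        object[] row =
        {
            EscapeCsvField(macroFile),
            cAnalysis.olevbaMacro,
            cAnalysis.olevbaAutoExecutable,
            cAnalysis.olevbaSuspiciousKeywords,
            cAnalysis.olevbaIOCs,
            cAnalysis.olevbaHexStrings,
            cAnalysis.olevbaBase64Strings,
            cAnalysis.olevbaDridexStrings,
            cAnalysis.olevbaVbaStrings,
            cAnalysis.mraptorFlags,
            cAnalysis.mraptorSuspicious,
            cAnalysis.errorFlag,
            sScore,
        };
        outWriter.WriteLine(string.Join(",", row));
    }
}

/// <summary>
/// Quotes a CSV field per RFC 4180 when it contains a comma, double quote or line break,
/// doubling embedded quotes. Fields that need no quoting are returned unchanged, so rows
/// written for ordinary file names keep their previous format.
/// </summary>
/// <param name="field">Raw field value; <c>null</c> is written as an empty field.</param>
/// <returns>The field, quoted if required.</returns>
private static string EscapeCsvField(string field)
{
    if (field == null)
    {
        return string.Empty;
    }

    // NOTE(review): quoting keeps the column layout intact but does not stop a spreadsheet
    // application from evaluating a name that starts with '=', '+', '-' or '@' as a formula;
    // consumers that open the report in one should import Document_Name as text.
    if (field.IndexOfAny(new[] { ',', '"', '\r', '\n' }) < 0)
    {
        return field;
    }

    return "\"" + field.Replace("\"", "\"\"") + "\"";
}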
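/// <summary>
/// Scans one file for OLE/VBA content, scores it, prints the result and, when an output
/// file is configured, appends a CSV row via <c>SaveOutput</c>.
/// </summary>
/// <param name="oleFile">Path of the document to analyse.</param>
/// <param name="verbose">When true, print the full mraptor and olevba output instead of the one-line summary.</param>
private static void PerformAnalysis(string oleFile, bool verbose)
{
    try
    {
        ContentDetection contentDetection = new ContentDetection();
        if (!contentDetection.DetectOLEContent(oleFile))
        {
            Console.WriteLine("No VBA Contents");
            return;
        }

        ContentAnalysis contentAnalysis = new ContentAnalysis();
        contentAnalysis.ScanOLEContent(oleFile);

        SuspicionScoring suspicionScore = new SuspicionScoring();
        // Invariant culture so the percentage is formatted the same way regardless of the host
        // locale; the value also ends up in the CSV report, where the decimal separator matters.
        string sScore = suspicionScore.SuspicionAnalysis(contentAnalysis)
            .ToString("#0.##%", System.Globalization.CultureInfo.InvariantCulture);

        if (verbose)
        {
            VerboseMessage(contentAnalysis, oleFile, sScore);
        }
        else
        {
            Console.WriteLine("Scan Errors: " + contentAnalysis.errorFlag + " Suspicion Score: " + sScore);
        }

        if (!string.IsNullOrEmpty(outFile))
        {
            SaveOutput(contentAnalysis, oleFile, sScore);
        }
    }
    catch (Exception ex)
    {
        // Keep the best-effort behaviour (one bad file must not abort a batch), but report what
        // failed so a scan error is not silently indistinguishable from a parse problem.
        Console.WriteLine("An error occured scanning this file: " + ex.GetType().Name + " - " + ex.Message);
    }
}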
/// <summary>
/// Prints the suspicion score followed by the complete mraptor and olevba output for one document.
/// </summary>
/// <param name="contentAnalysis">Findings whose raw tool output is echoed.</param>
/// <param name="oleFile">Path of the scanned document; accepted for symmetry with the summary path, not printed here.</param>
/// <param name="sScore">Pre-formatted suspicion score.</param>
private static void VerboseMessage(ContentAnalysis contentAnalysis, string oleFile, string sScore)
{
    const string Rule = "------------------------------------------------------------------------------------------";

    Console.WriteLine("Suspicion Score: " + sScore);

    WriteSection("\n--- mraptor Output ---\n", contentAnalysis.fullmraptorOutput);
    WriteSection("\n--- olevba Output ---\n", contentAnalysis.fullolevbaOutput);

    // Two rules close the block so consecutive documents are easy to tell apart in a long run.
    Console.WriteLine(Rule);
    Console.WriteLine(Rule);

    void WriteSection(string heading, string body)
    {
        Console.WriteLine(heading);
        Console.WriteLine(body);
    }
}
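/// <summary>
/// Combines the olevba and mraptor findings into a single suspicion score in the range 0..1.
/// </summary>
/// <param name="cAnalysis">Findings for one document.</param>
/// <returns>
/// Weighted sum of the triggered indicators, capped at 1. A document whose scan raised an
/// error is always scored 1 so that an incomplete scan is never reported as clean.
/// </returns>
public double SuspicionAnalysis(ContentAnalysis cAnalysis)
{
    // Assign every component unconditionally: the fields are never cleared anywhere else, so
    // a second call on the same instance would otherwise inherit weights from an earlier document.
    olevbaAutoExecutableScore = cAnalysis.olevbaAutoExecutable ? 0.1 : 0.0;
    olevbaSuspiciousKeywordsScore = cAnalysis.olevbaSuspiciousKeywords ? 0.25 : 0.0;
    olevbaIOCsScore = cAnalysis.olevbaIOCs ? 0.25 : 0.0;

    // All four string-obfuscation detections share one weight; several at once do not stack.
    bool hasEncodedStrings = cAnalysis.olevbaHexStrings
        || cAnalysis.olevbaBase64Strings
        || cAnalysis.olevbaDridexStrings
        || cAnalysis.olevbaVbaStrings;
    olevbaEncodedStringScore = hasEncodedStrings ? 0.15 : 0.0;

    mraptorSuspiciousScore = cAnalysis.mraptorSuspicious ? 0.4 : 0.0;

    // The weights sum to 1.15, so the cap below is reachable when every indicator fires.
    double suspicionScore = olevbaAutoExecutableScore
        + olevbaSuspiciousKeywordsScore
        + olevbaIOCsScore
        + olevbaEncodedStringScore
        + mraptorSuspiciousScore;

    if (suspicionScore > 1 || cAnalysis.errorFlag)
    {
        suspicionScore = 1;
    }

    return suspicionScore;
}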