Awesome
Generic Parser for Analyzing Malware Files to Detect Suspicious Behaviour.
A Single Library Parser to extract meta information,static analysis and detect macros within the files.
Usage:
PreRequsite
- Clone the Repo
- Create a virutalenv
virtualenv pyenv
- Install the requirements.
pip install -r requirements.txt
Script Usage
(pyenv) admin@cuckoo:~/generic-parser$ python app.py -h
usage: app.py [-h] -f PATH [-s STORE] -y YARA -e EXTRACT [--version]
optional arguments:
-h, --help show this help message and exit
-f PATH, --path PATH File Absolute Path
-s STORE, --store STORE
Store to DB
-y YARA, --yara YARA Apply Yara Matcher
-e EXTRACT, --extract EXTRACT
Extract Features
--version show program's version number and exit
- PATH : This should point to the path of the malware file which you want to analyze.
- STORE : Enable this flag if you want to store in a database.
- YARA : Enable this flag to apply yara to match for suspicious indicators in the file.
- version : Shows the version of the tool.
Features:
- Ability to Identify the Decomposition module selected based on the mime-type.
- Apply PDF based decomposition to extract features from the pdf file.
- Apply Office based decomposition to extract features of office files.
- Web Based files are decomposed to get interesting strings etc.
- Yara is applied on the entire file to get interesting matches which can help in identifying suspicious behaviour.
Sample UseCases
- Please refer to USECASES