diff --git a/data/malicioustlds.txt b/data/malicioustlds.txt
new file mode 100644
index 00000000..1a385a42
--- /dev/null
+++ b/data/malicioustlds.txt
@@ -0,0 +1,126 @@
+.link
+.cam
+.bar
+.surf
+.xyz
+.click
+.buzz
+.gq
+.ga
+.rest
+.ml
+.cc
+.cfd
+.cyou
+.accountant
+.ar
+.bg
+.bid
+.biz
+.biz.ua
+.br
+.camera
+.cf
+.club
+.co
+.co.ua
+.co.in
+.co.mz
+.co.nz
+.com.au
+.com.tw
+.computer
+.cricket
+.date
+.diet
+.download
+.email
+.es
+.faith
+.gdn
+.global
+.guru
+.help
+.in
+.info
+.kz
+.lol
+.loan
+.media
+.men
+.news
+.ninja
+.nyc
+.party
+.photography
+.pt
+.pw
+.racing
+.reise
+.review
+.rocks
+.ru
+.science
+.site
+.solutions
+.space
+.stream
+.tech
+.today
+.top
+.tr
+.trade
+.uno
+.us
+.vn
+.webcam
+.website
+.win
+.work
+.africa
+.autos
+.best
+.bet
+.bio
+.boats
+.bond
+.boston
+.boutique
+.center
+.charity
+.christmas
+.coupons
+.dance
+.finance
+.fishing
+.giving
+.hair
+.haus
+.homes
+.icu
+.kim
+.lat
+.llp
+.loans
+.love
+.ltd
+.mom
+.motorcycles
+.name
+.okinawa
+.promo
+.rehab
+.rugby
+.run
+.sale
+.sew
+.skin
+.store
+.sz
+.tattoo
+.tokyo
+.voto
+.wang
+.wf
+.yachts
+.you
\ No newline at end of file
diff --git a/modules/signatures/all/pdf_annot_urls.py b/modules/signatures/all/pdf_annot_urls.py
index 740e0370..5bd3e64f 100644
--- a/modules/signatures/all/pdf_annot_urls.py
+++ b/modules/signatures/all/pdf_annot_urls.py
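Review bot: A large share of this list is whole country-code and mainstream generic TLDs (`.co`, `.in`, `.us`, `.ru`, `.es`, `.br`, `.pt`, `.tr`, `.vn`, `.biz`, `.info`, `.tech`, `.store`, `.email`, `.news`, `.com.au`, `.co.nz`), and the consumer added in this same commit treats any `endswith` match as a severity-6 "Malicious Link Annotation", so every PDF that links to a Brazilian, Indian or `.info` site will be reported as malicious with no further evidence. Either trim the list to the abuse-heavy TLDs that motivate it, or have the consumer label a TLD-only match "suspicious" and score it below a malicious-extension hit. The loader in this commit skips any line that does not start with `.`, so a provenance header such as `# Source: <feed name and date of review>; matched as a domain suffix by pdf_annot_urls.py, keep the leading dot` can be added at the top without changing parsing (the actual source is not recoverable from the diff, so fill in the real one).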
@@ -16,36 +16,69 @@ from lib.cuckoo.common.abstracts import Signature -class PDF_Annot_URLs(Signature): - name = "pdf_annot_urls" - description = "The PDF contains a Link Annotation to a compressed archive or executable file" - severity = 3 +class PDF_Annot_URLs_Checker(Signature): + name = "pdf_annot_urls_checker" + description = "The PDF contains a Link Annotation" + severity = 2 # Default severity categories = ["static"] - authors = ["Optiv"] - minimum = "1.3" + authors = ["Wassime BATTA"] + minimum = "0.5" - filter_analysistypes = set(["file"]) + filter_analysistypes = set(["file","static"]) + + malicious_tlds_file = "/opt/CAPEv2/data/malicioustlds.txt" + + def __init__(self, *args, **kwargs): + super(PDF_Annot_URLs_Checker, self).__init__(*args, **kwargs) + self.malicious_tlds = self.load_malicious_tlds() + + def load_malicious_tlds(self): + malicious_tlds = set() + with open(self.malicious_tlds_file, "r") as f: + for line in f: + line = line.strip() + if line.startswith("."): + malicious_tlds.add(line) + return malicious_tlds def run(self): - found_URLs = False - if "static" in self.results and "pdf" in self.results["static"]: - if "PDF" in self.results["target"]["file"].get("type", ""): - if "Annot_URLs" in self.results["static"]["pdf"]: - for entry in self.results["static"]["pdf"]["Annot_URLs"]: - entrylower = entry.lower() - if entrylower.endswith( - (".zip", ".exe", ".msi", ".bat", ".scr", ".rar", ".com") - ) and not entrylower.startswith( - "mailto:" - ): # skip mailto: as it can't add attachments - skip = False - # skip triggering on http:// and https:// links that don't have anything after the domain name - # so http://foo.com will be skipped, but http://foo.com/malware.com will not be - if entrylower.startswith("http://") and not entrylower.find("/", 8): - skip = True - elif entrylower.startswith("https://") and not entrylower.find("/", 9): - skip = True - if skip: - self.data.append({"url": entry}) - found_URLs = True - return found_URLs + 
found_malicious_extension = False + found_malicious_domain = False + found_domain_only = False + suspect = False + + if "PDF" in self.results["target"]["file"].get("type", ""): + if "Annot_URLs" in self.results["target"]["file"]["pdf"]: + for entry in self.results["target"]["file"]["pdf"]["Annot_URLs"]: + entry_lower = entry.lower() + self.data.append({"url": entry}) + if entry_lower.endswith((".exe", ".php", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".psm1", ".sh")) \ + and not entry_lower.startswith("mailto:"): + found_malicious_extension = True + + if entry_lower.startswith("http://") or entry_lower.startswith("https://"): + domain_start = entry_lower.find("//") + 2 + domain_end = entry_lower.find("/", domain_start) + if domain_end == -1: + domain = entry_lower[domain_start:] + else: + domain = entry_lower[domain_start:domain_end] + + for malicious_tld in self.malicious_tlds: + if domain.endswith(malicious_tld): + found_malicious_domain = True + break + else: + # If no malicious TLDs detected, set found_domain_only to True + found_domain_only = True + + if found_malicious_domain or found_malicious_extension: + self.severity = 6 + self.description = "The PDF contains a Malicious Link Annotation" + suspect = True + elif found_domain_only: + self.severity = 2 + self.description = "The PDF contains a Link Annotation" + suspect = True + + return suspect diff --git a/modules/signatures/windows/credential_dumping.py b/modules/signatures/windows/credential_dumping.py index 52e5db69..db1d397b 100644 --- a/modules/signatures/windows/credential_dumping.py +++ b/modules/signatures/windows/credential_dumping.py @@ -128,7 +128,9 @@ def run(self): if match: self.data.append({"regkey": match}) ret = True - + # Tweak + if "PDF" in self.results["target"]["file"].get("type", ""): + self.severity = 1 return ret
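Review bot: The host slice in the `http://`/`https://` branch stops only at the first `/`, so an annotation URL carrying a port, credentials, query or fragment (`http://evil.xyz:8080`, `http://evil.xyz?a=1`, `http://a@evil.xyz#x`) keeps that suffix, never matches a TLD, and falls into the benign `found_domain_only` path — a trivial bypass for attacker-controlled input; `urllib.parse.urlsplit(...).hostname` (import at file top, outside this hunk) strips all of that, and since it raises `ValueError` on malformed input such as `http://[`, it needs a guard so a crafted PDF cannot crash the signature. `self.results["target"]["file"]["pdf"]` is indexed without a guard right after the `.get("type", "")` check, so a PDF-typed target whose static extraction produced no `pdf` key raises `KeyError` instead of returning False, whereas the removed code only looked for `Annot_URLs` inside a parent it had confirmed exists. Separately, `malicious_tlds_file` is an absolute `/opt/CAPEv2/...` path opened in `__init__` with no error handling, so a non-default install or a missing file breaks signature loading as a whole rather than this one signature degrading to an empty set; a path relative to the project root plus a `FileNotFoundError` fallback would be safer, and the `.php` entry in the extension tuple will flag ordinary web links at severity 6.
```python
    def run(self):
        found_malicious_extension = False
        found_malicious_domain = False
        found_domain_only = False
        suspect = False

        if "PDF" in self.results["target"]["file"].get("type", ""):
            # static extraction may not have produced a "pdf" section at all
            pdf_info = self.results["target"]["file"].get("pdf", {})
            for entry in pdf_info.get("Annot_URLs", []):
                entry_lower = entry.lower()
                self.data.append({"url": entry})
                # … unchanged: malicious-extension check …

                if entry_lower.startswith(("http://", "https://")):
                    # hostname drops userinfo, port, query and fragment; the
                    # previous slice kept "evil.xyz:8080" and never matched.
                    try:
                        host = urlsplit(entry_lower).hostname or ""
                    except ValueError:  # e.g. "http://[" from a hostile PDF
                        host = ""
                    if any(host.endswith(tld) for tld in self.malicious_tlds):
                        found_malicious_domain = True
                    else:
                        found_domain_only = True

        # … unchanged: severity/description selection and return …
```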
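Review bot: The `# Tweak` comment on the new severity override says nothing about why a credential-dumping registry match is downgraded to severity 1 merely because the sample is a PDF, so a reader of this signature sees a genuine hit silenced with no rationale; replace it with a why-comment such as `# PDF targets: downgraded to informational here — presumably because the reader process touches these keys on benign documents; confirm against a clean-PDF baseline before relying on this`. The override also runs unconditionally, including when `ret` is False, and `self.results["target"]["file"]` is indexed without `.get`, which looks like it would raise on an analysis whose target is not a file unless this signature is already restricted to file analyses — that cannot be told from the hunk. `run` starts outside this hunk.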