{"id":13705994,"url":"https://github.com/lprat/static_file_analysis","last_synced_at":"2026-01-16T19:21:25.874Z","repository":{"id":110262079,"uuid":"99939524","full_name":"lprat/static_file_analysis","owner":"lprat","description":"Analysis of file (doc, pdf, exe, ...) in deep (emmbedded file(s)) with clamscan and yara rules","archived":false,"fork":false,"pushed_at":"2023-09-06T10:01:06.000Z","size":9708,"stargazers_count":49,"open_issues_count":1,"forks_count":11,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-11-13T13:39:24.972Z","etag":null,"topics":["analysis","clamav","defensive-security","docker","malware-analysis","security","security-tools","sigma","static-analysis","yara","yara-rules"],"latest_commit_sha":null,"homepage":null,"language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lprat.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-08-10T15:44:12.000Z","updated_at":"2024-09-21T12:38:49.000Z","dependencies_parsed_at":"2024-01-07T09:40:02.836Z","dependency_job_id":"5e98f3f0-c1c1-408c-81f3-b7bfd0bb9248","html_url":"https://github.com/lprat/static_file_analysis","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lprat%2Fstatic_file_analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lprat%2Fstatic_file_analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lprat%2Fstatic_file_analysis/releases","manifests_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/lprat%2Fstatic_file_analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lprat","download_url":"https://codeload.github.com/lprat/static_file_analysis/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252542252,"owners_count":21764934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","clamav","defensive-security","docker","malware-analysis","security","security-tools","sigma","static-analysis","yara","yara-rules"],"created_at":"2024-08-02T22:00:51.008Z","updated_at":"2026-01-16T19:21:25.851Z","avatar_url":"https://github.com/lprat.png","language":"YARA","funding_links":[],"categories":["Tools"],"sub_categories":[],"readme":"# Static analysis of malicious files\n*In-depth analysis of malicious files with clamscan and yara rules.*\n\nThis tool, written in Python, links clamav and yara. It helps you score a suspect file, builds a visual tree graph for quickly displaying embedded files (parent type, type, suspect or dangerous content), and computes indicators of compromise. It uses clamav to extract embedded files and build a json tree, then sends every embedded file to yara with context (in external variables) in order to check the rules. When a rule matches, the tool assigns that rule's score. The max rule score is placed at the top of the tree; you can also add a global score, which uses all the scores found to compute a coefficient score. 
As an extra feature, the tool can extract specific patterns (URL, HOST, IP, ...).\n\n## Features\n- Easy to use: [docker pull lprat/sfa](https://hub.docker.com/r/lprat/sfa)\n- Web UI integrated in the API\n- Clamscan extracts embedded files and makes a json report\n- Clamscan checks passwords on encrypted zip files (ref: https://blog.didierstevens.com/2017/02/15/quickpost-clamav-and-zip-file-decryption/)\n- Extract files from a URL with THUG (https://thug-honeyclient.readthedocs.io/en/latest/intro.html) and analyse the extracted files\n- Analyse the json report and make json trees to consolidate information\n- Extract patterns (pattern.db) with the ability to use the yara rules\n- Scan embedded files and the root file with yara rules (+ context information in external variables: type, parent type, extracted patterns, ...)\n  - 2 levels of yara rules (applied in order), to gain speed and avoid repeating the same rules for each extension\n    - First level: format-specific rules\n      - check file type (reg, chm, exe, dll, ...) and potential risk according to the extension (script, autopen, ...), then pass (through an external variable) only the checks linked to that extension on to level 2\n      - check file origin: embedded file\n    - Second level: global rules shared across formats\n      - check for unknown file type (extension): entropy, ...\n      - check suspect file content: obfuscated, ciphered, packed, ...\n      - check dangerous elements (Mitre Attack): registry, command, ... 
\n      - check malware family IOCs (MISP import)\n- Compute risk score\n  - Put the max score on top of the tree\n  - Add a global score, using the coefficient mechanism (coef.conf), to the max score\n- Extract IOCs on yara rule matches\n- Extract text from images by OCR\n- Decompile Java JAR \u0026 CLASS files with procyon\n- Check VirusTotal \u0026 INTEZER \u0026 Hybrid Analysis \u0026 APP.ANY.RUN \u0026 OTX \u0026 XFORCE \u0026 MISP\n- Create a PNG graph for fast analysis\n- Output the result tree as json in a file\n\n## Interesting tools\n\nMy docker container contains static analysis tools and other tools for deeper analysis when yara rules match:\n- Special tools\n  - Flash: ffdec\n  - Office document \u0026 rtf: oletools (https://github.com/decalage2/oletools)\n  - pdf: peepdf (https://github.com/jesparza/peepdf)\n  - sdb: python-sdb (https://github.com/williballenthin/python-sdb)\n  \n- Decompiler\n  - Java: procyon\n  - Exe python py2exe: unpy2exe (https://github.com/matiasb/unpy2exe)\n  - Exe python PyInstaller: PyInstaller Extractor (https://sourceforge.net/projects/pyinstallerextractor/) or binwalk!\n  - Python bytecode (pyc): uncompyle6\n  - Autoit: clamav auto extract script\n  - VisualBasic \u0026 dotnet: vb decompiler (https://www.vb-decompiler.org/) used with wine\n  \n- Emulator/sandbox\n  - Vbscript: vmonkey (https://github.com/decalage2/ViperMonkey)\n  - javascript:\n    - box-js (https://github.com/CapacitorSet/box-js)\n    - JsJaws (https://github.com/CybercentreCanada/assemblyline-service-jsjaws)\n  - capabilities of PE/ELF/shellcode: https://github.com/mandiant/capa\n  - elf: \n    - mbox (https://github.com/tsgates/mbox)\n    - zelos (https://github.com/zeropointdynamics/zelos)\n  - PE/Shellcode:\n    - Cmulator (https://github.com/Coldzer0/Cmulator)\n    - wine (http://www.hexacorn.com/blog/2016/12/14/malware-analysis-using-wine/ =\u003e WINEDEBUG=+all wine malware.exe)\n    - Speakeasy (https://github.com/mandiant/speakeasy)\n  - Php: \n    - 
https://sandbox.onlinephpfunctions.com/\n    - https://github.com/bediger4000/reverse-php-malware\n  \n- Debugger/DBI\n  - bash: \"bash -x script.sh\"\n  - python: \"python -m pdb script.py\"\n  - strace: syscall trace\n  - ltrace: lib trace\n  - frida: frida (https://www.frida.re/)\n  \n- Others\n  - web analysis: thug (https://github.com/buffer/thug)\n  - shellcode extraction: scanr (https://github.com/1Project/Scanr)\n  - IDX parser: Java_IDX_Parser (https://github.com/Rurik/Java_IDX_Parser)\n  - Beautify js: js-beautify (https://github.com/beautify-web/js-beautify)\n  - String Solver: floss (https://github.com/fireeye/flare-floss)\n  - firmware analysis: binwalk (https://github.com/ReFirmLabs/binwalk)\n  - Red team samples: atomic-red-team (https://github.com/redcanaryco/atomic-red-team)\n  - reverse engineering framework: ghidra (https://github.com/NationalSecurityAgency/ghidra)\n  \nYou can also use other tools not included in my docker container:\n- reverse engineering framework: \n  - radare2 (https://hub.docker.com/r/radare/radare2/dockerfile https://github.com/radare/radare2)\n  - Radare2 GUI: cutter (https://cutter.re/)\n- decompiler dotnet: ilspy (https://github.com/bannsec/ilspy_docker)\n- decompiler based on LLVM: retdec (https://github.com/avast-tl/retdec) - retdec-fileinfo identifies \"Original language\"\n- sandbox powershell: PSDecode (https://github.com/R3MRUM/PSDecode) - you can use it in the powershell docker image (https://hub.docker.com/_/microsoft-powershell)\n- powershell capabilities: https://github.com/pan-unit42/public_tools/tree/master/powershellprofiler\n- java capabilities: https://github.com/CybercentreCanada/assemblyline-service-espresso\n- sandbox ruby: safe_ruby (https://github.com/ukutaht/safe_ruby)\n- sandbox python: pysandbox (https://github.com/vstinner/pysandbox)\n- sandbox generic: cuckoo (https://github.com/cuckoosandbox/cuckoo)\n- API call trace: drltrace (https://github.com/mxmssh/drltrace)\n- DBI: pin 
(https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)\n- Reverse Android: androidre (https://github.com/cryptax/androidre)\n- Reverse: radare2 (https://rada.re/r/)\n\n## Usage\n~~~\nStatic analysis by clamav and yara rules -- Contact: lionel.prat9@gmail.com\nUsage: analysis.py [-c /usr/local/bin/clamscan] [-d /tmp/extract_emmbedded] [-p pattern.db] [-s /tmp/graph.png] [-j /tmp/result.json] [-m coef_path] [-g] [-v] [-b password.pwdb] [-i /usr/bin/tesseract] [-l fra] [-V API_KEY_VT] [-J] [-O] -f/-u path_filename/URL -y yara_rules_path1/ -a yara_rules_path2/\n\n\t -h/--help : for help to use\n\n\t -f/--filename= : path of filename to analysis\n\n\t -u/--url= : url analysis use thug\n\n\t -y/--yara_rules_path= : path of rules yara level 1\n\n\t -a/--yara_rules_path2= : path of rules yara level 2\n\n\t -p/--pattern= : path of pattern filename for data miner\n\n\t -b/--password= : path of password clamav (.pwdb see: https://blog.didierstevens.com/2017/02/15/quickpost-clamav-and-zip-file-decryption/)\n\n\t -c/--clamscan_path= : path of binary clamscan [\u003e=0.99.3]\n\n\t -m/--coef_path= : path of coef config file\n\n\t -d/--directory_tmp= : path of directory to extract emmbedded file(s)\n\n\t -j/--json_save= : path filename where save json result (JSON)\n\n\t -i/--image= : path of 'tesseract' for analysis on potential social engenering by image\n\n\t -J/--java_decomp : Java decompile class/jar with procyon (apt-get install procyon-decompiler)\n\n\t -l/--lang_image= : 'tesseract' lang ocr extratc (eng, fra, ...) 
\n\n\t -g/--graph : generate graphe of analyz\n\n\t -s/--save_graph= : path filename where save graph (PNG)\n\t \n\t -O/--osint : active OSINT (hash, filename, domaine, url)\n\t\tOSINT hybridanalisys env key: HYBRID_KEY\n\t\tOTX env key: OTX_KEY\n\t\tXFORCE env key: XFORCE_KEY \u0026 env pass: XFORCE_PASS\n\t\tVirusTotal env key: VT_KEY\n\t\tMISP env key: MISP_KEY \u0026 MISP env host: MISP_HOST\n\t\tINTEZER env key: INTEZER_KEY\n\n\t -r/--remove= : remove tempory files\n\n\t -V/--virustotal= : API Key\n\n\t -v/--verbose= : verbose mode\n\n\t example: analysis.py -c ./clamav-devel/clamscan/clamscan -f /home/analyz/strange/invoice.rtf -y /home/analyz/yara_rules1/ -a /home/analyz/yara_rules2/ -b /home/analyz/password.pwdb -i /usr/bin/tesseract -l fra -g -O\n\n\t example: analysis.py -c ./clamav-devel/clamscan/clamscan -u www.exploitkit.top/id?000 -y /home/analyz/yara_rules1/ -a /home/analyz/yara_rules2/ -b /home/analyz/password.pwdb -i /usr/bin/tesseract -l fra -g -O\n\nlionel@local:~/static_analysis$ python3 analysis.py -c clamav-devel/clamscan/clamscan -y yara_rules1/ -a yara_rules2/ -j /tmp/log.json -p pattern.db -g -f tests/pdf/jaff.pdf\nStatic analysis by clamav and yara rules -- Contact: lionel.prat9@gmail.com\nCreate directory temp for emmbedded file: /tmp/tmpUee2rj\n\nExtract emmbedded file(s) with clamav...\nAnalyz result...\nFind resultat in json file:/tmp/tmpUee2rj/clamav-028bf4c91d9aac94faca83886b9286c2.tmp...\nPhase one finish!\n\n\n~~~\n\n## PNG report example for jaff\n![alt text](https://github.com/lprat/static_analysis/raw/master/images/analysis_result.png \"Tree analysis created\")\n\n## JSON report example for jaff\n```json\n{\n    \"ContainedObjects\": [\n        {\n            \"ContainedObjects\": [\n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/package/2006/content-types\\\"\u003e\u003cDefault', 't')\"\n                        }\n  
                  ], \n                    \"FileMD5\": \"ac4128108023cf8d9a6233069bd79f7a\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 1636, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.000\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/package/2006/relationships\\\"\u003e\u003cRelationship', 'p')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"77bf61733a633ea617a4db76ef769a4d\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 590, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.001\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                
}, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/package/2006/relationships\\\"\u003e\u003cRelationship', 'p')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/customXml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/2006/relationships/vbaProject\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/image\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"83bb79d7c3592786e13acb56729962ce\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n              
      \"FileSize\": 1213, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.002\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/drawing/2014/chartex\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/markup-compatibility/2006\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/math\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/wordprocessingml/2006/main\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordml\\\"', '\\\"')\"\n                        }, \n          
              {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2012/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2015/wordml/symex\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingGroup\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingInk\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2006/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingShape\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/drawingml/2006/main\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/drawingml/2006/main\\\"\u003e\u003ca:graphicData', 'a')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/drawingml/2006/picture\\\"\u003e\u003cpic:pic', 'c')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/drawingml/2006/picture\\\"\u003e\u003cpic:nvPicPr\u003e\u003cpic:cNvPr', 'r')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/drawing/2010/main\\\"', '\\\"')\"\n                        }\n                    ], \n                 
   \"FileMD5\": \"452348b0a8f499c7f125ba299731db0a\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 4362, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.003\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/package/2006/relationships\\\"\u003e\u003cRelationship', 'p')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/2006/relationships/wordVbaData\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"dd79e6440b0515bfcf771c2c5286a2c8\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 277, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.004\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ContainedObjects\": [\n                        {\n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"1b51a805a2682c24956f156ff25370ff\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 292, \n       
                     \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000010/cbff003cd69100e2ee9bd33df50c21ed_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000010/cbff003cd69100e2ee9bd33df50c21ed_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ExtractInfo\": [\n                                {\n                                    \"URI\": \"('http://\\\\x00\\\\xec', '\\\\xec')\"\n                                }\n                            ], \n                            \"FileMD5\": \"0df7f5507fcccc3bc22787fe7872e97a\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 584, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000010/d95679752134a2d9eb61dbd7b91c4bcc_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000010/d95679752134a2d9eb61dbd7b91c4bcc_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"8b485527ad9d96fe72d3fba385f0ad95\", \n                            \"FileParentType\": 
\"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 97, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000010/88144fbcb62650fa72c360688f4772c7_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000010/88144fbcb62650fa72c360688f4772c7_0\"\n                            ], \n                            \"RiskScore\": 5, \n                            \"Yara\": [\n                                {\n                                    \"OLE_EMBEDDED_OFFICE\": {\n                                        \"description\": \"MS Forms Embedded object\", \n                                        \"score\": 5\n                                    }\n                                }\n                            ]\n                        }, \n                        {\n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"711e41c84dfaa4cbd891ef22cc4e4670\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 599, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000010/8fa14cdd754f91cc6554c9e71929cce7_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000010/8fa14cdd754f91cc6554c9e71929cce7_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n   
                     }, \n                        {\n                            \"ExtractInfo\": [\n                                {\n                                    \"EMAIL\": \"('Templat@eDeriv', '')\"\n                                }\n                            ], \n                            \"FileMD5\": \"8a01d7813c6dc6dddf8398f15e45756f\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 1897, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/5f51988f4ee5c4069990859c24855c57_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/5f51988f4ee5c4069990859c24855c57_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"fcc31d50fc38f37137eb5b2cf2992049\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 1504, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/bad8252681321a1d94d0718a0815fac9_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/bad8252681321a1d94d0718a0815fac9_0\"\n                            ], \n                            
\"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ExtractInfo\": [\n                                {\n                                    \"EMAIL\": \"('OptionButton1k@0', '')\"\n                                }, \n                                {\n                                    \"EMAIL\": \"('OptionButton2l@0', '')\"\n                                }\n                            ], \n                            \"FileMD5\": \"0eed2de1ef79e6ce4a26385fd5179d5e\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 6394, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/ae4f6474bee50ccdf1a6b853ba8ad32a_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/ae4f6474bee50ccdf1a6b853ba8ad32a_0\"\n                            ], \n                            \"RiskScore\": 4, \n                            \"Yara\": [\n                                {\n                                    \"Autorun_VBA_OFFICE\": {\n                                        \"description\": \"Macro autorun\", \n                                        \"score\": 4\n                                    }\n                                }\n                            ]\n                        }, \n                        {\n                            \"ExtractInfo\": [\n                                {\n                                    \"EMAIL\": \"('Hr2d2_@c3po', '')\"\n                                }, \n                                {\n                                    \"EMAIL\": 
\"('cF@reshID', '')\"\n                                }, \n                                {\n                                    \"EMAIL\": \"('ob@jWMISe', '')\"\n                                }\n                            ], \n                            \"FileMD5\": \"828a327f1ddc838d4a8c19619cebfee8\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 3030, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/007ccaa83aa7674f1166352c3605b85c_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/007ccaa83aa7674f1166352c3605b85c_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ExtractInfo\": [\n                                {\n                                    \"EMAIL\": \"('tp@d', '')\"\n                                }\n                            ], \n                            \"FileMD5\": \"c81239f4227f76858b5e2a5bd59afa0e\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 9634, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/a63bcda17f702e84c1b7056f6d8c5f3a_0\", \n                                
\"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/a63bcda17f702e84c1b7056f6d8c5f3a_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ExtractInfo\": [\n                                {\n                                    \"EMAIL\": \"('SF@Cs', '')\"\n                                }, \n                                {\n                                    \"EMAIL\": \"('VBE@a', '')\"\n                                }\n                            ], \n                            \"FileMD5\": \"54c9cc25c5082fee750c4e05196a595b\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 945, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/736007832d2167baaae763fd3a3f3cf1_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/736007832d2167baaae763fd3a3f3cf1_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"d34c4883d74d420deb12df91f806b869\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 1158, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                        
    \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/69bb302a1ba85bde463b0b6faaea307a_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/69bb302a1ba85bde463b0b6faaea307a_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ExtractInfo\": [\n                                {\n                                    \"EMAIL\": \"('co,lI@BA', '')\"\n                                }, \n                                {\n                                    \"EMAIL\": \"('agReturn@Immedi', '')\"\n                                }, \n                                {\n                                    \"EMAIL\": \"('Vb@Method', '')\"\n                                }, \n                                {\n                                    \"EMAIL\": \"('g43ff4@f.net', '')\"\n                                }\n                            ], \n                            \"FileMD5\": \"0ceca08df2cc3d69bdf6852ca2e341ce\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 6783, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/000001/f9cce95db5c816a935906a713c78aff5_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/000001/f9cce95db5c816a935906a713c78aff5_0\"\n                            ], \n                            \"RiskScore\": 5, \n                            \"Yara\": [\n                              
  {\n                                    \"Filesystem_Vba_OFFICE\": {\n                                        \"description\": \"Macro acces file system object with AutoOpen\", \n                                        \"score\": 5\n                                    }\n                                }\n                            ]\n                        }, \n                        {\n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"504c824e56e508c488c2f87a63d847d9\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 155, \n                            \"FileType\": \"CL_TYPE_BINARY_DATA\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/7fdc011725f5de6d8e10d5fc95398f30_0\", \n                                \"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/7fdc011725f5de6d8e10d5fc95398f30_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"f2a98e8d16b27939c3cbdef3bebbdc1c\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2||||-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                            \"FileSize\": 666, \n                            \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-1850c820caed3a2ef0bd9f90767cee2d.tmp/46f86faa6bbf9ac94a7e459509a20ed0_0\", \n                                
\"/tmp/tmpUee2rj/clamav-47fe5aa763775ab138ffb62ea46690b5.tmp/46f86faa6bbf9ac94a7e459509a20ed0_0\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ContainedObjects\": [], \n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"bcbe7dbf9f99c4e0e534c3a2ac4f6ab4\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2\", \n                            \"FileSize\": 382, \n                            \"FileType\": \"CL_TYPE_UNKNOWN\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-48b2068c734e0dd2524018b91bdc11f1.tmp\"\n                            ], \n                            \"RiskScore\": 4, \n                            \"Yara\": [\n                                {\n                                    \"Autorun_VBA_OFFICE\": {\n                                        \"description\": \"Macro autorun\", \n                                        \"score\": 4\n                                    }\n                                }\n                            ]\n                        }, \n                        {\n                            \"ContainedObjects\": [], \n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"ef4e50431c649c188d1a98d2f303d7a5\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2\", \n                            \"FileSize\": 340, \n                            \"FileType\": \"CL_TYPE_UNKNOWN\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-e2dd3b37165650823319a0a29d38ef8f.tmp\"\n                            ], \n                            \"RiskScore\": 0, \n  
                          \"Yara\": []\n                        }, \n                        {\n                            \"ContainedObjects\": [], \n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"0d51f172a35e98a1bb73438b694e52ab\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2\", \n                            \"FileSize\": 650, \n                            \"FileType\": \"CL_TYPE_UNKNOWN\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-9ccce68e0439e9037ff734e27b28b998.tmp\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ContainedObjects\": [], \n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"95a55e38861c99daf23ce36d40a101d9\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2\", \n                            \"FileSize\": 5682, \n                            \"FileType\": \"CL_TYPE_UNKNOWN\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-f1a4e0a4bbef215ddbd1d85d2681e7bd.tmp\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ContainedObjects\": [], \n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"6ed1b03a4828d15bca41ac0d6604e763\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2\", \n                            \"FileSize\": 1240, \n                            \"FileType\": 
\"CL_TYPE_UNKNOWN\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-a5674c419d8687d2de2fb5db2fafc049.tmp\"\n                            ], \n                            \"RiskScore\": 0, \n                            \"Yara\": []\n                        }, \n                        {\n                            \"ContainedObjects\": [], \n                            \"ExtractInfo\": [], \n                            \"FileMD5\": \"621e099c1b10736db897668de89afb0b\", \n                            \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_MSOLE2\", \n                            \"FileSize\": 3384, \n                            \"FileType\": \"CL_TYPE_UNKNOWN\", \n                            \"PathFile\": [\n                                \"/tmp/tmpUee2rj/clamav-f1803c916e78e329874565085182796e.tmp\"\n                            ], \n                            \"RiskScore\": 5, \n                            \"Yara\": [\n                                {\n                                    \"Filesystem_Vba_OFFICE\": {\n                                        \"description\": \"Macro acces file system object with AutoOpen\", \n                                        \"score\": 5\n                                    }\n                                }\n                            ]\n                        }\n                    ], \n                    \"ExtractInfo\": [\n                        {\n                            \"EMAIL\": \"('Templat@eDeriv', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('tp@d', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('Hr2d2_@c3po', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('cF@reshID', '')\"\n                        }, \n                        {\n         
                   \"EMAIL\": \"('ob@jWMISe', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('SF@Cs', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('co,lI@BA', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('agReturn@Immedi', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('Vb@Method', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('g43ff4@f.net', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('OptionButton1k@0', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('OptionButton2l@0', '')\"\n                        }, \n                        {\n                            \"EMAIL\": \"('VBE@a', '')\"\n                        }, \n                        {\n                            \"URI\": \"('http://\\\\x00\\\\xec', '\\\\xec')\"\n                        }\n                    ], \n                    \"FileMD5\": \"d45c11614628b38df9301bccf18c67f4\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 39936, \n                    \"FileType\": \"CL_TYPE_MSOLE2\", \n                    \"HasMacros\": true, \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.005\"\n                    ], \n                    \"RiskScore\": 5, \n                    \"Streams\": [\n                        \"o\", \n                        \"_1_compobj\", \n                        \"_3_vbframe\", \n                        \"f\", \n                        \"projectwm\", \n                        \"window1\", \n       
                 \"thisdocument\", \n                        \"_vba_project\", \n                        \"module1\", \n                        \"module3\", \n                        \"module2\", \n                        \"strix\", \n                        \"dir\", \n                        \"project\"\n                    ], \n                    \"Yara\": [\n                        {\n                            \"Autorun_VBA_OFFICE\": {\n                                \"description\": \"Macro autorun\", \n                                \"score\": 4\n                            }\n                        }, \n                        {\n                            \"OLE_EMBEDDED_OFFICE\": {\n                                \"description\": \"MS Forms Embedded object\", \n                                \"score\": 5\n                            }\n                        }, \n                        {\n                            \"Contains_VBA_macro_code\": {\n                                \"description\": \"Detect a MS Office document with embedded VBA macro code\", \n                                \"score\": 4\n                            }\n                        }, \n                        {\n                            \"Filesystem_Vba_OFFICE\": {\n                                \"description\": \"Macro acces file system object with AutoOpen\", \n                                \"score\": 5\n                            }\n                        }\n                    ]\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"EMAIL\": \"('Im,@K', '')\"\n                        }, \n                        {\n                            \"IPV6\": \"::\"\n                        }\n                    ], \n                    \"FileMD5\": \"e932c3ba84ba2136bbe887b1254afb01\", \n                    \"FileParentType\": 
\"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 20595, \n                    \"FileType\": \"CL_TYPE_GRAPHICS\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.006\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/drawingml/2006/main\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/thememl/2012/main\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"3191d541839e4d100931377c4c66e0a1\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 6850, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.007\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/markup-compatibility/2006\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/math\\\"', '\\\"')\"\n                        }, \n                    
    {\n                            \"URI\": \"('http://schemas.openxmlformats.org/wordprocessingml/2006/main\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2012/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2015/wordml/symex\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/schemaLibrary/2006/main\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"0e05f5fa4d7d9ba3d121e3256b258612\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 10483, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.008\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/drawing/2014/chartex\\\"', '\\\"')\"\n                        }, \n                        {\n     
                       \"URI\": \"('http://schemas.openxmlformats.org/markup-compatibility/2006\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/math\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/wordprocessingml/2006/main\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2012/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2015/wordml/symex\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingGroup\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingInk\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": 
\"('http://schemas.microsoft.com/office/word/2006/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordprocessingShape\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"50cc63ff6a12de92356de52f57adf3e3\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 1828, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.009\"\n                    ], \n                    \"RiskScore\": 4, \n                    \"Yara\": [\n                        {\n                            \"Autorun_VBA_OFFICE\": {\n                                \"description\": \"Macro autorun\", \n                                \"score\": 4\n                            }\n                        }\n                    ]\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/package/2006/relationships\\\"\u003e\u003cRelationship', 'p')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships/customXmlProps\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"7e5e23715ab49ce56f9130d4c6534a30\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 296, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        
\"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.010\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/customXml\\\"\u003e\u003cds:schemaRefs\u003e\u003cds:schemaRef', 'f')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/bibliography\\\"/\u003e\u003c/ds:schemaRefs\u003e\u003c/ds:datastoreItem\u003e', '')\"\n                        }\n                    ], \n                    \"FileMD5\": \"17882ebab97c0d9c2098e1e489d6b49c\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 341, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.011\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/bibliography\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/bibliography\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"217ee5ba5f9835428ff1ab7501faf018\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 306, \n                    \"FileType\": 
\"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.012\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/extended-properties\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes\\\"\u003e\u003cTemplate\u003eNormal.dotm\u003c/Template\u003e\u003cTotalTime\u003e0\u003c/TotalTime\u003e\u003cPages\u003e2\u003c/Pages\u003e\u003cWords\u003e1\u003c/Words\u003e\u003cCharacters\u003e6\u003c/Characters\u003e\u003cApplication\u003eMicrosoft', 't')\"\n                        }\n                    ], \n                    \"FileMD5\": \"e4dc388c5b665ba7030de6e50cde8add\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 993, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.013\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/package/2006/metadata/core-properties\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://purl.org/dc/elements/1.1/\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": 
\"('http://purl.org/dc/terms/\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://purl.org/dc/dcmitype/\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://www.w3.org/2001/XMLSchema-instance\\\"\u003e\u003cdc:title\u003e\u003c/dc:title\u003e\u003cdc:subject\u003e\u003c/dc:subject\u003e\u003cdc:creator\u003e1\u003c/dc:creator\u003e\u003ccp:keywords\u003e\u003c/cp:keywords\u003e\u003cdc:description\u003e\u003c/dc:description\u003e\u003ccp:lastModifiedBy\u003e1\u003c/cp:lastModifiedBy\u003e\u003ccp:revision\u003e2\u003c/cp:revision\u003e\u003cdcterms:created', 'd')\"\n                        }\n                    ], \n                    \"FileMD5\": \"abd46fbaf5ad78913bc85bfe69385a8c\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 959, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.014\"\n                    ], \n                    \"RiskScore\": 6, \n                    \"Yara\": [\n                        {\n                            \"XMLHTTP_Vba_OFFICE\": {\n                                \"description\": \"Macro use XMLHTTP\", \n                                \"score\": 4\n                            }\n                        }, \n                        {\n                            \"Download_Vba_OFFICE\": {\n                                \"description\": \"Macro use download function with AutoOpen\", \n                                \"score\": 6\n                            }\n                        }\n                    ]\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                      
      \"URI\": \"('http://schemas.openxmlformats.org/markup-compatibility/2006\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/wordprocessingml/2006/main\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2012/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2015/wordml/symex\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"3cdd557e84bbb1f9815c181f8ed4c245\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 29715, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.015\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/markup-compatibility/2006\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships\\\"', '\\\"')\"\n                        }, \n                        {\n 
                           \"URI\": \"('http://schemas.openxmlformats.org/wordprocessingml/2006/main\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2012/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2015/wordml/symex\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"d6147024db17aa5d980f14b31fb1461f\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 1299, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.016\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }, \n                {\n                    \"ExtractInfo\": [\n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/markup-compatibility/2006\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/officeDocument/2006/relationships\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.openxmlformats.org/wordprocessingml/2006/main\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2010/wordml\\\"', '\\\"')\"\n                        }, \n                      
  {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2012/wordml\\\"', '\\\"')\"\n                        }, \n                        {\n                            \"URI\": \"('http://schemas.microsoft.com/office/word/2015/wordml/symex\\\"', '\\\"')\"\n                        }\n                    ], \n                    \"FileMD5\": \"261ba76e04bd8ddbd0f4e7a50d02f4c7\", \n                    \"FileParentType\": \"-\u003eCL_TYPE_PDF-\u003eCL_TYPE_OOXML_WORD-\u003eCL_TYPE_TEXT_ASCII\", \n                    \"FileSize\": 576, \n                    \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n                    \"PathFile\": [\n                        \"/tmp/tmpUee2rj/clamav-db2fb8735edd56037594f963ea05195f.tmp/zip.017\"\n                    ], \n                    \"RiskScore\": 0, \n                    \"Yara\": []\n                }\n            ], \n            \"CoreProperties\": {\n                \"Attributes\": {\n                    \"cp\": \"http://schemas.openxmlformats.org/package/2006/metadata/core-properties\", \n                    \"dc\": \"http://purl.org/dc/elements/1.1/\", \n                    \"dcmitype\": \"http://purl.org/dc/dcmitype/\", \n                    \"dcterms\": \"http://purl.org/dc/terms/\", \n                    \"xsi\": \"http://www.w3.org/2001/XMLSchema-instance\"\n                }, \n                \"Author\": {\n                    \"Value\": [\n                        1\n                    ]\n                }, \n                \"ContentStatus\": {\n                    \"Value\": [\n                        \"Microsoft.XMLHTTPLOVEISAdodb.streaMLOVEISshell.ApplicationLOVEISWscript.shellLOVEISProcessLOVEISGeTLOVEISTeMPLOVEISTypeLOVEISopenLOVEISwriteLOVEISresponseBodyLOVEISsavetofileLOVEIS\\\\drefudre.exe\"\n                    ]\n                }, \n                \"Created\": {\n                    \"Value\": [\n                        \"2017-05-15T09:18:00Z\"\n                    ]\n      
          }, \n                \"Description\": {}, \n                \"Keywords\": {}, \n                \"LastAuthor\": {\n                    \"Value\": [\n                        1\n                    ]\n                }, \n                \"Modified\": {\n                    \"Value\": [\n                        \"2017-05-15T09:18:00Z\"\n                    ]\n                }, \n                \"Revision\": {\n                    \"Value\": [\n                        2\n                    ]\n                }, \n                \"Subject\": {}, \n                \"Title\": {}\n            }, \n            \"CorePropertiesFileCount\": 1, \n            \"ExtendedProperties\": {\n                \"AppVersion\": {\n                    \"Value\": [\n                        \"16.0000\"\n                    ]\n                }, \n                \"Application\": {\n                    \"Value\": [\n                        \"Microsoft Office Word\"\n                    ]\n                }, \n                \"Attributes\": {\n                    \"vt\": \"http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes\", \n                    \"xmlns\": \"http://schemas.openxmlformats.org/officeDocument/2006/extended-properties\"\n                }, \n                \"Characters\": {\n                    \"Value\": [\n                        6\n                    ]\n                }, \n                \"CharactersWithSpaces\": {\n                    \"Value\": [\n                        6\n                    ]\n                }, \n                \"Company\": {}, \n                \"DocSecurity\": {\n                    \"Value\": [\n                        0\n                    ]\n                }, \n                \"HyperlinksChanged\": {\n                    \"Value\": [\n                        false\n                    ]\n                }, \n                \"Lines\": {\n                    \"Value\": [\n                        1\n          
          ]\n                }, \n                \"LinksUpToDate\": {\n                    \"Value\": [\n                        false\n                    ]\n                }, \n                \"Pages\": {\n                    \"Value\": [\n                        2\n                    ]\n                }, \n                \"Paragraphs\": {\n                    \"Value\": [\n                        1\n                    ]\n                }, \n                \"ScaleCrop\": {\n                    \"Value\": [\n                        false\n                    ]\n                }, \n                \"SharedDocs\": {\n                    \"Value\": [\n                        false\n                    ]\n                }, \n                \"Template\": {\n                    \"Value\": [\n                        \"Normal.dotm\"\n                    ]\n                }, \n                \"TotalTime\": {\n                    \"Value\": [\n                        0\n                    ]\n                }, \n                \"Words\": {\n                    \"Value\": [\n                        1\n                    ]\n                }\n            }, \n            \"ExtendedPropertiesFileCount\": 1, \n            \"ExtractInfo\": [\n                {\n                    \"EMAIL\": \"('Im,@K', '')\"\n                }, \n                {\n                    \"IPV6\": \"::\"\n                }, \n                {\n                    \"IPV6\": \"::\"\n                }, \n                {\n                    \"IPV6\": \"::\"\n                }\n            ], \n            \"FileMD5\": \"f115d1fe4f579841c054b03d1ba29c97\", \n            \"FileParentType\": \"-\u003eCL_TYPE_PDF\", \n            \"FileSize\": 55486, \n            \"FileType\": \"CL_TYPE_OOXML_WORD\", \n            \"PathFile\": [\n                \"/tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf00_01i\"\n            ], \n            \"RiskScore\": 4, \n            
\"Yara\": [\n                {\n                    \"Contains_VBA_macro_code\": {\n                        \"description\": \"Detect a MS Office document with embedded VBA macro code\", \n                        \"score\": 4\n                    }\n                }\n            ]\n        }, \n        {\n            \"ExtractInfo\": [\n                {\n                    \"URI\": \"(\\\"http://www.geoplugin.net/json.gp?jsoncallback=JSON_CALLBACK').then(function\\\", 'n')\"\n                }\n            ], \n            \"FileMD5\": \"4f1d0119bae3797e905b2e8f2f92df90\", \n            \"FileParentType\": \"-\u003eCL_TYPE_PDF\", \n            \"FileSize\": 6432, \n            \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n            \"PathFile\": [\n                \"/tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf01_01i\"\n            ], \n            \"RiskScore\": 0, \n            \"Yara\": []\n        }, \n        {\n            \"ExtractInfo\": [], \n            \"FileMD5\": \"19874245d5e732f1073758e3a9431e5d\", \n            \"FileParentType\": \"-\u003eCL_TYPE_PDF\", \n            \"FileSize\": 67, \n            \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n            \"PathFile\": [\n                \"/tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf03_01i\"\n            ], \n            \"RiskScore\": 0, \n            \"Yara\": []\n        }, \n        {\n            \"ExtractInfo\": [], \n            \"FileMD5\": \"caf34a525d2c871e6df8233afb84beea\", \n            \"FileParentType\": \"-\u003eCL_TYPE_PDF\", \n            \"FileSize\": 16, \n            \"FileType\": \"CL_TYPE_TEXT_ASCII\", \n            \"PathFile\": [\n                \"/tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf04\"\n            ], \n            \"RiskScore\": 0, \n            \"Yara\": []\n        }, \n        {\n            \"ContainedObjects\": [], \n            \"ExtractInfo\": [], \n            \"FileMD5\": 
\"d41d8cd98f00b204e9800998ecf8427e\", \n            \"FileParentType\": \"-\u003eCL_TYPE_PDF\", \n            \"FileSize\": 0, \n            \"FileType\": \"CL_TYPE_UNKNOWN\", \n            \"PathFile\": [\n                \"/tmp/tmpUee2rj/clamav-045d58bc73c112b37f188cb704ca54f6.tmp/pdf02\"\n            ], \n            \"RiskScore\": 0, \n            \"Yara\": []\n        }\n    ], \n    \"ExtractInfo\": [\n        {\n            \"EMAIL\": \"('Z7@0j', '')\"\n        }\n    ], \n    \"FileMD5\": \"eb680f46c268e6eac359b574538de569\", \n    \"FileSize\": 53257, \n    \"FileType\": \"CL_TYPE_PDF\", \n    \"GlobalRiskScore\": 6, \n    \"GlobalRiskScoreCoef\": 1, \n    \"Magic\": \"CLAMJSONv0\", \n    \"PDFStats\": {\n        \"CreationDate\": \"D:20170515122212+03'00'\", \n        \"Creator\": \"8026155\", \n        \"DeflateObjectCount\": 4, \n        \"EmbeddedFileCount\": 1, \n        \"ImageCount\": 1, \n        \"JavaScriptObjectCount\": 3, \n        \"JavascriptObjects\": [\n            7, \n            13, \n            14\n        ], \n        \"ModificationDate\": \"D:20170515122212+03'00'\", \n        \"ObjectsWithoutDictionaries\": [\n            3\n        ], \n        \"OpenActionCount\": 1, \n        \"PDFVersion\": \"1.4\", \n        \"PageCount\": 1, \n        \"Producer\": \"\\u5469\\u7865\\u5374\\u6168\\u7072\\u2092\\u2e35\\u2e35\\u3031\\ua920\\u3032\\u3030\\u322d\\u3130\\u2036\\u5469\\u7865\\u2074\\u7247\"\n    }, \n    \"RiskScore\": 0, \n    \"RootFileType\": \"CL_TYPE_PDF\", \n    \"TempDirExtract\": \"/tmp/tmpUee2rj\", \n    \"Yara\": []\n}\n```\n\n## Requirements\n\n- clamav\n- python3: see requirements.txt [use docker]\n- For Image OCR: tesseract-ocr-all (deb)\n- For decompil java: procyon-decompiler (deb)\n\n## Install\n\n~~~\nRecompile clamav with json options and HARDENING compilation\n./remake_clamav.sh\n~~~\n\n### Docker install\n\n~~~\ngit clone https://github.com/lprat/static_file_analysis\ncd static_file_analysis/docker\nmkdir 
/tmp/samples \u0026\u0026 cp file_to_analyz.pdf /tmp/samples\ndocker-compose run sfa\n$python3 analysis.py -c ./clamav-devel/clamscan/clamscan -f samples/file_to_analyz.pdf -y yara_rules1/ -a yara_rules2/ -b password.pwdb -i /usr/bin/tesseract -l fra -g -O -v \u0026\u003e /tmp/log\n~~~\n\n### Docker install API REST\n\n~~~\ngit clone https://github.com/lprat/static_file_analysis\ncd static_file_analysis/docker\n# edit docker-compose_api.yml and change ENV APIKEY \u0026 UPDATE PROXY (if needed)\ndocker-compose -f docker-compose_api.yml run sfa\n~~~\n\n## Configure\n\n- coef.conf : configuration file for computing the score coefficient\n- pattern.db : configuration file with the extraction patterns\n- yara_rules1/ : directory which contains the level 1 yara rules\n- yara_rules2/ : directory which contains the level 2 yara rules\n- password.pwdb : password database used to try to open password-protected zip files\n\n## Make your own yara rules\n\nTo create yara rules for this tool, you must use these meta fields:\n- description: description of the rule\n- weight: the score of the rule\n- var_match: optional; if the rule matches, you can add an extern variable for subsequent checks (global variable - applies to all files)\n- check_level2: optional; you can add extern variables used to choose the level 2 checks (value: \"check_command_bool,check_registry_bool\") (local variable - applies to the current file only)\n- ids: extract IOCs from the \"strings\" of a YARA rule match (https://yara.readthedocs.io/en/v3.8.1/yarapython.html#yara.Match) and output them in the JSON result under 'ioc' and 'globalIOC'. 
You choose the IOC category, for example: ids = \"win_api\" creates ioc{'win_api': ['first string found by yara match', 'second string found by yara match', ...]}\n\nYou can use extern variables built from the clamav context and passed to yara by the python script (analysis.py):\n- PathFile: filename and path\n- FileParentType: parent type of the file, written as in the clamav output\n- FileType: type of the current file, written as in the clamav output\n- FileSize: size of the current file\n- FileMD5: MD5 of the current file\n- CDBNAME: original name of the current file (for example in a MACRO file, or a CHM file...)\n- zip_crypt_bool: zip file with password (encrypted)\n- EMBED_FILES: if the zip file has a password, this variable contains the filenames in the zip file\n- image2text: for an image file, you can extract text with OCR (tesseract =\u003e !! attention Leptonica have CVE-2018..., on debian, tesseract is compiled with security hardening options)\n- serr: debug stream of clamav\n- vt_detected/vt_positives_int/vt_total_int/vt_scan_date: VirusTotal result\n- now_7_int: timestamp of now minus 7 days\n- All variables produced in the clamav JSON report\n- All information extracted by pattern matching\n\nSee the yara_rules paths for sample rules!\n\n## Use tool in CRITS\n\nI added this tool in CRITS services. 
I created a pull request in CRITS service but it's not validated yet, but you can use my github repository so far.\n\n[Collaborative Research Into Threats - CRITS](https://crits.github.io/)\n\n[Github CRITS services](https://github.com/crits/crits_services)\n\n[My Github account of modified CRITS services](https://github.com/lprat/crits_services/tree/extract_embedded_service)\n\n## Use the web UI\n\nRun docker compose or docker run to launch the API\n(docker lprat\\sfa on cloud)\n~~~\ndocker-compose -f ./docker-compose_api.yml up -d\nor\ndocker run -ti -e \"API_KEY=myapikey\" -p 8000:8000 docker_sfa\n~~~\n\nWith your favorite browser go to https://$IP:8000/\n\n## Use API REST\n\nRun docker compose or docker run to launch the API\n(docker lprat\\sfa on cloud)\n~~~\ndocker-compose -f ./docker-compose_api.yml up -d\nor\ndocker run -ti -e \"API_KEY=myapikey\" -p 8000:8000 docker_sfa\n~~~\n\nRequest on port 8000:\n\n~~~\nCheck File:\ncurl -k  -F 'file=@/home/lionel/malwares/calc.xll' -H \"x-api-key: mykeyapi\" https://127.0.0.1:8000/api/sfa_check_file\nCheck URL:\ncurl -k --header \"Content-Type: application/json\" --request POST --data '{\"url\":\"http://www.google.fr\"}' -H \"x-api-key: mykeyapi\" https://127.0.0.1:8000/api/sfa_check_url\n\nReturn JSON:\n{\"graph.png\":\"/download/700c4644ec40bfdada4502ffd5cb1411\",\"result.json\":\"/download/9b9c453dc45b665c596b0f58c1c272b1\",\"risk_score\":4,\"trace-serr.debug\":\"/download/d41d8cd98f00b204e9800998ecf8427e\",\"trace-sout.debug\":\"/download/ef59eb8e65035a1064c1c32565bc0e74\",\"ef59eb8e65035a1064c1c32565bc0000\":\"/download/ef59eb8e65035a1064c1c32565bc000\"}\n\"ef59eb8e65035a1064c1c32565bc0000\": for download embed file md5\n\nDownload file embed/json result/graph/...\ncurl -k -X 'POST' -H \"x-api-key: mykeyapi\" https://127.0.0.1:8000/download/ef59eb8e65035a1064c1c32565bc0000\n~~~\n\n## Use reverse proxy for API or web UI\n\nExample configuration for nginx:\n~~~\nserver {\n    listen $IP:443 ssl;\n    server_name sfa.$yourdomain;\n 
   location / {\n#      Use certificate auth\n#      if ($ssl_client_verify != SUCCESS) {\n#        return 403;\n#      }\n#      if ($ssl_client_s_dn_cn = \"NAME-On-Cert\") {\n#        return 403;\n#      }\n#      Use login/password auth\n#      auth_basic \"Authentification\";\n#      auth_basic_user_file /etc/nginx/.passwdweb;\n      proxy_pass_request_headers on;\n      proxy_set_header Host $host;\n      proxy_set_header X-Forwarded-Host $host;\n      proxy_set_header X-Forwarded-Server $host;\n      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n      proxy_set_header X-Forwarded-Proto $scheme;\n      proxy_set_header X-Real-IP $remote_addr;\n#     Docker IP\n      proxy_pass https://172.17.0.1:8000;\n    }\n}\n~~~\n\n## Extra\nIn Sigma_rules, you can find SIGMA-format rules for detecting files to analyse.\n\n## Greetz\n  - clamav community\n  - yara community\n  - Stéphane L.\n\n## Contact\n\nlionel.prat9@gmail.com\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flprat%2Fstatic_file_analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flprat%2Fstatic_file_analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flprat%2Fstatic_file_analysis/lists"}