Improve support of email attachments

Related to #90
pull/91/head
Raphaël Vinot 2017-01-07 14:39:52 -05:00
parent 352f9ec2ed
commit 2db845c45c
1 changed files with 4 additions and 5 deletions


@ -162,10 +162,10 @@ def handler(q=False):
for part in message.walk(): for part in message.walk():
filename = part.get_filename() filename = part.get_filename()
if filename is not None: if filename is not None:
results.append({"values": filename, "types": ['email-attachment']})
attachment_data = part.get_payload(decode=True) attachment_data = part.get_payload(decode=True)
# Base attachment data is default # Base attachment data is default
attachment_files = [{"values": filename, attachment_files = [{"values": filename, "data": base64.b64encode(attachment_data).decode()}]
"data": base64.b64encode(attachment_data).decode()}]
if unzip is True: # Attempt to unzip the attachment and return its files if unzip is True: # Attempt to unzip the attachment and return its files
try: try:
attachment_files += get_zipped_contents(filename, attachment_data) attachment_files += get_zipped_contents(filename, attachment_data)
@ -180,10 +180,9 @@ def handler(q=False):
attachment_files[0]['comment'] = """Original Zipped Attachment with Password {0}""".format(password) attachment_files[0]['comment'] = """Original Zipped Attachment with Password {0}""".format(password)
attachment_files += get_zipped_contents(filename, attachment_data, password=password) attachment_files += get_zipped_contents(filename, attachment_data, password=password)
except zipfile.BadZipFile: # Attachment is not a zipfile except zipfile.BadZipFile: # Attachment is not a zipfile
attachment_files += [{"values": filename, attachment_files += [{"values": filename, "data": base64.b64encode(attachment_data).decode()}]
"data": base64.b64encode(attachment_data).decode()}]
for attch_item in attachment_files: for attch_item in attachment_files:
attch_item["types"] = ['attachment'] attch_item["types"] = ['malware-sample']
results.append(attch_item) results.append(attch_item)
else: # Check email body part for urls else: # Check email body part for urls
if (extract_urls is True and part.get_content_type() == 'text/html'): if (extract_urls is True and part.get_content_type() == 'text/html'):
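Review bot: In the second hunk, `attch_item["types"] = ['malware-sample']` is applied to every entry in `attachment_files`, so the original attachment and each file unpacked from a zip are labelled as malware whether or not anything has judged them malicious; benign files such as inline images or calendar invites would then be recorded as samples and could pollute hash correlation and detection exports. If the consumer treats `types` as a list of candidate types with the first as the default (not visible here, so worth confirming), `attch_item["types"] = ['malware-sample', 'attachment']` keeps the cautious default while letting an analyst re-type harmless files. Separately, in the first hunk `part.get_payload(decode=True)` returns `None` for a multipart part, which a forwarded message attached as `message/rfc822` with a filename would be, and `base64.b64encode(attachment_data)` then raises `TypeError`; a guard such as `if attachment_data is None: continue` right after the payload is read would keep one such part from aborting the whole import. `handler` begins and ends outside both hunks, so how that exception would propagate is not visible here.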