mirror of https://github.com/MISP/misp-modules
parent
352f9ec2ed
commit
2db845c45c
|
@ -162,10 +162,10 @@ def handler(q=False):
|
||||||
for part in message.walk():
|
for part in message.walk():
|
||||||
filename = part.get_filename()
|
filename = part.get_filename()
|
||||||
if filename is not None:
|
if filename is not None:
|
||||||
|
results.append({"values": filename, "types": ['email-attachment']})
|
||||||
attachment_data = part.get_payload(decode=True)
|
attachment_data = part.get_payload(decode=True)
|
||||||
# Base attachment data is default
|
# Base attachment data is default
|
||||||
attachment_files = [{"values": filename,
|
attachment_files = [{"values": filename, "data": base64.b64encode(attachment_data).decode()}]
|
||||||
"data": base64.b64encode(attachment_data).decode()}]
|
|
||||||
if unzip is True: # Attempt to unzip the attachment and return its files
|
if unzip is True: # Attempt to unzip the attachment and return its files
|
||||||
try:
|
try:
|
||||||
attachment_files += get_zipped_contents(filename, attachment_data)
|
attachment_files += get_zipped_contents(filename, attachment_data)
|
||||||
|
@ -180,10 +180,9 @@ def handler(q=False):
|
||||||
attachment_files[0]['comment'] = """Original Zipped Attachment with Password {0}""".format(password)
|
attachment_files[0]['comment'] = """Original Zipped Attachment with Password {0}""".format(password)
|
||||||
attachment_files += get_zipped_contents(filename, attachment_data, password=password)
|
attachment_files += get_zipped_contents(filename, attachment_data, password=password)
|
||||||
except zipfile.BadZipFile: # Attachment is not a zipfile
|
except zipfile.BadZipFile: # Attachment is not a zipfile
|
||||||
attachment_files += [{"values": filename,
|
attachment_files += [{"values": filename, "data": base64.b64encode(attachment_data).decode()}]
|
||||||
"data": base64.b64encode(attachment_data).decode()}]
|
|
||||||
for attch_item in attachment_files:
|
for attch_item in attachment_files:
|
||||||
attch_item["types"] = ['attachment']
|
attch_item["types"] = ['malware-sample']
|
||||||
results.append(attch_item)
|
results.append(attch_item)
|
||||||
else: # Check email body part for urls
|
else: # Check email body part for urls
|
||||||
if (extract_urls is True and part.get_content_type() == 'text/html'):
|
if (extract_urls is True and part.get_content_type() == 'text/html'):
|
||||||
|
|
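Review bot: `part.get_payload(decode=True)` returns None when the part is itself multipart (for example an attached message/rfc822 that carries a filename), so the rewritten `"data": base64.b64encode(attachment_data).decode()` line raises TypeError and a single sender-controlled email can abort the whole import. A guard directly after the payload read, `if attachment_data is None: continue`, keeps the `email-attachment` filename entry and lets `message.walk()` reach the nested parts on its own. Separately, the `except zipfile.BadZipFile` branch appends a second copy of the base entry that `attachment_files` already holds, so with `unzip` enabled a non-zip attachment appears to be emitted twice as `malware-sample`; the lines between the two hunks are not shown, so this needs confirming against the full handler. `handler` starts and ends outside both hunks.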