decalage2/extract_iocs.py

## extract_iocs.py
import sys, zipfile
from oletools.olevba import detect_patterns
# samples: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Donot/17-09-19/Malware%20analysis.md

fname = sys.argv[1]
print(f'Opening {fname}')
if zipfile.is_zipfile(fname):
    print('filetype: OpenXML or Zip')
    z = zipfile.ZipFile(fname)
    for f in z.infolist():
        print(f'- subfile: {f.filename}')
        data = z.read(f).decode('utf8', errors='replace')
        for description, value in detect_patterns(data):
            if not value.startswith('http://schemas.openxmlformats.org/') \
                and not value.startswith('http://schemas.microsoft.com/') \
                and not value.startswith('http://purl.org/') \
                and not value.startswith('http://www.w3.org/'):
                    print(f'    {value} - {description}')
    z.close()
	import sys, zipfile
	from oletools.olevba import detect_patterns
	# samples: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Donot/17-09-19/Malware%20analysis.md

	fname = sys.argv[1]
	print(f'Opening {fname}')
	if zipfile.is_zipfile(fname):
	print('filetype: OpenXML or Zip')
	z = zipfile.ZipFile(fname)
	for f in z.infolist():
	print(f'- subfile: {f.filename}')
	data = z.read(f).decode('utf8', errors='replace')
	for description, value in detect_patterns(data):
	if not value.startswith('http://schemas.openxmlformats.org/') \
	and not value.startswith('http://schemas.microsoft.com/') \
	and not value.startswith('http://purl.org/') \
	and not value.startswith('http://www.w3.org/'):
	print(f' {value} - {description}')
	z.close()