#!/usr/bin/env python
# -*- coding: utf-8 -*-
from BeautifulSoup import BeautifulSoup
import base64
import zlib
import sys
import os.path
'''
Extract the zlib-compressed document embedded in the w:bindata section of a
Dridex XML file.
'''
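def _inflate(cdoc, max_size=None):
    """Inflate a zlib stream, optionally capping the inflated size.

    Args:
        cdoc: bytes of the zlib stream (header included).
        max_size: when not None, the maximum number of inflated bytes to
            accept; the stream is attacker-controlled, so an unbounded
            inflate is a decompression-bomb risk for the analyst's box.

    Returns:
        The inflated bytes.

    Raises:
        zlib.error: on a malformed stream (unlimited mode).
        ValueError: when the inflated output would exceed max_size.
    """
    if max_size is None:
        # Original behaviour: one-shot, unlimited inflate.
        return zlib.decompress(cdoc)
    decomp = zlib.decompressobj()
    payload = decomp.decompress(cdoc, max_size)
    # Input left over after max_size output bytes means the stream would
    # have grown past the cap.
    if decomp.unconsumed_tail:
        raise ValueError('inflated payload exceeds max_size=%d bytes' % max_size)
    return payload


def extract_data(filename, max_size=None):
    """Extract the zlib-compressed payload embedded in a Dridex XML document.

    The file is parsed with BeautifulSoup, the first ``w:bindata`` element is
    base64-decoded, and the slice from the first ``78 9c`` zlib header up to
    the ``00 00 0d`` marker that follows it is inflated and written to
    ``<filename>-extracted``.

    Args:
        filename: path of the XML document to process.
        max_size: optional cap in bytes on the inflated output (see
            _inflate). None keeps the original unlimited behaviour.

    Exits the process with status -1 when no compressed section is found,
    as the original did. Every other failure is printed and swallowed, so
    callers must check for the output file rather than rely on a return
    value.
    """
    try:
        print('Processing File: %s' % filename)
        # Binary mode: the base64 blob and the byte markers below must not
        # go through any newline translation or text decoding.
        with open(filename, 'rb') as fh:
            dat = fh.read()
        soup = BeautifulSoup(dat)
        print(' Finding bindata section')
        sections = soup.findAll("w:bindata")
        if not sections:
            # Explicit message instead of a bare IndexError from [0].
            raise ValueError('no w:bindata section found in %s' % filename)
        bindat = base64.b64decode(sections[0].contents[0])
        print(' Finding compressed doc')
        start = bindat.find(b'\x78\x9c')
        # Look for the terminator only after the zlib header: a hit before
        # it produced an empty slice and a misleading zlib error.
        end = bindat.find(b'\x00\x00\x0d', start) if start >= 0 else -1
        if start < 0 or end < 0:
            print('Error! Compressed section not found...')
            sys.exit(-1)
        print(' Detected compressed file [%d:%d]' % (start, end))
        cdoc = bindat[start:end]
        print(' Extracting compressed doc')
        payload = _inflate(cdoc, max_size)
        # The output name was never %-formatted before, so every run wrote
        # to a file literally called "%s-extracted" and overwrote the last.
        with open('%s-extracted' % filename, 'wb') as of:
            of.write(payload)
        print('...done')
    except Exception as e:
        print('Something went wrong extracting the doc')
        print(e)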
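def main(targetfile):
    """Validate the command-line path and run the extraction on it.

    Args:
        targetfile: path of the XML document given on the command line.

    Returns:
        0 once extract_data has run (it reports its own failures on stdout).

    Exits with an error message when the path is missing or is not a
    regular file, so a directory or device name fails here rather than
    deep inside extract_data with a generic error.
    """
    # isfile() rather than exists(): a directory passes exists() and only
    # blows up later on open() inside extract_data.
    if not os.path.isfile(targetfile):
        sys.exit("Error: File %s doesn't exist or is not a regular file" % targetfile)
    extract_data(targetfile)
    return 0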
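if __name__ == '__main__':
    # Print a usage line instead of an IndexError traceback when the
    # document path argument is missing.
    if len(sys.argv) != 2:
        sys.exit('Usage: %s <dridex-document.xml>' % sys.argv[0])
    main(sys.argv[1])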