Added Basic OfficeParser

src/generic.py

@@ -17,6 +17,7 @@
 import hashlib
 from yara_match import YaraClass
 import math
+from office_parser import OfficeParser
 
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.INFO)
@@ -170,6 +171,9 @@ def check_mime(self):
                 #print self.magic_mime
                 if self.magic_mime in self.mime_with_macro_office.values():
                         logger.info('Office File {} mime {}'.format(self.file_path, self.magic_mime))
+			obj = OfficeParser(self.file_path)
+			results =  obj.analysis()
+			self.file_meta['features'] = results
                         logger.info('Sending File to office_extractor')
                 elif self.magic_mime in self.mime_with_macro_pdf.values()[0]:
                         logger.info('Pdf File {} mime {}'.format(self.file_path, self.magic_mime))

src/office_parser.py

@@ -0,0 +1,34 @@
+import sys
+from oletools import olevba
+
+class OfficeParser():
+    def __init__(self,sample):
+        self.sample = sample
+        self.results = {}
+
+    def extract_macro(self):
+        vba = olevba.VBA_Parser(self.sample)
+        macro_code = ""
+
+        if vba.detect_vba_macros():
+            for (filename, stream_path, vba_filename, vba_code) in vba.extract_macros():
+                macro_code += olevba.filter_vba(vba_code)
+
+            self.results["analysis"] = vba.analyze_macros()
+
+            self.results["code"] = macro_code
+            vba.close()
+            return self.results
+
+        vba.close()
+        return False
+
+    def analysis(self):
+        return self.extract_macro()
+
+if __name__ == '__main__':
+    obj = OfficeParser(sys.argv[1])
+    results =  obj.analysis()
+    for r in results["analysis"]:
+        print r
+    print "code: %s" % results["code"]