Skip to main content

Malicious Macro Bot: Python module to classify and cluster Microsoft office documents. Uses machine learning techniques to determine if VBA code is malicious or benign and groups similar documents together.

Project description

The main goals of this project are to: * Provide a powerful malicious file triage tool for cyber responders. * Help fill existing detection gaps for malicious office documents, which are still a very prevalent attack vector today. * Deliver a new avenue for threat intelligence, a way to group similar malicious office documents together to identify phishing campaigns and track use of specific malicious document templates.

These goals are achieved through clever feature engineering and applied machine learning techniques like Random Forest and TF-IDF.


Installation

sudo pip install mmbot

That’s it! Otherwise checkout the source on this git repo.

Usage Examples

Triage office files with five lines of code

Import, instantiate, predict:

from mmbot import MaliciousMacroBot
mmb = MaliciousMacroBot()
mmb.mmb_init_model()
result = mmb.mmb_predict('./your_path/your_file.xlsm', datatype='filepath')
print result.iloc[0]

Note: mmb_predict() returns a Pandas DataFrame. If you are unfamiliar with Pandas DataFrames, there is a helper function that can be used to convert a useful summary of the prediction result to json.

Convert result from Pandas DataFrame to json

print mmb.mmb_prediction_to_json(prediction)

This package was designed for flexibility. The mmb_predict() function will take in single office documents as a path to the specific file, as a path to a directory and recursively analyze all files in the path and subdirectories, as a raw byte stream of a file passed to it, or as a string of already extracted vba text that a different tool already processed. Finally, all of these options can be done in bulk mode, where the input is a Pandas DataFrame. The method will decide how to handle it based on the “datatype” argument and the actual python object type passed in.

More Information

Python 3 not fully supported. One package dependency is not working in Python 3.5 and higher, but once that is updated the rest of this project is ready to support Python 3.

License

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mmbot-1.0.4.tar.gz (863.9 kB view hashes)

Uploaded source

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Huawei Huawei PSF Sponsor Microsoft Microsoft PSF Sponsor NVIDIA NVIDIA PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page