Skip to main content

QuickSand is a module to scan streams inside documents with Yara

Project description

QuickSand Version 2

QuickSand Python Package and Command Line Tool

QuickSand is a Python-based analysis framework to analyze suspected malware documents to identify exploits in streams of different encodings or compressions. QuickSand supports documents, PDFs, Mime/Email, Postscript and other common formats. A built-in command line tool can process a single document or directory of documents.

QuickSand scans within the decoded streams of documents and PDFs using Yara signatures to identify exploits or high risk active content.

A hosted version is available to try without any installation at scan.tylabs.com.

Files:

  • src/quicksand/quicksand.py: Main quicksand class and CLI tool

  • src/quicksand/quicksand_exe.yara: Yara rules to detect executables.

  • src/quicksand/quicksand_exploits.yara: Yara rules to detect exploits in documents.

  • src/quicksand/quicksand_pdf.yara: Yara rules to detect exploits in PDFs.

  • bin/quicksand: Command line tool.

  • requirements.txt: Python dependencies

  • lambda/ Optional AWS Lambda functions

With Thanks to the Creators of:

  • pdfreader

  • oletools

  • cryptography

  • zipfile38

  • olefile

  • yara-python (version 4.3.0 or higher required)

  • yara

Installation from Pypi using pip

pip3 install quicksand

Upgrade from Pypi using pip

pip3 install --upgrade quicksand

Install from source

If you want to install from the source, such as the uicksand-main.zip downloaded from GitHub:

pip3 install quicksand-main.zip

Command Line Usage

A command line tool for quicksand to process and output json or txt results.

usage: quicksand [-h] [-v] [-c] [-y] [-t TIMEOUT] [-e EXPLOIT] [-x EXE] [-a PDF] [-f {json,txt}] [-o OUT] [-p PASSWORD]
                 [-d DROPDIR]
                 document

QuickSand Document and PDF maldoc analysis tool.

positional arguments:
  document              document or directory to scan

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         increase output verbosity
  -c, --capture         capture stream content
  -y, --yara            capture yara matched strings
  -t TIMEOUT, --timeout TIMEOUT
                        timeout in seconds
  -e EXPLOIT, --exploit EXPLOIT
                        yara exploit signatures
  -x EXE, --exe EXE     yara executable signatures
  -a PDF, --pdf PDF     yara PDF signatures
  -f {json,txt}, --format {json,txt}
                        output format
  -o OUT, --out OUT     save output to this filename
  -p PASSWORD, --password PASSWORD
                        password to decrypt ole or pdf
  -d DROPDIR, --dropdir DROPDIR
                        save objects to this directory

Process a single file

quicksand document.doc

Process a directory of files

quicksand malware/

Python Module Usage

File from memory

from quicksand.quicksand import quicksand
import pprint

qs = quicksand(data, timeout=18, strings=True)
qs.process()
pprint.pprint(qs.results)

Processing using a filename

from quicksand.quicksand import quicksand

qs2 = quicksand("file.doc")
qs2.process()
qs.results

Process a Directory

from quicksand.quicksand import quicksand
qs = quicksand.readDir("malware")
qs

Returns a dictionary of {filename: qs_results,...}.

Optional initializer values

  • capture: True|False return content of extracted streams

  • debug: True|False print debugging messages to stdout

  • exploityara: Path to exploit yara rules

  • execyara: Path to executable yara rules

  • pdfyara: PDF Exploits yara rules

  • password: Password for encrypted documents/PDFs

  • timeout: Timeout processing: 0 for unlimited.

Scoring

Documents are scored based on the rank value in the associated Yara signature metadata.

Additionally, each signature defines whether the detected item is an exploit, a warning or a risky feature. For more information on how to interpret the results, please see https://scan.tylabs.com/howto.

If you add your own signatures, they don't need to include the extra metadata to function.

zlib issues on MacOS

MacOS users may get zlib issues (PDF FlateDecode etc) due to missing OpenSSL headers since MacOs 10.4.

zlib.error: Error -3 while decompressing data: unknown compression method
zlib.error: Error -3 while decompressing data: incorrect header check

One solution is to install zlib with Brew.sh and reinstall Python 3 using pyenv:

export LDFLAGS="-L/usr/local/opt/zlib/lib"
export CPPFLAGS="-I/usr/local/opt/zlib/include"
pyenv install 3.8.5

Using Quicksand?

Let us know @tylabs

Issues and Project Home

QuickSand GitHub

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

quicksand-2.1.1.tar.gz (39.7 kB view details)

Uploaded Source

Built Distribution

quicksand-2.1.1-py3-none-any.whl (39.1 kB view details)

Uploaded Python 3

File details

Details for the file quicksand-2.1.1.tar.gz.

File metadata

  • Download URL: quicksand-2.1.1.tar.gz
  • Upload date:
  • Size: 39.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for quicksand-2.1.1.tar.gz
Algorithm Hash digest
SHA256 aeed0e72ffdd36fd9a5367eafaae65c1750ec84bd033d8bd656a936e27a48a6b
MD5 ae956beef80edaf923e9559fcb64e3ed
BLAKE2b-256 ee9285c2fff4b3f2cb886688c443a50e88a2fa81b13357331d80fcbd42c6a6e0

See more details on using hashes here.

File details

Details for the file quicksand-2.1.1-py3-none-any.whl.

File metadata

  • Download URL: quicksand-2.1.1-py3-none-any.whl
  • Upload date:
  • Size: 39.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for quicksand-2.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 c92f5c0ec7809144e42219f3e868dde4055e757e96bd749b787b785848291d1e
MD5 150c7474e4b1993183a1fa2e7e999259
BLAKE2b-256 06a13ed27f5097bf83ec995c2a7455514071388b9e8ed750210a570957d0e749

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page