Finding observables in attachments (xlsx, pdf, docx)
Hi
IMAP2THEHIVE doesn't seem to be scraping observables from the attachments.
I am currently pulling email from a gmail.com account (IMAP) every 1 minute. It is able to find the attachment and then zip, encrypt and attach the attachment file to the TheHive case, but it is unable to find any observables in the attachment (IP, URL or domain).
root@IMAP2THEHIVE:/opt/imap2thehive# python3 imap2thehive.py --config imap2thehive.conf
[WARNING]: Both case template and tasks are defined. Template (EMAIL2HIVE) will be used.
[INFO]: Processing [email protected]:993/inbox
[INFO]: Connected to IMAP server.
[INFO]: 1 unread messages to process
[INFO]: From: test email [email protected] Subject: excel
None multipart/mixed
None multipart/alternative
ips.xlsx application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
[INFO]: Found attachment: ips.xlsx (application/vnd.openxmlformats-officedocument.spreadsheetml.sheet)
[INFO]: Removed duplicate observables: 0 -> 0
[DEBUG]: Searching for \S*(ALERT|VTMIS)\S* in 'excel'
[INFO]: Created case 139
[INFO]: Added observable /tmp/ips_crhgr07f.xlsx to case ID AWtdvWk1X3o-oXPiQ5QJ
[INFO]: Message 25 successfully processed and flagged as read
root@IMAP2THEHIVE:/opt/imap2thehive# nano imap2thehive.conf
imap2thehive.conf
files: application/pdf,messages/rfc822,application/octet-stream,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-office$
Anyone have any tips? Thanks.
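What the log above shows is the attachment being uploaded as a file observable (`/tmp/ips_crhgr07f.xlsx`) while its contents are never searched, so the IP/URL/domain regexes only ever see the message body. As an added example that is not part of imap2thehive or TheHive, the stand-alone Python below shows how an OOXML attachment (xlsx/docx are zip archives of XML) can be unpacked and scanned for IPv4 addresses, URLs and domains. The workbook it scans is constructed inline, and the regexes, the list of XML parts and every function name are my own assumptions, not the project's code.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML parts that hold user-visible text (assumed list; extend for pptx etc.).
# A .xlsx keeps most cell text in xl/sharedStrings.xml, inline strings in the
# sheet XML itself; a .docx keeps paragraphs in word/document.xml.
TEXT_PART_PREFIXES = ("xl/sharedStrings.xml", "xl/worksheets/", "word/document.xml")

# Deliberately simple patterns for illustration; production code should
# validate TLDs (e.g. public suffix list) and handle defanged indicators.
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE)


def ooxml_text(data: bytes) -> str:
    """Return the text nodes of the XML parts that carry document content.

    itertext() walks every text node regardless of namespace, so <t>, <w:t>
    and inline strings are all collected. Shared-string indexes (<v>0</v>)
    come through as bare numbers; they match none of the patterns.
    """
    chunks = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.startswith(TEXT_PART_PREFIXES):
                continue
            root = ET.fromstring(zf.read(name))
            chunks.extend(t for t in root.itertext() if t.strip())
    return "\n".join(chunks)


def extract_observables(text: str) -> dict:
    """Group regex hits by TheHive-style data type, deduplicated and sorted."""
    urls = URL_RE.findall(text)
    ips = IPV4_RE.findall(text)
    # Hostnames that only occur inside an extracted URL are reported as the
    # URL, not again as a bare domain.
    domains = [d for d in DOMAIN_RE.findall(text) if not any(d in u for u in urls)]
    return {"ip": sorted(set(ips)), "url": sorted(set(urls)), "domain": sorted(set(domains))}


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook (not a real capture): two shared strings
    and one inline string, which is all the extractor above needs."""
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    shared = (f'<sst xmlns="{ns}" count="2" uniqueCount="2">'
              '<si><t>C2 at 203.0.113.5</t></si>'
              '<si><t>see http://evil.example/payload.bin</t></si></sst>')
    sheet = (f'<worksheet xmlns="{ns}"><sheetData>'
             '<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c></row>'
             '<row r="2"><c r="A2" t="inlineStr"><is><t>login.bad-domain.test</t></is></c></row>'
             '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx()
    for dtype, values in extract_observables(ooxml_text(sample)).items():
        print(dtype, values)
```

Running this prints one IP, one URL and one domain from the constructed workbook. PDFs are not zip-of-XML and would need a separate text extractor (for example pdfminer or pdftotext) in front of the same `extract_observables()` step; that part is not shown here.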
I have the same issue as yours. The MIME handling is perhaps working fine; it's just that TheHive is unable to parse it. May need to do some tweaking.