Skip to main content

Extract Indicators From File - Generic v2

This Playbook is part of the Common Playbooks Pack.#

This playbook extracts indicators from a file. Supported file types:

  • CSV
  • PDF
  • TXT
  • HTM, HTML
  • DOC, DOCX
  • PPT
  • PPTX
  • RTF
  • XLS
  • XLSX
  • XML
  • XLSM
  • DOCM
  • PPTM
  • DOTM
  • XLSB
  • DOT
  • PPSM

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Microsoft Office File Enrichment - Oletools

Integrations#

This playbook does not use any integrations.

Scripts#

  • ExtractIndicatorsFromWordFile
  • ConvertFile
  • ExtractIndicatorsFromTextFile
  • ReadPDFFileV2
  • Set
  • SetAndHandleEmpty

Commands#

  • rasterize-pdf
  • image-ocr-extract-text

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileThe file to extract indicators from.FileOptional
Indicator QueryIndicators matching the indicator query will be used as playbook inputOptional
DecodeAvailable values: "True" or "False". Default is "False"
When this is set to "True", in case a macro was found within the file (using oletools), it will output all the obfuscated strings with their decoded content (Hex, Base64, StrReverse, Dridex, VBA).		FalseOptional

Playbook Outputs#

PathDescriptionType
Domain.NameThe extracted domains.string
Account.Email.AddressThe extracted email addresses.string
File.MD5The extracted MD5 hash.string
File.SHA1The extracted SHA1 hash.string
File.SHA256The extracted SHA256 hash.string
IP.AddressThe extracted IP addresses.string
File.TextThe text or images extracted from the PDF file.string
File.ProducerThe PDF file producer.string
File.TitleThe title of the PDF file.string
File.xapThe XAP of the PDF file.string
File.AuthorThe author of the file.string
File.dcThe DC of the file.string
File.xapmmThe XAPMM of the file.string
File.ModDateThe mod date of the file.string
File.CreationDateThe creation date of the file.string
File.PagesThe number of pages in the file.string
URL.DataThe list of URLs that were extracted from the file.string
ExtractedURLsFromFilesThe list of URLs that were extracted from the file. This output is a duplicate of the URL.Data output and it enables parent playbooks to identify the URLs generated by this playbook.String
Oletools.Oleid.ole_command_resultIndicator list from the oleid command.string
Oletools.Oleid.file_nameFile name.string
Oletools.Oleid.sha256SHA256 hash.string
Oletools.Oleid.ole_command_result.File_formatIndicator file format.string
Oletools.Oleid.ole_command_result.Container_formatIndicator container format.string
Oletools.Oleid.ole_command_result.EncryptedIndicator encrypted.string
Oletools.Oleid.ole_command_result.VBA_MacrosIndicator VBA macros.string
Oletools.Oleid.ole_command_result.XLM_MacrosIndicator XLM macros.string
Oletools.Oleid.ole_command_result.External_RelationshipsIndicator external relationships.string
Oletools.Oleid.ole_command_result.ObjectPoolIndicator object pool.string
Oletools.Oleid.ole_command_result.Flash_objectsIndicator flash objects.string
Oletools.Oleid.ole_command_result.File_format.ValueIndicator file format value.string
Oletools.Oleid.ole_command_result.File_format.Ole_RiskIndicator file format OLE risk.string
Oletools.Oleid.ole_command_result.File_format.DescriptionIndicator file format description.string
Oletools.Oleid.ole_command_result.Container_format.ValueIndicator container format value.string
Oletools.Oleid.ole_command_result.Container_format.Ole_RiskIndicator container format OLE risk.string
Oletools.Oleid.ole_command_result.Container_format.DescriptionIndicator container format description.string
Oletools.Oleid.ole_command_result.Encrypted.ValueIndicator encrypted value.string
Oletools.Oleid.ole_command_result.Encrypted.Ole_RiskIndicator encrypted OLE risk.string
Oletools.Oleid.ole_command_result.Encrypted.DescriptionIndicator encrypted description.string
Oletools.Oleid.ole_command_result.VBA_Macros.ValueIndicator VBA macros value.string
Oletools.Oleid.ole_command_result.VBA_Macros.Ole_RiskIndicator VBA macros OLE risk.string
Oletools.Oleid.ole_command_result.VBA_Macros.DescriptionIndicator VBA macros description.string
Oletools.Oleid.ole_command_result.XLM_Macros.ValueIndicator XLM macros value.string
Oletools.Oleid.ole_command_result.XLM_Macros.Ole_RiskIndicator XLM macros OLE risk.string
Oletools.Oleid.ole_command_result.XLM_Macros.DescriptionIndicator XLM macros description.string
Oletools.Oleid.ole_command_result.External_Relationships.ValueIndicator XLM macros value.string
Oletools.Oleid.ole_command_result.External_Relationships.Ole_RiskIndicator XLM macros OLE risk.string
Oletools.Oleid.ole_command_result.External_Relationships.DescriptionIndicator XLM macros description.string
Oletools.Oleid.ole_command_result.ObjectPool.ValueIndicator object pool value.string
Oletools.Oleid.ole_command_result.ObjectPool.Ole_RiskIndicator object pool OLE risk.string
Oletools.Oleid.ole_command_result.ObjectPool.DescriptionIndicator object pool description.string
Oletools.Oleid.ole_command_result.Flash_objects.ValueIndicator Flash objects value.string
Oletools.Oleid.ole_command_result.Flash_objects.Ole_RiskIndicator Flash objects OLE risk.string
Oletools.Oleid.ole_command_result.Flash_objects.DescriptionIndicator Flash objects description.string
Oletools.Oleobj.ole_command_result.hyperlinksList of hyperlinks.string
Oletools.Oleobj.file_nameFile name.string
Oletools.Oleobj.sha256SHA256 hash.string
Oletools.Olevba.file_nameFile name.string
Oletools.Olevba.sha256SHA256 hash.string
Oletools.Olevba.ole_command_result.macro_analyzeMacro analyze.string
Oletools.Olevba.ole_command_result.macro_src_codeMacro source code.string
Oletools.Olevba.ole_command_result.macro_listMacro list.string
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.TypeThe indicator type.string
DBotScore.VendorThe vendor used to calculate the score.string
DBotScore.ScoreThe actual score.number

Playbook Image#

Extract Indicators From File - Generic v2

Edit this page
Report an Issue