Allow analyzing file with EmergingThreats_MalwareInfo

analyzers/EmergingThreats/EmergingThreats_MalwareInfo.json

@@ -5,7 +5,7 @@
   "url": "https://github.com/dadokkio/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Retrieve ET details and info related to a malware hash.",
-  "dataTypeList": ["hash"],
+  "dataTypeList": ["file", "hash"],
   "command": "EmergingThreats/emergingthreats_analyzer.py",
   "baseConfig": "EmergingThreats",
   "configurationItems": [

analyzers/EmergingThreats/emergingthreats_analyzer.py

@@ -3,6 +3,7 @@
 
 from cortexutils.analyzer import Analyzer
 
+import hashlib
 import requests
 import time
 
@@ -59,7 +60,9 @@ class EmergingThreatsAnalyzer(Analyzer):
         Analyzer.run(self)
         info = {}
         try:
-            object_name = self.get_data()
+            if self.data_type != 'file':
+                object_name = self.get_data()
+
             if self.data_type in ['domain', 'fqdn']:
                 url = "https://api.emergingthreats.net/v1/domains/"
                 features = {'reputation', 'urls', 'samples', 'ips', 'events', 'nameservers', 'whois', 'geoloc'}
@@ -71,6 +74,18 @@ class EmergingThreatsAnalyzer(Analyzer):
             elif self.data_type == 'hash':
                 url = "https://api.emergingthreats.net/v1/samples/"
                 features = {'', 'connections', 'dns', 'events'}
+
+            elif self.data_type == 'file':
+                url = "https://api.emergingthreats.net/v1/samples/"
+                features = {'', 'connections', 'dns', 'events'}
+                hashes = self.get_param('attachment.hashes', None)
+                if hashes is None:
+                    filepath = self.get_param('file', None, 'File is missing')
+                    object_name = hashlib.md5(open(filepath, 'r').read()).hexdigest()
+                else:
+                    # find MD5 hash
+                    object_name = next(h for h in hashes if len(h) == 32)
+
             else:
                 self.error('Invalid data type !')