DIARIO Anonymous Upload







  • You can download the anonymous client for various platforms:
    • Windows
    • Linux
    • Mac OS
  • Implement your own client.

Client Implementation


POST /api/${documentType}/anonymous-upload


  • hash
  • file: A zip file as multipart file
  • 401
  • 409
  • 501

{
   "hash": "2dd5154eb199fd7f08770fe0660ee8cf03a174576fab07a17bde5db30b8311ae"
}

  1. How to generate the zip file?
    The file content will depend on the type of document. In all cases, the zip file will include a JSON file containing the anonymous features extracted from the document that DIARIO needs for its predictions. The name of the JSON file must be the SHA-256 hash of the analyzed file (already sent in the document_hash param).
    For office documents based on XML formats (docx, xlsx, docm, doctm), the zip must also contain the following two files:
    • core.xml: Its location within the document will be doctype/docProps/core.xml, where doctype is {word/xl} depending on whether it is a Word or Excel document respectively.
    • vbaProject.bin: Its location within the document will be doctype/vbaProject.bin, where doctype is {word/xl} depending on whether it is a Word or Excel document respectively.

  2. How to generate the JSON file with the anonymous document information?
    The JSON file included in the ZIP must respect one of the following two structures, depending on the type of document analyzed:
    • PDF:
    • For PDF documents, the JSON object must contain the output of both analysis tools, peepdf and o-checker, under the root elements "peepdf" (the output of the getStats() function) and "o-checker" (written "ochecker" in the example below) respectively. From peepdf, the JSON must also include the output of getBasicMetadata(0).get("producer") as the "producer" root element and the result of getJavascriptCode() (Base64-encoded) as the "javascript_code" root element. Finally, the JSON must contain the root elements "document_hash" and "document_type".

      {
         "peepdf":{
            "Binary":"True",
            "Errors":[
      
            ],
            "SHA1":"ea59b3cf7cadcd722e96245a98ac116de9558f3c",
            "Updates":"1",
            "Versions":[
               {
                  "Info":"14",
                  "Xref Streams":[
                     "1",
                     [
                        39
                     ]
                  ],
                  "Errors":null,
                  "Compressed Objects":null,
                  "Object Streams":null,
                  "Vulns":null,
                  "Actions":null,
                  "Catalog":"16",
                  "Objects":[
                     "2",
                     [
                        15,
                        39
                     ]
                  ],
                  "Streams":[
                     "1",
                     [
                        39
                     ]
                  ],
                  "Elements":null,
                  "URLs":null,
                  "Decoding Errors":null,
                  "Encoded":[
                     "1",
                     [
                        39
                     ]
                  ],
                  "Objects with JS code":null,
                  "Events":null
               },
               {
                  "Info":"14",
                  "Xref Streams":[
                     "1",
                     [
                        10
                     ]
                  ],
                  "Errors":[
                     "1",
                     [
                        38
                     ]
                  ],
                  "Compressed Objects":[
                     "23",
                     [
                        40,
                        41,
                        42,
                        43,
                        44
                     ]
                  ],
                  "Object Streams":[
                     "3",
                     [
                        18,
                        5,
                        6
                     ]
                  ],
                  "Vulns":null,
                  "Actions":null,
                  "Catalog":"16",
                  "Objects":[
                     "4",
                     [
                        1,
                        2,
                        3,
                        4
                     ]
                  ],
                  "Streams":[
                     "3",
                     [
                        59,
                        18,
                        19
                     ]
                  ],
                  "Elements":null,
                  "URLs":null,
                  "Decoding Errors":[
                     "1",
                     [
                        38
                     ]
                  ],
                  "Encoded":[
                     "2",
                     [
                        59,
                        18
                     ]
                  ],
                  "Objects with JS code":null,
                  "Events":null
               }
            ],
            "Encrypted":"False",
            "Objects":"59",
            "Comments":"0",
            "Linearized":"True",
            "Detection":[
      
            ],
            "MD5":"90b70723497d6477c5556207e0d63637",
            "Version":"1.4",
            "Streams":"31",
            "Detection report":"",
            "File":"0cb2323760191d90355fb673b53141e8061233aaf1a6a2e514402eae9ce60219",
            "SHA256":"0cb2323760191d90355fb673b53141e8061233aaf1a6a2e514402eae9ce60219",
            "Encryption Algorithms":[],
            "Size":"440295"
         },
         "ochecker":{
            "suspicious":[],
            "malicious":[],
            "finished_pdf":true
         },
         "producer":"MS Office 2013",
         "document_hash":"0cb2323760191d90355fb673b53141e8061233aaf1a6a2e514402eae9ce60219",
         "document_type":"pdf",
         "javascript_code": [
         "ZnVuY3Rpb24gcHJpbnRIZWxsb1dvcmxkKCl7Y29uc29sZS5sb2coIkhFTExPIFdPUkxEIik7fQpwcmludEhlbGxvV29ybGQoKTs=",
         "dmFyIGhlbGxvV29ybGQgPSAiSEVMTE8gV09STEQiOw=="
         ]
      }
    • OFFICE:

    • The JSON string, in addition to the root elements "document_hash" and "document_type" (which are common to all documents), should contain:
          vbaparser: The JSON output of the VBA_PARSER function of the olevba tool.
          macros: For each macro present in the document, its name and code_b64 (the macro code, Base64-encoded).
          macros_size: The sum of the sizes of all macros (in bytes).
          file_extension: The file extension.
          file_mimetype: In principle, this entry should contain the same value as 'document_type'. However, the value must be generated according to the following criteria: if the file has an OLE file structure and the output of olef.get_metadata().creating_application is 'Microsoft Excel', the value of this entry will be 'xls'. If the creating application is 'Microsoft Word', the value will be 'doc'. On the other hand, if the file structure is a ZIP (XML-based formats), the value will be 'docx' if the archive contains the word/vbaProject.bin file and 'xlsx' if it contains xl/vbaProject.bin.

      Only for documents that are not based on XML formats (doc and xls), the JSON string must contain the entry "ole_document_info", composed of:
          "creating_application": Can be extracted by using olef.get_metadata().creating_application.
          "create_time": Can be extracted by using olef.get_metadata().create_time.
          "last_saved_time": Can be extracted by using olef.get_metadata().last_saved_time.
          "VBA_folder_ctime": Can be extracted by using olef.getctime(vbaFolder), where vbaFolder should be "_VBA_PROJECT_CUR/VBA" for Excel documents and "Macros/VBA" for Word.
          "VBA_folder_mtime": Can be extracted by using olef.getmtime(vbaFolder), where vbaFolder should be "_VBA_PROJECT_CUR/VBA" for Excel documents and "Macros/VBA" for Word.

      {
        "document_hash": "22120501471326e7c46f322354d8d99935e6348bf253496832c88b990cf34619",
        "file_mimetype": "docx",
        "file_extension": "danger",
        "vbaparser": {
          "nb_base64strings": 46,
          "vba_parser_analysis_results": [
            "AutoClose",
            "Run",
            "CreateObject",
            "Base64 Strings",
            "VBA obfuscated Strings",
            "uBgNCioRpjuAMOkFBJnJHLKFgTOdVMbgFrKEZozJN",
            "KXukYOCubxGbZLEUbonAYxHSUwcYwUVvzkZTNXKdwVvJPATiOGPGpzpRpFZoncrHgEQ",
            "KYEPzOUgWfQRKcBIwjNBuv",
            "qUTyrTRgqKSFQZpVduM"
          ],
          "nb_dridexstrings": 0,
          "nb_vbastrings": 47,
          "nb_macros": 1,
          "autoexec_presence": false,
          "nb_hexstrings": 0
        },
        "macros_size": 16094,
        "macros": [
          {
            "code_b64": "QXR0cmlidXRlIFZCX05hbWUgPSAiVGhpc0RvY3VtZW50Ig0KQXR0cmlidXRlIFZCX0Jhc2UgPSAiMU5vcm1hbC5UaGlzRG9jdW1lbnQiDQpBdHRyaWJ1dGUgVkJfR2xvYmFsTmFtZVNwYWNlID0gRmFsc2UNCkF0dHJpYnV0ZSBWQl9DcmVhdGFibGUgPSBGYWxzZQ0KQXR0cmlidXRlIFZCX1ByZWRlY2xhcmVkSWQgPSBUcnVlDQpBdHRyaWJ1dGUgVkJfRXhwb3NlZCA9IFRydWUNCkF0dHJpYnV0ZSBWQl9UZW1wbGF0ZURlcml2ZWQgPSBUcnVlDQpBdHRyaWJ1dGUgVkJfQ3VzdG9taXphYmxlID0gVHJ1ZQ0K",
            "name": "ThisDocument.cls"
          }
        ],
        "ole_document_info": {
            "create_time": "",
            "last_saved_time": "",
            "creating_application": "",
            "VBA_folder_ctime": "",
            "VBA_folder_mtime": ""
        }
      }
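
The zip-packaging rules and the file_mimetype rules above as client-side Python (an added example, not DIARIO's own client code): only the feature JSON, core.xml and vbaProject.bin go into the upload, never the document body. Assumptions: the function names, the MAX_PART size cap, naming the JSON entry by the bare hash with no extension, storing the two parts under their base names, and the caller obtaining creating_application from olef.get_metadata().

```python
import hashlib
import io
import json
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound-file signature
OLE_APPS = {"Microsoft Excel": "xls", "Microsoft Word": "doc"}
VBA_PARTS = {"word/vbaProject.bin": "docx", "xl/vbaProject.bin": "xlsx"}
MAX_PART = 8 * 1024 * 1024  # assumed cap; members declaring more are skipped

def wanted_parts(doc):
    """Return {member_name: bytes} for core.xml / vbaProject.bin, {} if not a ZIP."""
    if doc[:4] != b"PK\x03\x04" or not zipfile.is_zipfile(io.BytesIO(doc)):
        return {}
    with zipfile.ZipFile(io.BytesIO(doc)) as src:
        return {i.filename: src.read(i) for i in src.infolist()
                if (i.filename.endswith("docProps/core.xml") or i.filename in VBA_PARTS)
                and i.file_size <= MAX_PART}

def file_mimetype(doc, creating_application=None):
    """file_mimetype rules as read from the text; None when no rule matches."""
    if doc.startswith(OLE_MAGIC):
        # Caller supplies olef.get_metadata().creating_application (olefile).
        return OLE_APPS.get(creating_application)
    parts = wanted_parts(doc)
    return next((v for p, v in VBA_PARTS.items() if p in parts), None)

def build_upload_zip(doc, features):
    """Return (sha256_hex, zip_bytes) for the multipart 'file' field."""
    digest = hashlib.sha256(doc).hexdigest()
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        # Assumption: the JSON entry is named by the bare hash, no extension.
        dst.writestr(digest, json.dumps(dict(features, document_hash=digest)))
        for name, data in wanted_parts(doc).items():
            base = name.rsplit("/", 1)[-1]  # stored flat (assumption)
            if base not in dst.namelist():
                dst.writestr(base, data)
    return digest, out.getvalue()

def sample_docm():
    """Constructed stand-in for a macro-enabled Word file, not a real one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", "<cp:coreProperties/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()
```

Listing the names in the resulting archive before sending it is a quick check that nothing beyond the hash-named JSON, core.xml and vbaProject.bin is being uploaded.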