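---
# Multi-Tool Analysis Recipes
# These are pipe chains and multi-step commands that combine tools
# Each recipe is cross-referenced to all tools it uses
#
# Placeholder convention: angle-bracket tokens such as <FILE>, <N> (stream /
# object / Base64-hit number), <KEY>, <OFFSET> are to be replaced by the
# analyst before a command is run. A command entry that starts with "#" is a
# comment line, not something to execute.
#
# Schema per recipe:
#   id       - stable identifier (kebab-case)
#   name     - short human-readable title
#   task     - what the chain accomplishes
#   tools    - ids of every tool the chain uses (kept in sync with the tool list)
#   commands - ordered list of shell command strings and "#" comment strings
#   lab      - optional lab reference(s); always quoted so "3.10" stays a string

recipes:
  # ============================================================
  # OFFICE DOCUMENT ANALYSIS
  # ============================================================
  - id: extract-base64-ps-from-vba
    name: "Extract Base64 PowerShell from Office Macro"
    task: "Get encoded PowerShell payload hidden in a VBA UserForm stream"
    tools: [oledump-py, base64dump-py]
    commands:
      - "# List streams — find macro (M) and data streams"
      - "oledump.py <FILE>"
      - "# Extract VBA source to understand what the macro does"
      - "oledump.py -s <N> -v <FILE>"
      - "# Scan data stream for Base64 strings"
      - "oledump.py -s <N> -d <FILE> | base64dump.py -n 10"
      - "# Decode the longest Base64 hit to file"
      - "oledump.py -s <N> -d <FILE> | base64dump.py -s 1 -d > payload.ps1"
    lab: "3.4"

  - id: vba-number-string-decode
    name: "Decode VBA Number Arrays to Strings"
    task: "Convert VBA macros that use Chr() number sequences into readable text"
    tools: [oledump-py, numbers-to-string-py]
    commands:
      - "# Extract VBA and convert number sequences to text"
      - "oledump.py -s <N> -v <FILE> | numbers-to-string.py -j"
      - "# Same but with line-break formatting for readability"
      - "oledump.py -s <N> -v <FILE> | numbers-to-string.py -j | sed 's/;/;\\n/g'"
    lab: "3.3"

  - id: multi-stage-base64-gzip
    name: "Decode Base64 + Gzip Payload"
    task: "Handle double-encoded payloads: Base64 wrapping gzip-compressed content"
    tools: [base64dump-py, gunzip]
    commands:
      - "# Find Base64 strings in the script"
      - "base64dump.py -n 10 <FILE>"
      - "# Decode Base64 and decompress gzip in one chain"
      - "base64dump.py -s <N> -d <FILE> | gunzip > decoded.ps1"
    lab: "3.4"

  - id: base64-xor-shellcode
    name: "Decode Base64 + XOR Shellcode"
    task: "Extract shellcode encoded as Base64 with an XOR key"
    tools: [base64dump-py, translate-py]
    commands:
      - "# Find Base64 strings"
      - "base64dump.py -n 10 <FILE>"
      - "# Decode Base64, then XOR with key"
      - "base64dump.py -s <N> -d <FILE> | translate.py 'byte ^ <KEY>' > shellcode.bin"
    lab: "3.4"

  - id: office-full-decode-chain
    name: "Full Office Macro Decode Chain"
    task: "Complete pipeline: Office doc → VBA → Base64 → gunzip → XOR → shellcode"
    tools: [oledump-py, base64dump-py, gunzip, translate-py, scdbgc]
    commands:
      - "# Step 1: List streams and extract VBA"
      - "oledump.py <FILE>"
      - "oledump.py -s <N> -v <FILE>"
      - "# Step 2: Extract Base64 from data stream"
      - "oledump.py -s <N> -d <FILE> | base64dump.py -s 1 -d > stage1.ps1"
      - "# Step 3: Decode second Base64 layer + decompress"
      - "base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1"
      - "# Step 4: XOR decode the shellcode"
      - "base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin"
      - "# Step 5: Emulate the shellcode"
      - "scdbgc /f shellcode.bin /s -1"
    lab: "3.4"

  - id: password-protected-office
    name: "Decrypt Password-Protected Office Document"
    task: "Remove password protection before analysis"
    tools: [msoffcrypto-tool]
    commands:
      - "# Common malware passwords: infected, malware, password, 123456"
      - "msoffcrypto-tool -p infected <ENCRYPTED_FILE> <DECRYPTED_FILE>"

  - id: excel-xlm-macros
    name: "Deobfuscate Excel 4.0 (XLM) Macros"
    task: "Extract and decode legacy Excel macros hidden in sheets"
    tools: [xlmmacrodeobfuscator]
    commands:
      - "# Deobfuscate XLM macros"
      - "xlmdeobfuscator --file <FILE>"

  - id: vba-pcode-decompile
    name: "Recover VBA from p-code (source removed)"
    task: "Decompile VBA when source code has been stripped, only p-code remains"
    tools: [pcode2code, pcodedmp]
    commands:
      - "# Decompile p-code back to VBA source"
      - "pcode2code <FILE>"
      - "# Or disassemble p-code to assembly"
      - "pcodedmp <FILE>"

  # ============================================================
  # RTF DOCUMENT ANALYSIS
  # ============================================================
  - id: rtf-shellcode-extraction
    name: "Extract Shellcode from RTF Document"
    task: "Find and extract embedded shellcode from a malicious RTF file"
    tools: [rtfdump-py, xorsearch, scdbgc]
    commands:
      - "# Scan RTF structure — look for groups with lots of hex data"
      - "rtfdump.py <FILE>"
      - "# Extract the hex-heavy group as binary"
      - "rtfdump.py -s <N> -H -d <FILE> > extracted.bin"
      - "# Scan for shellcode patterns (even XOR-encoded)"
      - "XORSearch -W -d 3 extracted.bin"
      - "# Emulate shellcode at found offset"
      - "scdbgc /f extracted.bin /foff <OFFSET> /s -1"
    lab: "3.5"

  # ============================================================
  # PDF ANALYSIS
  # ============================================================
  - id: pdf-object-extraction
    name: "Extract Embedded Object from PDF"
    task: "Pull out an embedded image, JavaScript, or file from a PDF object"
    tools: [pdfid-py, pdf-parser-py, feh]
    commands:
      - "# Scan for suspicious keywords"
      - "pdfid.py <FILE>"
      - "# Find objects containing the keyword"
      - "pdf-parser.py -s /URI <FILE>"
      - "# Extract all values for that keyword"
      - "pdf-parser.py -k /URI <FILE>"
      - "# Dump a specific object to file"
      - "pdf-parser.py -o <N> -d extracted_object <FILE>"
      - "# View extracted image"
      - "feh extracted_object &"
    lab: "3.1"

  - id: pdf-javascript-extraction
    name: "Extract JavaScript from PDF"
    task: "Find and extract embedded JavaScript from a PDF file"
    tools: [pdfid-py, pdf-parser-py, peepdf]
    commands:
      - "# Check if PDF contains JavaScript"
      - "pdfid.py <FILE>"
      - "# Find objects with JavaScript"
      - "pdf-parser.py -s /JavaScript <FILE>"
      - "# Interactive analysis with peepdf"
      - "peepdf -i <FILE>"

  # ============================================================
  # JAVASCRIPT DEOBFUSCATION
  # ============================================================
  - id: js-deobfuscation-spidermonkey
    name: "Deobfuscate JavaScript with SpiderMonkey"
    task: "Execute obfuscated JS safely using SpiderMonkey with API simulation"
    tools: [js-beautify, spidermonkey]
    commands:
      - "# Beautify compressed JavaScript"
      - "js-beautify <FILE> > readable.js"
      - "# Execute with objects.js to simulate browser/WScript APIs"
      - "js -f /usr/share/remnux/objects.js -f <FILE> > decoded.js"
      - "# If script expects location.href, edit objects.js first:"
      - "cp /usr/share/remnux/objects.js ."
      - "# Edit objects.js to set: location = { href: 'http://expected-url' }"
      - "js -f objects.js -f <FILE> > decoded.js"
    lab: "3.6, 3.7"

  - id: js-null-byte-cleanup
    name: "Clean Null Bytes from UTF-16 JavaScript"
    task: "Remove null byte padding from UTF-16 encoded JavaScript before analysis"
    tools: [spidermonkey]
    commands:
      - "# Check for null bytes (look for 00 in hex)"
      - "xxd <FILE> | head -2"
      - "# Remove null bytes"
      - "cat <FILE> | tr -d '\\00' > clean.js"
      - "# Then deobfuscate"
      - "js -f /usr/share/remnux/objects.js -f clean.js > decoded.js"
      - "# Beautify the result"
      - "js-beautify decoded.js > final.js"
    lab: "4.5"

  # ============================================================
  # SHELLCODE ANALYSIS
  # ============================================================
  - id: shellcode-emulate-with-offset
    name: "Emulate Shellcode at Specific Offset"
    task: "Run shellcode that starts at an offset within a larger binary"
    tools: [scdbgc]
    commands:
      - "# Emulate from file start"
      - "scdbgc /f <FILE> /s -1"
      - "# Emulate from specific offset (hex)"
      - "scdbgc /f <FILE> /foff <OFFSET> /s -1"
      - "# Emulate with a file handle pre-opened (for exploits)"
      - "scdbgc /f <FILE> /foff <OFFSET> /fopen <HANDLE_FILE> /s -1"
    lab: "3.5, 4.6"

  - id: cobalt-strike-beacon-parse
    name: "Parse Cobalt Strike Beacon Configuration"
    task: "Extract C2 config from a Cobalt Strike beacon or shellcode"
    tools: [1768-py, yara]
    commands:
      - "# Scan with YARA for CS signatures"
      - "yara-rules <FILE>"
      - "# Extract beacon configuration"
      - "1768.py <FILE>"
    lab: "3.4"

  - id: shellcode-to-exe
    name: "Convert Shellcode to Executable"
    task: "Wrap raw shellcode in a PE for analysis in disassemblers"
    tools: [shcode2exe]
    commands:
      - "# Convert 32-bit shellcode to EXE"
      - "shcode2exe <FILE>"

  # ============================================================
  # STRING DEOBFUSCATION
  # ============================================================
  - id: xor-key-brute-force
    name: "Brute-Force XOR Key"
    task: "Find the XOR key used to encode strings in a binary"
    tools: [brxor-py, bbcrack, xorsearch, xortool]
    commands:
      - "# Quick check for XOR-encoded URLs/PE headers"
      - "XORSearch <FILE> http:"
      - "# Brute-force single-byte XOR keys"
      - "brxor.py <FILE>"
      - "# Try XOR, ROL, ADD combinations"
      - "bbcrack -l 1 <FILE>"
      - "# Guess multi-byte XOR key length and value"
      - "xortool <FILE>"
      - "# Decode with known key"
      - "xortool-xor -s '<KEY>' -i <FILE> -o <OUTPUT>"
    lab: "5.2"

  - id: stack-string-extraction
    name: "Extract Stack-Built Strings"
    task: "Decode strings assembled byte-by-byte on the stack"
    tools: [strdeob-pl, floss]
    commands:
      - "# Automatic stack string recovery"
      - "strdeob.pl <FILE>"
      - "# FLOSS automatic deobfuscation (static + stack + decoded)"
      - "floss <FILE>"
      - "# FLOSS skip static strings, only show decoded"
      - "floss --no-static -- <FILE>"
    lab: "5.2"

  - id: cyberchef-xor-decode
    name: "Visual XOR/Base64 Decode with CyberChef"
    task: "Use CyberChef's recipe builder for multi-step decoding"
    tools: [cyberchef]
    commands:
      - "# Launch CyberChef"
      - "cyberchef"
      - "# Common recipe: From Hex → XOR (key) → extract strings"
      - "# Common recipe: From Base64 → Decode text UTF-16LE"

  # ============================================================
  # MALWARE EMULATION & CAPABILITY ANALYSIS
  # ============================================================
  - id: speakeasy-emulation-with-json
    name: "Emulate Malware and Extract API Calls"
    task: "Emulate a Windows binary on Linux and analyze its API usage"
    tools: [speakeasy, jq]
    commands:
      - "# Emulate and capture both JSON report and text log"
      - "speakeasy -t <FILE> -o report.json 2> report.txt"
      - "# Extract all API names called"
      - "jq '.entry_points[].apis[].api_name' report.json"
      - "# Extract unique API names"
      - "jq -r '.entry_points[].apis[].api_name' report.json | sort -u"
    lab: "1.4"

  - id: capa-capability-filter
    name: "Filter Capabilities by Technique"
    task: "Find specific capabilities in capa output"
    tools: [capa]
    commands:
      - "# Full capabilities report"
      - "capa <FILE>"
      - "# Verbose with rule matches"
      - "capa -vv <FILE>"
      - "# Filter for specific technique"
      - "capa -vv <FILE> | grep -A7 '<TECHNIQUE>'"
      - "# Find injection-related capabilities"
      - "capa -vv <FILE> | grep -A7 'inject\\|hollow\\|suspend'"
    lab: "1.4, 5.4"

  # ============================================================
  # NETWORK ANALYSIS
  # ============================================================
  - id: pcap-file-carving
    name: "Extract Files from Network Capture"
    task: "Carve downloaded payloads and exfiltrated data from PCAP"
    tools: [tcpxtract, tcpflow, networkminer]
    commands:
      - "# Carve files using signatures"
      - "tcpxtract -f <PCAP> -o carved/"
      - "# Extract individual TCP streams"
      - "tcpflow -r <PCAP> -o streams/"
      - "# Or use NetworkMiner for automated extraction"
      - "NetworkMiner --pcap <PCAP>"

  - id: dns-interception-setup
    name: "Set Up DNS + HTTP Interception"
    task: "Redirect all malware DNS queries and serve fake HTTP responses"
    tools: [fakedns, httpd, inetsim]
    commands:
      - "# Option A: Simple DNS + HTTP"
      - "fakedns &"
      - "httpd &"
      - "# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP)"
      - "inetsim"
      - "# Verify DNS is working"
      - "nslookup anything.com"
      - "# Redirect hardcoded IPs too"
      # REDIRECT without --to-ports keeps the original destination port, so the
      # local fake service must be listening on the same port the sample targets.
      - "iptables -t nat -A PREROUTING -i eth0 -j REDIRECT"

  # ============================================================
  # .NET ANALYSIS
  # ============================================================
  - id: dotnet-decompile-cli
    name: "Decompile .NET on Command Line"
    task: "Decompile a .NET assembly to C# source on REMnux"
    tools: [ilspycmd, de4dot]
    commands:
      - "# Decompile to C# source"
      - "ilspycmd <FILE> > source.cs"
      - "# Search for suspicious patterns"
      - "grep -n 'Assembly.Load\\|WebClient\\|Process.Start' source.cs"
      - "# If obfuscated, deobfuscate first"
      - "de4dot <FILE>"
      - "ilspycmd <DEOBFUSCATED_FILE> > source_clean.cs"
    lab: "4.8"

  # ============================================================
  # MEMORY FORENSICS
  # ============================================================
  - id: volatility-quick-triage
    name: "Quick Memory Dump Triage"
    task: "Fast initial assessment of a memory dump"
    tools: [volatility3]
    commands:
      - "# Identify OS"
      - "vol3 -f <DUMP> windows.info"
      - "# Process tree (spot anomalies)"
      - "vol3 -f <DUMP> windows.pstree"
      - "# Network connections"
      - "vol3 -f <DUMP> windows.netscan"
      - "# Injected code detection"
      - "vol3 -f <DUMP> windows.malfind"

  # ============================================================
  # ANDROID ANALYSIS
  # ============================================================
  - id: apk-quick-triage
    name: "Quick APK Triage"
    task: "Fast initial assessment of a suspicious Android app"
    tools: [apkid, apktool, jadx]
    commands:
      - "# Check for packers/obfuscators"
      - "apkid <APK>"
      - "# Decompile to smali + resources"
      - "apktool d <APK> -o output/"
      - "# Check permissions"
      - "grep 'uses-permission' output/AndroidManifest.xml"
      - "# Decompile to Java source"
      - "jadx -d src/ <APK>"

  # ============================================================
  # EMAIL ANALYSIS
  # ============================================================
  - id: email-attachment-extraction
    name: "Extract and Triage Email Attachments"
    task: "Pull attachments from an email and identify their types"
    tools: [emldump-py, file, sha256sum]
    commands:
      - "# List email structure"
      - "emldump.py <FILE>"
      - "# Extract all attachments (repeat per attachment part number N)"
      - "emldump.py -s <N> -d <FILE> > attachment_<N>"
      - "# Identify file types"
      - "file attachment_*"
      - "# Compute hashes for lookup"
      - "sha256sum attachment_*"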