Object types

class mwdblib.MWDBObject(api: mwdblib.api.api.APIClient, data: Dict[str, Any])[source]

Represents abstract, generic MWDB object.

Should never be instantiated directly.

If you really need to get synthetic instance - use internal create() static method.

add_attribute(key: str, value: Any) → None[source]

Adds attribute.

Key can’t be ‘karton’. If you want to assign an analysis, use assign_analysis() instead or use add_metakey() method.

New in version 4.0.0.

Parameters

key (str) – Attribute key
value (Any (JSON-like object)) – Attribute value

add_child(child: Union[mwdblib.object.MWDBObject, str]) → None[source]

Adds reference to child with current object as parent

Parameters: child (MWDBObject or str) – Object or object identifier (sha256)

add_comment(comment: str) → None[source]

Adds comment

Parameters: comment (str) – Comment string

add_metakey(key: str, value: str) → None[source]

Adds metakey attribute (string only)

Deprecated since version 4.0.0: Use add_attribute instead

Parameters

key (str) – Attribute key
value (str) – Attribute value

add_tag(tag: str) → None[source]

Tags object using specified tag

Parameters: tag (str) – Tag string

property analyses: List[MWDBKartonAnalysis]

Returns list of Karton analyses related with this object

Requires MWDB Core >= 2.3.0.

New in version 4.0.0.

assign_analysis(analysis_id: str) → MWDBKartonAnalysis[source]

Assigns object to existing Karton analysis

Requires MWDB Core >= 2.3.0.

Parameters: analysis_id – Karton analysis UUID

New in version 4.0.0.

property attributes: Dict[str, List[Any]]

Returns dict object with attributes.

Supports JSON-like values in MWDB Core >= 2.6.0.

New in version 4.0.0.

Returns: Dict object containing attributes

property children: List[mwdblib.object.MWDBObject]

Returns list of child objects

Returns: List of child objects

property comments: List[MWDBComment]

Returns list of comments

Returns: List of comment objects

Example - print all comments of last object commented as “malware”:

comments = next(mwdb.search_files('comment:"*malware*"')).comments
for comment in comments:
    print("{} {}".format(comment.author, comment.comment))

property content: bytes: Returns stringified contents of object

New in version 3.0.0: Added MWDBObject.content property

static create(api: mwdblib.api.api.APIClient, data: Dict[str, Any]) → mwdblib.object.MWDBObject[source]: Creates specialized MWDBObject subclass instance based on specified data

flush() → None[source]: Flushes local object state in case of pending updates. All object-specific properties will be lazy-loaded using API

get_attributes_detailed() → List[Dict[str, Any]][source]

Returns list with attributes including identifiers needed to remove specific attribute.

Requires MWDB Core >= 2.6.0.

New in version 4.1.0.

Returns: List containing detailed attributes

property id: str: Object identifier (sha256)

property metakeys: Dict[str, List[str]]

Returns dict object with metakeys.

JSON-like values are coerced to strings for backwards compatibility.

Deprecated since version 4.0.0: Use attributes instead

Returns: Dict object containing metakey attributes

property object_type: str: Object type (‘file’, ‘static_config’ or ‘text_blob’)

property parents: List[mwdblib.object.MWDBObject]

Returns list of parent objects

Returns: List of parent objects

reanalyze(arguments: Optional[Dict[str, Any]] = None) → MWDBKartonAnalysis[source]

Submits new Karton analysis for given object.

Requires MWDB Core >= 2.3.0.

Parameters

arguments –

Optional, additional arguments for analysis. Reserved for future functionality.

New in version 4.0.0.

remove() → None[source]

Remove specific object from mwdb

The object should be treated as invalidated after using this method .

remove_attribute(attribute_id: int) → None[source]

Remove specific attribute from object

See also

IDs of attributes can be found here: get_attributes_detailed()

Parameters: attribute_id (int) – Attribute id

remove_comment(comment_id: int) → None[source]

Remove specific comment from object

Parameters: comment_id (int) – Comment id

remove_tag(tag: str) → None[source]

Untags object using specified tag

Parameters: tag (str) – Tag string

property sha256: str: Object identifier (sha256)

share_with(group: str) → None[source]

Share object with specified group

New in version 3.0.0: Added MWDBObject.share_with() method

Parameters: group (str) – Group name

property shares: List[MWDBShare]

Returns list of shares

Returns: List of share objects

property tags: List[str]

Returns list of tags

Returns: List of tags

property upload_time: datetime.datetime

Returns timestamp of first object upload

Returns: datetime object with object upload timestamp

class mwdblib.MWDBFile(api: mwdblib.api.api.APIClient, data: MWDBElementData)[source]

property config: Optional[MWDBConfig]

Returns latest config related with this object

Return type: MWDBConfig or None
Returns: Latest configuration if found

property content: bytes: Returns file contents, calling MWDBFile.download() if contents were not loaded yet

download() → bytes[source]

Downloads file contents

Returns: File contents
Return type: bytes

Example - download first file with size less than 1000 bytes and VBS extension

dropper = next(
    mwdb.search_files('file.size:[0 TO 1000] AND file.name:"*.vbs"')
)

with open(dropper.file_name, "wb") as f:
    f.write(dropper.download())

print("Downloaded {}".format(dropper.file_name))

property file_name: str: Sample original name

property file_size: int: Sample size in bytes

property file_type: str: Sample type

property name: str: Alias for file_name property

property size: int: Alias for file_size property

property type: str: Alias for file_type property

class mwdblib.MWDBConfig(api: mwdblib.api.api.APIClient, data: Dict[str, Any])[source]

property cfg: Dict[str, Any]: Raw dict object with configuration

See also

config_dict

property config: Dict[str, Any]: dict object with configuration. In-blob keys are mapped to MWDBBlob objects.

property config_dict: Dict[str, Any]: Raw dict object with configuration (in-blob keys are not mapped to MWDBBlob objects)

property content: bytes

Returns raw dict object as JSON bytes

Return type: bytes

property family: str: Configuration family

property type: str: Configuration type (‘static’ or ‘dynamic’)

class mwdblib.MWDBBlob(api: mwdblib.api.api.APIClient, data: Dict[str, Any])[source]

property blob_name: str: Blob name

property blob_size: int: Blob size in bytes

property blob_type: str: Blob semantic type

property config: Optional[MWDBConfig]

Returns latest config related with this object

Returns: Latest configuration if found

property content: bytes: Contains blob content

Changed in version 3.0.0: Returned type is guaranteed to be utf8-encoded bytes

property last_seen: datetime.datetime

Returns: datetime object when blob was last seen in MWDB

property name: str: Alias for blob_name property

property size: int: Alias for blob_size property

property type: str: Alias for blob_type property