finding observable in attachment xlsx, pdf, docx

[minhanh1234]

Hi

the IMAP2THEHIVE doesn't seem to be scrapping observable in the attachments.

I am currently pulling email from gmail.com account (IMAP) every 1 minute.
It is able to find the attachment and then Zip, Encrypt and attach the attachment file to theHive Case. but it is unable to find any observable in the attachment (IP, URL or domain)

ips.pdf
ips.xlsx
ips.docx

root@IMAP2THEHIVE:/opt/imap2thehive# python3 imap2thehive.py --config imap2thehive.conf
[WARNING]: Both case template and tasks are defined. Template (EMAIL2HIVE) will be used.
[INFO]: Processing testc@imap.gmail.com:993/inbox
[INFO]: Connected to IMAP server.
[INFO]: 1 unread messages to process
[INFO]: From: test email testc@gmail.com Subject: excel
None
multipart/mixed
None
multipart/alternative
ips.xlsx
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
[INFO]: Found attachment: ips.xlsx (application/vnd.openxmlformats-officedocument.spreadsheetml.sheet)
[INFO]: Removed duplicate observables: 0 -> 0
[DEBUG]: Searching for \S*(ALERT|VTMIS)\S* in 'excel'
[INFO]: Created case 139
[INFO]: Added observable /tmp/ips_crhgr07f.xlsx to case ID AWtdvWk1X3o-oXPiQ5QJ
[INFO]: Message 25 successfully processed and flagged as read
root@IMAP2THEHIVE:/opt/imap2thehive# nano imap2thehive.conf

imap2thehive.conf

files: application/pdf,messages/rfc822,application/octet-stream,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,application/vnd.openxmlformats-office$

anyone have any tips?
thanks

[viszsec]

i have same issue as yours. the mime perhaps working fine. it just that thehive is unable to parse it. May need to do some tweaking stuff.