IBM QRadar SOAR


 Calculate hashes of attachments that come inside .EML files

Johan Sebastian Lemus Pedraza posted Wed March 12, 2025 09:16 AM
Hello Team
I am checking how I can calculate the MD5 or SHA256 hash of attachments that come inside an .EML file.
A security control sends such files with suspicious mails to a SOAR mailbox, from there the incident is created and the .EML file remains in the “Attachments” section of the incident.
 
The idea is to be able to hash the attachments inside the .EML file (such as pdf, zip, docs and so on) and then validate them in X-Force or Virustotal.
 
I have been trying with the Email Parse function of Utility Functions for SOAR, but it only generates a very long base64 string of each attachment, and when calculating the hash of that string it is different from the actual attachment.
 
Do you know how I could achieve this? Thank you very much for your time and help
Johan Sebastian Lemus Pedraza
I found the solution.
You must use the Email Parse function of Utility Functions for SOAR with the following entries:
inputs.incident_id = incident.id
inputs.attachment_id = attachment.id
inputs.utilities_parse_email_attachments = True
And the post process code is as follows:
import base64
import hashlib

# "attachments" is a list of dicts, one per attachment found by Email Parse
results = playbook.functions.results.output_mail.get("content", {}).get("attachments", [])

for attachment in results:
    # Base64 string of the attachment extracted from the email
    base64_string = attachment.get("payload", "")
    # Decode the base64 string back to the original file bytes;
    # hashing the base64 text itself gives a different (wrong) hash
    binary_data = base64.b64decode(base64_string)

    # Calculate MD5 hash
    md5_hash = hashlib.md5(binary_data).hexdigest()

    # Calculate SHA256 hash
    sha256_hash = hashlib.sha256(binary_data).hexdigest()

    hashes = "Hashes of the attachment {}\nMD5 Hash: {}\nSHA256 Hash: {}".format(
        attachment.get("filename", ""), md5_hash, sha256_hash)
    incident.addNote(hashes)
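The same idea, as an added stand-alone example that is not part of the post above or of the SOAR Utility Functions code: it builds a small .EML file with two constructed attachments, parses it with Python's standard `email` library, hashes the decoded bytes of each attachment, and also shows why hashing the base64 text (the pitfall described in the question) produces a different digest. The message contents, file names and the `hashes_from_base64` helper are assumptions made for this example; the helper mirrors what the SOAR post-process script does with the `payload` field so the two can be compared outside SOAR.

```python
import base64
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample data for this example; the "PDF" is only a PDF-looking byte string.
SAMPLE_PDF_BYTES = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\nfake invoice body\n"
SAMPLE_TXT_BYTES = b"abc"


def hashes_from_bytes(data: bytes) -> dict:
    """MD5 and SHA256 of the raw file bytes, the values X-Force or VirusTotal expect."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_from_base64(payload: str) -> dict:
    """What the SOAR post-process script does: decode the base64 payload, then hash the bytes."""
    return hashes_from_bytes(base64.b64decode(payload))


def build_sample_eml() -> bytes:
    """Build a multipart .EML with two base64-encoded attachments (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "soar-mailbox@example.com"
    msg["Subject"] = "Suspicious invoice"
    msg.set_content("Please see the attached files.")
    # Passing bytes makes the email library base64-encode the part, as a real mail client would.
    msg.add_attachment(SAMPLE_PDF_BYTES, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(SAMPLE_TXT_BYTES, maintype="text", subtype="plain",
                       filename="hello.txt")
    return msg.as_bytes()


def hash_eml_attachments(eml_bytes: bytes) -> list:
    """Parse an .EML and return one record per attachment with its real hashes.

    'sha256_of_base64_text' is included only to show the wrong result you get when
    the base64 transfer encoding is hashed instead of the decoded file.
    """
    msg = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    records = []
    for part in msg.iter_attachments():
        raw = part.get_payload(decode=True)      # decoded bytes: the actual file
        b64_text = part.get_payload()            # base64 text as stored in the .EML
        record = {
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(raw),
            "sha256_of_base64_text": hashlib.sha256(b64_text.encode("ascii")).hexdigest(),
        }
        record.update(hashes_from_bytes(raw))
        records.append(record)
    return records


if __name__ == "__main__":
    for rec in hash_eml_attachments(build_sample_eml()):
        print("{filename} ({content_type}, {size} bytes)".format(**rec))
        print("  MD5    :", rec["md5"])
        print("  SHA256 :", rec["sha256"])
        print("  SHA256 of base64 text (wrong):", rec["sha256_of_base64_text"])
```

`part.get_payload(decode=True)` undoes the Content-Transfer-Encoding (base64 or quoted-printable) and returns the original bytes, which is the same thing `base64.b64decode(attachment["payload"])` achieves in the SOAR script. Hashing `part.get_payload()` without `decode=True` hashes the encoded text, including its line breaks, which is why the digest never matched the real file in the original attempt.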