Malspam Analysis csv to Timesketch
The great cocaman has released a useful new script that checks the attachments in an IMAP account against MalwareBazaar. He wrote about the script on his blog. The script generates a csv with timestamps, so of course I wanted to see how easy it would be to get that data into Timesketch.
You can find his script on github: https://github.com/cocaman/analysis_scripts
If you edit it with your credentials and run it, you will end up with a csv with the following headers:
"Date","Subject","Attachment","MD5 Hash","Malware"
The date values however are really messy: the sample file I got from cocaman had various formats, time zones and other oddities in that column, so parsing them is where the fun is.
First step: open the csv in Google Sheets (my fav. csv parser) and do not let it auto-parse any dates etc.
I removed one line where the date was "None"; spending a little more time would of course let you handle that in code as well.
Then download the sheet again as csv.
Now let's move to Colab for the rest.
The process is pretty straightforward: install google-colab and import the csv.
After reformatting the dates so they parse and are in a Timesketch-friendly format, we can upload the pandas dataframe. The dataframe looks like the following:
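To make the date normalisation concrete, here is an added example (my own code, not cocaman's script and not the Colab notebook) that reads a csv with the script's five headers, parses the mixed Date values into UTC ISO 8601, drops rows that cannot be parsed (such as the "None" row) instead of editing them out in Sheets, and builds a dataframe with the `datetime`, `timestamp_desc` and `message` columns Timesketch requires for an import. The sample csv is constructed; the `timestamp_desc` label and the `upload_to_timesketch` function (which assumes the timesketch-api-client and timesketch-import-client packages and a reachable server) are my assumptions, not something shown in the original notebook.

```python
import io
from datetime import timezone
from email.utils import parsedate_to_datetime

import pandas as pd

# Constructed sample input (not data from the post): the script's five headers,
# with the kind of mixed Date values described above, including a "None" row.
# Hashes and family names are placeholders.
SAMPLE_CSV = """Date,Subject,Attachment,MD5 Hash,Malware
"Mon, 12 Oct 2020 10:11:12 +0200",Invoice 4711,invoice.doc,d41d8cd98f00b204e9800998ecf8427e,Family-A
"12 Oct 2020 09:30:00 -0500 (CDT)",Payment reminder,payment.xls,098f6bcd4621d373cade4e832627b4f6,Family-B
2020-10-13 07:00:00,Re: Order,order.zip,5d41402abc4b2a76b9719d911017c592,Family-C
None,Broken date,sample.exe,e10adc3949ba59abbe56e057f20f883e,Family-D
"""


def parse_date(value):
    """Normalise one Date cell to an aware UTC datetime; None if unparseable.

    Mail Date headers are RFC 2822, so email.utils is tried first; anything
    else (e.g. an ISO-like string) falls back to pandas. "None" and empty
    cells yield None so the caller can drop the row rather than upload a
    bogus timestamp into the timeline.
    """
    text = "" if value is None else str(value).strip()
    if text.lower() in ("", "none", "nan", "nat"):
        return None
    try:
        dt = parsedate_to_datetime(text)
    except (TypeError, ValueError, IndexError):  # TypeError on Python < 3.10
        ts = pd.to_datetime(text, errors="coerce", utc=True)
        if pd.isna(ts):
            return None
        dt = ts.to_pydatetime()
    if dt.tzinfo is None:  # no offset given: assume UTC rather than local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def to_timesketch_frame(csv_text):
    """Build a dataframe with the columns Timesketch requires.

    Timesketch needs at least `datetime` (ISO 8601), `timestamp_desc` and
    `message`; every other column becomes a searchable attribute. Returns
    the frame plus the number of rows dropped for unparseable dates.
    """
    raw = pd.read_csv(io.StringIO(csv_text), dtype=str, keep_default_na=False)
    parsed = raw["Date"].map(parse_date)
    keep = parsed.notna()
    rows = raw[keep].reset_index(drop=True)
    stamps = parsed[keep].reset_index(drop=True)
    frame = pd.DataFrame({
        "datetime": stamps.map(lambda d: d.strftime("%Y-%m-%dT%H:%M:%S+00:00")),
        "timestamp_desc": "Mail Date header",  # assumed meaning of the script's Date column
        "message": rows["Subject"] + " | " + rows["Attachment"] + " | " + rows["Malware"],
        "subject": rows["Subject"],
        "attachment": rows["Attachment"],
        "md5_hash": rows["MD5 Hash"],
        "malware": rows["Malware"],
    })
    return frame, int((~keep).sum())


def upload_to_timesketch(frame, host, user, password, sketch_id, timeline_name):
    """Push the frame with the Timesketch import client (needs a server; not run here).

    Assumption: the timesketch-api-client and timesketch-import-client
    packages are installed in Colab. The post does not show its upload call.
    """
    from timesketch_api_client import client
    from timesketch_import_client import importer

    api = client.TimesketchApi(host, username=user, password=password)
    sketch = api.get_sketch(sketch_id)
    with importer.ImportStreamer() as streamer:
        streamer.set_sketch(sketch)
        streamer.set_timeline_name(timeline_name)
        streamer.add_data_frame(frame)


if __name__ == "__main__":
    df, dropped = to_timesketch_frame(SAMPLE_CSV)
    print(df[["datetime", "message"]].to_string(index=False))
    print(f"dropped {dropped} row(s) with unparseable dates")
```

Keeping every timestamp in UTC with an explicit offset matters more than it looks: Timesketch sorts on `datetime`, so a mix of naive local times and offset-bearing mail headers would silently shuffle the order of events by several hours.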
The resulting notebook is available on github.
Finally, our result in Timesketch looks like the following: