From 5b460310b2f4c0de0da765948a51ac25a963f354 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Sun, 2 Feb 2025 14:54:18 +0000
Subject: [PATCH] style: Automatic code formatting
---
 modules/signatures/all/network_cnc_generic.py | 18 ++++++++-------
 modules/signatures/all/pdf_annot_urls.py | 23 +++++++++++--------
 2 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/modules/signatures/all/network_cnc_generic.py b/modules/signatures/all/network_cnc_generic.py
index 841dacca..7c570d11 100644
--- a/modules/signatures/all/network_cnc_generic.py
+++ b/modules/signatures/all/network_cnc_generic.py
@@ -14,13 +14,13 @@
 # along with this program. If not, see .
-import os
-import logging
-import ipaddress
 import csv
+import ipaddress
+import logging
+import os
-from lib.cuckoo.common.constants import CUCKOO_ROOT
 from lib.cuckoo.common.abstracts import Signature
+from lib.cuckoo.common.constants import CUCKOO_ROOT
 log = logging.getLogger()
@@ -28,13 +28,15 @@ HAVE_MSFT_PUB_IPS = False
 msf_public_ips_list = os.path.join(CUCKOO_ROOT, "extra", "msft-public-ips.csv")
 if os.path.exists(msf_public_ips_list):
- with open(msf_public_ips_list, 'r') as file:
+ with open(msf_public_ips_list, "r") as file:
 reader = csv.DictReader(file)
 for row in reader:
- ip_ranges.append(row['Prefix'])
+ ip_ranges.append(row["Prefix"])
 HAVE_MSFT_PUB_IPS = True
 else:
- log.debug("Missed file extra/msft-public-ips.csv. Get a fresh copy from https://www.microsoft.com/en-us/download/details.aspx?id=53602")
+ log.debug(
+ "Missed file extra/msft-public-ips.csv. Get a fresh copy from https://www.microsoft.com/en-us/download/details.aspx?id=53602"
+ )
 def check_ip_in_ranges(ip_address):
@@ -81,7 +83,7 @@ class NetworkMultipleDirectIPConnections(Signature):
 severity = 2
 confidence = 30
 categories = ["network", "c2"]
- authors = ["Kevin Ross","Wassime BATTA"]
+ authors = ["Kevin Ross", "Wassime BATTA"]
 minimum = "1.3"
 enabled = False
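Review bot: `ip_ranges.append(row["Prefix"])` in the @@ -28 hunk still raises KeyError when the CSV has no `Prefix` column, and because this block runs at module import time that would stop the whole signature module from loading instead of just skipping the optional file; `prefix = row.get("Prefix")` followed by `if prefix: ip_ranges.append(prefix)` keeps the existing best-effort behaviour. The `open()` call also passes the default `"r"` mode but no `encoding=`, so parsing depends on the host locale; `with open(msf_public_ips_list, encoding="utf-8") as file:` fixes both. `ip_ranges` is defined outside the hunk.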
diff --git a/modules/signatures/all/pdf_annot_urls.py b/modules/signatures/all/pdf_annot_urls.py
index 200862dc..a939d2ec 100644
--- a/modules/signatures/all/pdf_annot_urls.py
+++ b/modules/signatures/all/pdf_annot_urls.py
@@ -14,7 +14,7 @@
 # along with this program. If not, see .
 import os
-from urllib.parse import urlparse, parse_qs
+from urllib.parse import parse_qs, urlparse
 from lib.cuckoo.common.abstracts import Signature
 from lib.cuckoo.common.constants import CUCKOO_ROOT
@@ -46,7 +46,7 @@ class PDF_Annot_URLs_Checker(Signature):
 minimum = "0.5"
 enaled = False
- filter_analysistypes = set(["file","static"])
+ filter_analysistypes = set(["file", "static"])
 malicious_tlds_files = (
 "custom/data/malicioustlds.txt",
@@ -87,8 +87,9 @@ def run(self):
 for entry in self.results.get("target").get("file", {}).get("pdf", {}).get("Annot_URLs", []):
 entry_lower = entry.lower()
 self.data.append({"url": entry})
- if entry_lower.endswith((".exe", ".zip", ".rar", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".psm1", ".sh")) \
- and not entry_lower.startswith("mailto:"):
+ if entry_lower.endswith(
+ (".exe", ".zip", ".rar", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".psm1", ".sh")
+ ) and not entry_lower.startswith("mailto:"):
 found_malicious_extension = True
 if entry_lower.startswith(("http://", "https://")):
 domain_start = entry_lower.find("//") + 2
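Review bot: `enaled = False` on the context line just above the reformatted `filter_analysistypes` in the @@ -46 hunk looks like a typo for `enabled` — the sibling signature in this same patch sets `enabled = False`, and with the misspelt name the real attribute presumably keeps whatever default the `Signature` base class provides, so the signature may run when the author meant to disable it; the fix is `enabled = False`. In the same hunk, `set(["file", "static"])` reads better as the set literal `{"file", "static"}`. The class header is outside the hunk.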
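Review bot: `domain_start = entry_lower.find("//") + 2` at the end of the @@ -87 hunk starts a hand-rolled host extraction even though the file imports `urlparse` (first hunk of this file); a slice from that offset yields the whole authority component, so an annotation URL carrying a port or userinfo would not compare equal to a bare domain in the malicious-TLD/domain lists. `urlparse(entry_lower).hostname` returns the normalised host directly and handles those cases. The `run` body, including the code that consumes `domain_start`, continues outside the hunk, so confirm how the slice is used before changing it.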
@@ -108,12 +109,16 @@ def run(self):
 blacklisted_server, server = self.check_dnsbbl(target)
 if blacklisted_server:
 found_blacklist_ip = True
- self.data.append({"blacklisted": f"The domain or IP address {target} is blacklisted on the following server: {server} "})
- #break # Stop checking once blacklisted IP is found
- #print ( blacklisted_server)
- #else:
+ self.data.append(
+ {
+ "blacklisted": f"The domain or IP address {target} is blacklisted on the following server: {server} "
+ }
+ )
+ # break # Stop checking once blacklisted IP is found
+ # print ( blacklisted_server)
+ # else:
 # print(f"The domain or IP address {target} is not blacklisted.")
- if found_malicious_domain or found_malicious_extension or found_blacklist_ip :
+ if found_malicious_domain or found_malicious_extension or found_blacklist_ip:
 self.severity = 6
 self.description = "The PDF contains a Malicious Link Annotation"
 suspect = True
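Review bot: The commented-out statements in this hunk (`# break …`, `# print ( blacklisted_server)`, `# else:` and the indented `# print(f…)`) are dead code that the formatter only re-spaced; delete them, or if checking every target instead of stopping at the first hit is deliberate, replace them with a single comment stating that intent, e.g. `# NOTE: keep scanning all targets so the report lists every blacklisted server`. The `"blacklisted"` message also ends with a trailing space before the closing quote, which is presumably unintended and will appear in the report; drop it. The `run` body starts and ends outside the hunk.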