Last time I opened a McAfee quarantine file (.bup) with a hex editor, I saw something I didn’t notice before: D0 CF 11 E0
The file format used for McAfee quarantine files is the Compound File Binary Format (also used for .doc, .xls, .msi, …).
With this new info and Google's help I found @herrcore's punbup Python program. This program uses a Python module to handle CFB files; it does not rely on 7-zip. This has a big advantage: one is no longer required to write the quarantined files to disk to analyze them.
For example, with option -c md5 you can get the md5 hashes of the quarantined files, without these files being written to disk.
I added a couple of extra features which @herrcore has kindly merged into his repository. These new options allow one to perform a hexdump (-x -X), ASCII dump (-a -A) or dump (-f) of the quarantined file(s). Here is a usage example:
punbup.py -f quarantine.bup | pdfid.py
This command performs an analysis with pdfid of the quarantined PDF file, without writing the malicious PDF file to disk.
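The in-memory triage the post describes (recognize the CFB container, read each stream, and hash or hexdump the quarantined content without writing it to disk) can be reproduced in a few lines of Python. The block below is an added example, not punbup's code or McAfee's; it assumes the olefile module is installed for the real-file path, and it states from knowledge of the format (not from the post) that McAfee stores each stream XOR-ed with the single byte 0x6A, which is the decoding punbup performs before hashing.

```python
import hashlib
import io

# Signature of the Compound File Binary Format: the D0 CF 11 E0 seen in the hex editor.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Assumption (from the format, not from the post): McAfee XORs quarantined content with 0x6A.
MCAFEE_XOR_KEY = 0x6A


def is_cfb(data):
    """Return True if the buffer starts with the CFB (OLE2) signature."""
    return bytes(data[:8]) == CFB_MAGIC


def xor_decode(data, key=MCAFEE_XOR_KEY):
    """Undo the single-byte XOR; applying it twice yields the original bytes."""
    return bytes(b ^ key for b in data)


def hash_stream(stream, algorithms=("md5", "sha256"), xor_key=None):
    """Hash a file-like object chunk by chunk, decoding on the fly, never touching disk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(65536), b""):
        if xor_key is not None:
            chunk = xor_decode(chunk, xor_key)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump, the equivalent of punbup's -x output."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{asciipart}|")
    return "\n".join(lines)


def hash_bup_streams(path):
    """Open a .bup (assumes olefile is installed) and hash every decoded stream in memory.

    Returns {stream_name: {"md5": ..., "sha256": ...}}; nothing is written to disk.
    """
    import olefile  # assumption: pip package 'olefile'

    with open(path, "rb") as f:
        data = f.read()
    if not is_cfb(data):
        raise ValueError(f"{path}: not a CFB container")
    results = {}
    ole = olefile.OleFileIO(data)  # olefile parses a bytes object as in-memory content
    try:
        for entry in ole.listdir(streams=True, storages=False):
            name = "/".join(entry)
            stream = ole.openstream(entry)
            results[name] = hash_stream(stream, xor_key=MCAFEE_XOR_KEY)
    finally:
        ole.close()
    return results


if __name__ == "__main__":
    import sys
    for bup in sys.argv[1:]:
        for name, digests in hash_bup_streams(bup).items():
            print(f"{bup} {name} md5={digests['md5']} sha256={digests['sha256']}")
```

Hashing the decoded stream rather than the raw one matters: the raw CFB stream is the XOR-encoded form, so its digest would never match the sample's published hash. The stream object returned by olefile is an in-memory buffer, so the hash and hexdump paths both work without a temporary file, which is the property the post highlights.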