Last time I opened a McAfee quarantine file (.bup) with a hex editor, I noticed something I hadn't seen before: the file starts with D0 CF 11 E0.
The file format used for McAfee quarantine files is the Compound File Binary Format (also used for .doc, .xls, .msi, …).
With this new info and Google's help I found @herrcore's punbup Python program. This program uses a Python module to handle CFB files; it does not rely on 7-zip. This has a big advantage: one is no longer required to write the quarantined files to disk to analyze them.
For example, with option -c md5 you get the MD5 hashes of the quarantined files without those files ever being written to disk.
I added a couple of extra features which @herrcore has kindly merged into his repository. These new options allow one to perform a hexdump (-x -X), an ASCII dump (-a -A) or a raw dump (-f) of the quarantined file(s). Here is a usage example:
punbup.py -f quarantine.bup | pdfid.py
This command performs an analysis with pdfid.py of the quarantined PDF file, without writing the malicious PDF file to disk.
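To show what "handling the .bup in memory" looks like, here is an added example (my own illustration, not punbup.py or any McAfee code). It assumes, as punbup does, that the CFB container holds a "Details" stream with INI-style metadata and one "File_N" stream per quarantined file, each stored XOR-encoded with the single byte 0x6A; the stream and key names are assumptions from that tool, not facts stated in this post. It checks the D0 CF 11 E0 signature, decodes and hashes each stream without writing anything to disk, and can stream one decoded file to stdout for piping into pdfid.py. The olefile module (pip install olefile) is imported lazily, so the pure helpers run without it.

```python
"""Inspect a McAfee .bup quarantine file in memory (added example, not punbup itself).

Assumptions (not stated on the page): the CFB container holds a "Details"
stream (INI-style metadata) and one "File_N" stream per quarantined file, and
both are stored XOR-encoded with the single byte 0x6A, the transformation
punbup reverses. olefile is only needed for the on-disk path and is imported
lazily so the pure helpers work without it.
"""
import hashlib
import sys

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # D0 CF 11 E0 A1 B1 1A E1
BUP_XOR_KEY = 0x6A  # assumed single-byte key used for .bup streams


def is_cfb(data: bytes) -> bool:
    """True if the buffer starts with the Compound File Binary signature."""
    return data[:len(CFB_MAGIC)] == CFB_MAGIC


def decode_stream(raw: bytes, key: int = BUP_XOR_KEY) -> bytes:
    """Undo the single-byte XOR applied to .bup streams (XOR is its own inverse)."""
    return bytes(b ^ key for b in raw)


def stream_digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of decoded stream content; mirrors punbup's -c option."""
    return hashlib.new(algo, data).hexdigest()


def parse_details(text: str) -> dict:
    """Parse the INI-style Details stream into {section: {key: value}}."""
    result, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            result.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            result[section][key.strip()] = value.strip()
    return result


def inspect_bup(path: str, algo: str = "md5") -> dict:
    """Read every stream of the .bup without writing decoded content to disk.

    Returns {stream_name: {"size": int, algo: hexdigest}}, with the parsed
    Details metadata under the key "Details".
    """
    import olefile  # third-party: pip install olefile

    with open(path, "rb") as fh:
        head = fh.read(len(CFB_MAGIC))
    if not is_cfb(head):
        raise ValueError(f"{path}: not a CFB container (magic {head.hex()})")

    report = {}
    ole = olefile.OleFileIO(path)
    try:
        for entry in ole.listdir(streams=True, storages=False):
            name = "/".join(entry)
            decoded = decode_stream(ole.openstream(entry).read())
            if name == "Details":
                report[name] = parse_details(decoded.decode("utf-8", "replace"))
            else:
                report[name] = {"size": len(decoded), algo: stream_digest(decoded, algo)}
    finally:
        ole.close()
    return report


def dump_stream(path: str, name: str = "File_0", out=None) -> int:
    """Write one decoded stream to stdout (binary) so it can be piped, e.g. into pdfid.py."""
    import olefile  # third-party: pip install olefile

    out = out or sys.stdout.buffer
    ole = olefile.OleFileIO(path)
    try:
        data = decode_stream(ole.openstream(name).read())
    finally:
        ole.close()
    out.write(data)
    return len(data)


if __name__ == "__main__":
    # usage: python bup_inspect.py quarantine.bup          -> per-stream hashes and metadata
    #        python bup_inspect.py quarantine.bup --dump | pdfid.py
    if len(sys.argv) >= 3 and sys.argv[2] == "--dump":
        dump_stream(sys.argv[1])
    else:
        for stream_name, info in inspect_bup(sys.argv[1]).items():
            print(stream_name, info)
```

The decoded bytes only ever live in a Python object and in the pipe, so the quarantined sample is never materialised as a file that an on-access scanner could re-quarantine; hashing the decoded stream rather than the raw one is what makes the digest comparable to the original file's hash.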
[…] Handling McAfee Quarantine Files […]
Pingback by punbup.py: Analyzing McAfee Quarantine Files | Didier Stevens Videos — Tuesday 29 July 2014 @ 18:19
[…] good friend asked me how to decompress a gzip compressed file, stored inside a McAfee quarantine file. On Linux, it’s simple, using the punbup.py tool. Like […]
Pingback by Gzip Decompression Via Pipes | Didier Stevens — Thursday 4 May 2017 @ 0:00