I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents”.
According to emldump.py, the file is just text (not a multipart file):
But if you look at the file, you’ll notice a line preceding the MIME-Version line:
You can instruct emldump to skip this line with option -H:
Now emldump is able to analyze the multipart MIME file, and detect the MSO file (part 3). oledump can analyze MSO files:
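The effect described above, reproduced with Python's standard email parser as an added example (not code from emldump.py or from the original post): a non-header first line makes the whole file parse as one text part, and dropping it exposes the multipart structure. The sample message, the helpers `strip_leading_junk` and `list_parts`, and the check for the `ActiveMime` magic at the start of an MSO part are assumptions of this example; the helper goes beyond -H by skipping every leading non-header line.

```python
import base64
import re
from email import message_from_bytes

# A header field line: printable field name without space or colon, then ':'.
HEADER_LINE = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")

def strip_leading_junk(raw):
    """Drop lines before the first header-looking line; return (cleaned, skipped)."""
    lines = raw.splitlines(keepends=True)
    skipped = 0
    while skipped < len(lines) and not HEADER_LINE.match(lines[skipped]):
        skipped += 1
    if skipped == len(lines):  # no header line at all: leave the input untouched
        return raw, 0
    return b"".join(lines[skipped:]), skipped

def list_parts(raw):
    """Return (index, content type, starts_with_ActiveMime) per part, root first."""
    rows = []
    for index, part in enumerate(message_from_bytes(raw).walk(), start=1):
        payload = part.get_payload(decode=True) or b""  # None for multipart containers
        rows.append((index, part.get_content_type(), payload.startswith(b"ActiveMime")))
    return rows

# Constructed sample: harmless stand-in bytes, not a real MSO file.
MSO_B64 = base64.b64encode(b"ActiveMime" + b"\x00" * 8)
SAMPLE = b"\n".join([
    b"junk line placed before the headers (constructed)",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/related; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/html",
    b"",
    b"<html><body>constructed</body></html>",
    b"--b1",
    b"Content-Type: application/x-mso",
    b"Content-Transfer-Encoding: base64",
    b"",
    MSO_B64,
    b"--b1--",
    b"",
])

if __name__ == "__main__":
    print(list_parts(SAMPLE))                 # parsed as-is: one text part
    cleaned, skipped = strip_leading_junk(SAMPLE)
    print(skipped, list_parts(cleaned))       # after skipping: multipart with MSO part
```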