Didier Stevens

Tuesday 22 December 2015

MIME File With “Header”

Filed under: maldoc,My Software — Didier Stevens @ 0:00

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

Malicious MS Office documents are also distributed as MIME files. A blog reader asked for help with a MIME file that gave him problems: f67aa5a3ede3d31c5a68494c0678e2ee.

Accoring to emldump.py, the file is just text (not a multipart file):

20151221-175808

But if you look at the file, you’ll notice a line preceding the MIME-Version line:

20151221-180149

You can instruct emldump to skip this line with option -H:

20151221-180326

Now emldump is able to analyze the multipart MIME file, and detect the MSO file (part 3). oledump can analyze MSO files:

20151221-180513

1 Comment »

  1. […] MIME File With “Header” […]

    Pingback by Overview of Content Published In December | Didier Stevens — Wednesday 20 January 2016 @ 17:58


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: