I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“. Use promo-code SPRING16 for a 10% discount.
I received a maldoc sample (MD5 FAF75220C0423F94658618C9169B3568):
You can see it’s a MIME Type file, and that it is obfuscated. The second line is a very long line of seemingly random letters and digits. This throws of Python’s MIME parser used by my emldump tool:
emldump just detects this as a text file, and not as a multipart MIME Type file.
If we remove that second line, for example with findstr /v (or grep -v), emldump recognizes the different parts:
Since obfuscated MIME Type files are becoming more and more prevalent, I’m adding a filter option to emldump to filter out lines that obfuscate the MIME Type files. For the moment, option -f throws out lines longer than 100 characters and header lines that are not fields (just like option -H).
This new version of emldump.py detects some (simple) types of obfuscation:
And with option -f you can filter out these obfuscating lines:
Download:
emldump_V0_0_7.zip (https)
MD5: 819D4AF55F556B2AF08DCFB3F7A8C878
SHA256: D5C7C2A1DD3744CB0F50EEDFA727FF0487A32330FF5B7498349E4CB96E4AB284
Didier Stevens 
[…] just an error message. Version 0.0.8 now detects all lines without a colon in the first block. More Obfuscated MIME Type Files Even More Obfuscated MIME Type […]
Pingback by Week 9 – 2016 – Thisweekin4n6 — Sunday 6 March 2016 @ 11:22
[…] More Obfuscated MIME Type Files […]
Pingback by Overview of Content Published In February | Didier Stevens — Tuesday 29 March 2016 @ 0:01