Didier Stevens

Monday 29 February 2016

More Obfuscated MIME Type Files

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 20:57

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“. Use promo-code SPRING16 for a 10% discount.

I received a maldoc sample (MD5 FAF75220C0423F94658618C9169B3568):

20160229-213357

You can see it’s a MIME Type file, and that it is obfuscated. The second line is a very long line of seemingly random letters and digits. This throws of Python’s MIME parser used by my emldump tool:

20160229-214123

emldump just detects this as a text file, and not as a multipart MIME Type file.

If we remove that second line, for example with findstr /v (or grep -v), emldump recognizes the different parts:

20160229-214500

Since obfuscated MIME Type files are becoming more and more prevalent, I’m adding a filter option to emldump to filter out lines that obfuscate the MIME Type files. For the moment, option -f throws out lines longer than 100 characters and header lines that are not fields (just like option -H).

This new version of emldump.py detects some (simple) types of obfuscation:

20160229-215458

And with option -f you can filter out these obfuscating lines:

20160229-215704

Download:

emldump_V0_0_7.zip (https)
MD5: 819D4AF55F556B2AF08DCFB3F7A8C878
SHA256: D5C7C2A1DD3744CB0F50EEDFA727FF0487A32330FF5B7498349E4CB96E4AB284

2 Comments »

  1. […] just an error message.  Version 0.0.8 now detects all lines without a colon in the first block. More Obfuscated MIME Type Files Even More Obfuscated MIME Type […]

    Pingback by Week 9 – 2016 – Thisweekin4n6 — Sunday 6 March 2016 @ 11:22

  2. […] More Obfuscated MIME Type Files […]

    Pingback by Overview of Content Published In February | Didier Stevens — Tuesday 29 March 2016 @ 0:01


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: