I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“. Use promo-code SPRING16 for a 10% discount.
I received a maldoc sample (MD5 FAF75220C0423F94658618C9169B3568):
You can see it’s a MIME Type file, and that it is obfuscated. The second line is a very long line of seemingly random letters and digits. This throws off Python’s MIME parser used by my emldump tool:
emldump just detects this as a text file, and not as a multipart MIME Type file.
If we remove that second line, for example with findstr /v (or grep -v), emldump recognizes the different parts:
Since obfuscated MIME Type files are becoming more and more prevalent, I’m adding a filter option to emldump to filter out lines that obfuscate the MIME Type files. For the moment, option -f throws out lines longer than 100 characters and header lines that are not fields (just like option -H).
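To show why the junk line breaks the parser and what the -f style filter does, here is an added example (my own code, not emldump’s implementation): it builds a constructed MIME message with an over-long junk line and a non-field line in the header block, runs it through Python’s email parser before and after filtering, and lists the parts found. The 100-character limit and the “header line that is not a field” rule follow the description above; the field-name regex and the decision to filter only the top-level header block are my assumptions.

```python
import base64
import email
import re
from email import policy

# RFC 5322 field name: printable US-ASCII except ':' and SP, followed by ':'
# (assumption: this is how a "header line that is a field" is recognised).
FIELD_RE = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")


def filter_obfuscation(data: bytes, maxlen: int = 100) -> bytes:
    """Drop lines that obfuscate a MIME file: any line longer than maxlen,
    and, inside the top-level header block, lines that are neither a header
    field nor a folded continuation of a kept field."""
    out = []
    in_header = True
    prev_kept = False
    for line in data.splitlines(keepends=True):
        body = line.rstrip(b"\r\n")
        if in_header and body == b"":
            in_header = False          # blank line ends the header block
            out.append(line)
            continue
        if len(body) > maxlen:         # over-long junk line anywhere
            prev_kept = False
            continue
        if in_header:
            is_field = FIELD_RE.match(body) is not None
            is_continuation = body[:1] in (b" ", b"\t") and prev_kept
            if not (is_field or is_continuation):
                prev_kept = False      # not a field: drop it
                continue
            prev_kept = True
        out.append(line)
    return b"".join(out)


def describe(data: bytes) -> list:
    """Return the content types of all parts the email parser finds."""
    msg = email.message_from_bytes(data, policy=policy.default)
    return [part.get_content_type() for part in msg.walk()]


# Constructed sample: a multipart message with two obfuscating lines inserted
# into the header block (a 300-character junk line and a non-field line).
ATTACHMENT = base64.b64encode(b"constructed placeholder attachment body")
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    + b"A" * 300 + b"\r\n"
    + b"From: sender@example.invalid\r\n"
    + b"Subject: invoice\r\n"
    + b"this line is not a header field\r\n"
    + b'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n'
    + b"\r\n"
    + b"--BOUNDARY\r\n"
    + b"Content-Type: text/plain\r\n\r\nPlease see attachment.\r\n"
    + b"--BOUNDARY\r\n"
    + b'Content-Type: application/octet-stream; name="invoice.doc"\r\n'
    + b"Content-Transfer-Encoding: base64\r\n\r\n"
    + ATTACHMENT + b"\r\n"
    + b"--BOUNDARY--\r\n"
)

if __name__ == "__main__":
    print("unfiltered:", describe(SAMPLE))
    print("filtered:  ", describe(filter_obfuscation(SAMPLE)))
```

Unfiltered, the parser stops reading headers at the junk line, so the whole remainder becomes the body and only a single text/plain part is reported; after filtering, the multipart container and both of its parts (including the base64 attachment) are visible.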
This new version of emldump.py detects some (simple) types of obfuscation:
And with option -f you can filter out these obfuscating lines: