This new version outputs the filename for attachments:
emldump_V0_0_10.zip (https)
MD5: 34DBB3BCB1A2B04C45286C0583F11C07
SHA256: C5877E252DDB61B40BFFCC5403DB500E672DACFE96FAA7D1E0668246C5202DE5
Friday 21 July 2017
Update: emldump.py Version 0.0.10
5 Comments »
RSS feed for comments on this post. TrackBack URI
Didier Stevens 
How did you create the .VIR.ZIP file in the first place? My e-mail client gives access to attachments, but not to a “raw” EML format, zipped or not. My server (run my own) gets SMTP sessions and saves them in a file, but they’re not zipped. And they have headers specific to the recipient, which surely aren’t uploaded to virustotal. Going to virustotal (which of course required that I let Google through my firewall), I can see that the name of your .VIR.ZIP file is taken from the MD5 of the file on virustotal. But I don’t see a way to download the file to see what, if any, portions of the SMTP lines are used to form the upload to virustotal. As sort of an aside, if I wanted to upload a file to virustotal, or see if an e-mail I receive matches something there, what would I use? The SMTP file? .ZIP it first? Shoudn’t I strip out my headers first? I am left wondering what input you used to create the .VIR.ZIP file (not the tool you used to create the .ZIP file, just how you got access to the raw parts). If I don’t know how to do this, I would like to think others don’t know. Please pardon my ignorance, and thank you for your time and your oftentimes very useful tool collection.
Comment by robv — Saturday 22 July 2017 @ 15:17
I downloaded it from VirusTotal Intelligence. Someone shared the iso with use, and from that I found emails on VitursTotal. If you can view the source of your email, you can save it as MIME file (eml). More info here: https://isc.sans.edu/forums/diary/Malicious+iso+Attachments/22636/
Comment by Didier Stevens — Saturday 22 July 2017 @ 15:54
(I started with the ISC diary, which got me to virustotal. Then I took the emldump link to see if it would explain where the .VIR.ZIP files come from originally.) I used my browser to search for virustotal intellgence, and got to a page that explained how to do regular searches on virustotal and that also referred to a premium service called VirusTotal Intelligence. I did not see a link to access VirusTotal Intelligence. The regular virustotal “analysis” page for this file does not give a way to download the .VIR.ZIP file, which I was hoping would show me the parts of the SMTP lines that are used to produce the file in the first place (which are zipped at some point). I realize this is not a virustotal web page, so I won’t pursue this here any further. Thanks for your efforts, sir.
Comment by robv — Saturday 22 July 2017 @ 16:25
[…] emldump to version 0.0.10, adding the ability to output “the filename for attachments”. https://blog.didierstevens.com/2017/07/21/update-emldump-py-version-0-0-10/ Update: emldump.py Version […]
Pingback by Week 29 – 2017 – This Week In 4n6 — Sunday 23 July 2017 @ 11:09
[…] Update: emldump.py Version 0.0.10 […]
Pingback by Overview of Content Published In July | Didier Stevens — Tuesday 1 August 2017 @ 21:52