Threat Level: green Handler on Duty: Russ McRee

SANS ISC: A Tip For The Analysis Of MIME Files - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Tip For The Analysis Of MIME Files

I've written a diary entry about malicious MS Office documents stored as MIME files.

A few days ago a reader contacted me for a problem he had analyzing such a maldoc MIME file. When he used emldump to analyze his sample (f67aa5a3ede3d31c5a68494c0678e2ee), it was not a multipart:

$ ./emldump.py f67aa5a3ede3d31c5a68494c0678e2ee.vir
1:     18649 text/plain
$

But when I looked at the content of the file, I saw that the first line was just gibberish:

$ head f67aa5a3ede3d31c5a68494c0678e2ee.vir
dsfffffffffffffffffffds
MIME-Version: 22
Content-Type: multipart/related; boundary="----=_NextPart_Jm9Ovypy.uUh6MCk"

Error!

------=_NextPart_Jm9Ovypy.uUh6MCk
Content-Location: file:///C:/sqHXAAMQIBQ/1.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
$

You can make emldump skip this first line with option -H:

$ ./emldump.py -H f67aa5a3ede3d31c5a68494c0678e2ee.vir
1: M         multipart/related
2:      3547 text/html
3:     10480 application/x-mso
4:       155 text/xml
$

Now you see that the third part is an MSO file, and you can extract this and pipe it into oledump, like I explained in my diary entry.

Should you find MIME files starting with more than one line of gibberish, you can use the tail command to remove this, like this (example to skip 2 lines):

$ tail -n +3 sample.vir | ./emldump.py

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

DidierStevens

385 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!