Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: A Tip For The Analysis Of MIME Files SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Tip For The Analysis Of MIME Files

I've written a diary entry about malicious MS Office documents stored as MIME files.

A few days ago a reader contacted me for a problem he had analyzing such a maldoc MIME file. When he used emldump to analyze his sample (f67aa5a3ede3d31c5a68494c0678e2ee), it was not a multipart:

$ ./ f67aa5a3ede3d31c5a68494c0678e2ee.vir
1:     18649 text/plain

But when I looked at the content of the file, I saw that the first line was just gibberish:

$ head f67aa5a3ede3d31c5a68494c0678e2ee.vir
MIME-Version: 22
Content-Type: multipart/related; boundary="----=_NextPart_Jm9Ovypy.uUh6MCk"


Content-Location: file:///C:/sqHXAAMQIBQ/1.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"

You can make emldump skip this first line with option -H:

$ ./ -H f67aa5a3ede3d31c5a68494c0678e2ee.vir
1: M         multipart/related
2:      3547 text/html
3:     10480 application/x-mso
4:       155 text/xml

Now you see that the third part is an MSO file, and you can extract this and pipe it into oledump, like I explained in my diary entry.

Should you find MIME files starting with more than one line of gibberish, you can use the tail command to remove this, like this (example to skip 2 lines):

$ tail -n +3 sample.vir | ./

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
IT Security consultant at Contraste Europe.


597 Posts
ISC Handler
Jan 2nd 2016

Sign Up for Free or Log In to start participating in the conversation!