Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Analyzing MSG Files With plugin_msg_summary SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Analyzing MSG Files With plugin_msg_summary

I've written a couple of diary entries about analyzing .MSG files (Outlook messages) with my tool oledump.py, that resulted in a dedicated plugin: plugin_msg.

Due to research I did recently, I added a new framework for plugins to oledump, and this allowed me to create a new plugin (plugin_msg_summary) that presents a summary of an email (.msg file).

I show this new plugin in this video:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

492 Posts
ISC Handler
Oct 11th 2020
Thank You Didier
Netmanzim

57 Posts
Qakbot has an interessting Zip-structur:
python3 zipdump.py 70e52964315c504c4d4af775f79e53e45d81b393aa9b8e9a3c5d56609586aaa7.xls -f l
p 0x00000000 data 0:27279l
0x00006a8f PK0304 fil b'[Content_Types].xml'
0x00006bbd PK0304 fil b'_rels/.rels'
0x00006cb8 PK0304 fil b'drs/shapexml.xml'
0x00007113 PK0304 fil b'drs/downrev.xml'
0x00007267 PK0102 dir b'[Content_Types].xml'
0x000072a8 PK0102 dir b'_rels/.rels'
0x000072e1 PK0102 dir b'drs/shapexml.xml'
0x0000731f PK0102 dir b'drs/downrev.xml'
1 0x0000735c PK0506 end
0x000074d9 PK0304 fil b'[Content_Types].xml'
0x00007607 PK0304 fil b'_rels/.rels'
0x00007702 PK0304 fil b'drs/shapexml.xml'
0x00007dae PK0304 fil b'drs/downrev.xml'
0x00007f09 PK0102 dir b'[Content_Types].xml'
0x00007f4a PK0102 dir b'_rels/.rels'
0x00007f83 PK0102 dir b'drs/shapexml.xml'
0x00007fc1 PK0102 dir b'drs/downrev.xml'
2 0x00007ffe PK0506 end
0x00008516 PK0304 fil b'[Content_Types].xml'
0x00008644 PK0304 fil b'_rels/.rels'
0x0000873f PK0304 fil b'drs/shapexml.xml'
0x000089b5 PK0304 fil b'drs/downrev.xml'
0x00008aff PK0102 dir b'[Content_Types].xml'
0x00008b40 PK0102 dir b'_rels/.rels'
0x00008b79 PK0102 dir b'drs/shapexml.xml'
0x00008bb7 PK0102 dir b'drs/downrev.xml'
3 0x00008bf4 PK0506 end
0x00008ccc PK0304 fil b'[Content_Types].xml'
0x00008dfa PK0304 fil b'_rels/.rels'
0x00008ef5 PK0304 fil b'drs/shapexml.xml'
0x00009172 PK0304 fil b'drs/downrev.xml'
0x000092be PK0102 dir b'[Content_Types].xml'
0x000092ff PK0102 dir b'_rels/.rels'
0x00009338 PK0102 dir b'drs/shapexml.xml'
0x00009376 PK0102 dir b'drs/downrev.xml'
4 0x000093b3 PK0506 end
s 0x000093c9 data 37833:13879l

"downrev.xml" is hard to 'google'
Anonymous

Sign Up for Free or Log In to start participating in the conversation!