Ive written a diary entry about malicious MS Office documents stored as MIME files.

A few days ago a reader contacted me for a problem he had analyzing such a maldoc MIME file. When he used emldump to analyze his sample (f67aa5a3ede3d31c5a68494c0678e2ee), it was not a multipart:

$ ./emldump.py f67aa5a3ede3d31c5a68494c0678e2ee.vir
1: boundary=----=_NextPart_Jm9Ovypy.uUh6MCk charset=us-ascii

You can make emldump skip this first line with option -H:

$ ./emldump.py -H f67aa5a3ede3d31c5a68494c0678e2ee.vir
1: M multipart/related
2: 3547 text/html
3: 10480 application/x-mso
4: 155 text/xml

Now you see that the third part is an MSO file, and you can extract this and pipe it into oledump, like I explained in my diary entry.

Should you find MIME files starting with more than one line of gibberish, you can use the tail command to remove this, like this (example to skip 2 lines):

$ tail -n +3 sample.vir | ./emldump.py

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status