detect executables embedded inside MS Office documents?
MailScanner at ecs.soton.ac.uk
Mon Apr 7 16:41:21 IST 2008
Furnish, Trever G wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
>> Of Julian Field
>> Sent: Sunday, April 06, 2008 11:09 AM
>> To: MailScanner discussion
>> Subject: Re: detect executables embedded inside MS Office documents?
>>
>> Ignore all previous requests for information. I've got enough
>> of it, pretty much.
>>
>> The only thing I cannot handle is inserted OLE "Packages"
>> that contain multiple files. If someone fancies creating one
>> of those and sending it to me, I'll improve the Package
>> parser to cope with it.
>>
>> But it now works with files inserted into Microsoft Office
>> documents just fine.
>>
>> This will be in the next release.
>>
>> I guess it's a fairly major new feature, the ability to
>> extract embedded files from Microsoft Office documents.
>>
>> I think I'm going to have a rest now...
> Wow! I didn't really expect much response on that request! Thank you
> very much! I look forward to testing, although I'll admit I'm also
> hoping the method itself never takes off in the malware world.
No problem, I thought it was a nice idea. Fortunately Microsoft have
actually published the spec of the Office documents, so it's now
possible for people to write parsers without having to reverse engineer
everything. I still had to reverse engineer the "Microsoft Packager"
format by hand, as files are embedded in a Microsoft Package before
being put into the Office document.

I have already released a beta with the code in it, so you can test it now.

If you want to show your gratitude, please feel free to make a donation
or buy me some stuff from my amazon.co.uk wishlist. Full directions are
on the website.

Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Need help fixing or optimising your systems?
Need help getting you started solving new requirements from your boss?
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654