detect executables embedded inside MS Office documents?

Julian Field MailScanner at
Mon Apr 7 16:41:21 IST 2008

Furnish, Trever G wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at 
>> [mailto:mailscanner-bounces at] On Behalf 
>> Of Julian Field
>> Sent: Sunday, April 06, 2008 11:09 AM
>> To: MailScanner discussion
>> Subject: Re: detect executables embedded inside MS Office documents?
>> Ignore all previous requests for information. I've got enough 
>> of it, pretty much.
>> The only thing I cannot handle is inserted OLE "Packages" 
>> that contain multiple files. If someone fancies creating one 
>> of those and sending it to me, I'll improve the Package 
>> parser to cope with it.
>> But it now works with files inserted into Microsoft Office 
>> documents just fine.
>> This will be in the next release.
>> I guess it's a fairly major new feature, the ability to 
>> extract embedded files from Microsoft Office documents.
>> :-)
>> I think I'm going to have a rest now...
>> Jules.
> Wow!  I didn't really expect much response on that request!  Thank you
> very much!  I look forward to testing, although I'll admit I'm also
> hoping the method itself never takes off in the malware world.
No problem, I thought it was a nice idea. Fortunately Microsoft have 
actually published the spec of the Office documents, so it's now 
possible for people to write parsers without having to reverse engineer 
everything. I still had to reverse engineer the "Microsoft Packager" 
format by hand, as files are embedded in a Microsoft Package before 
being put into the Office document.

I have already released a beta with the code in it, so you can test it now.

If you want to show your gratitude, please feel free to make a donation 
or buy me some stuff from my wishlist. Full directions are 
on the website.



Julian Field MEng CITP CEng

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
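As an illustration of the check discussed in this message, the sketch below parses a single-file Package stream and reports why a mail filter would treat the embedded object as executable. It is an added example, not MailScanner's code and not from the post. The field layout (the commonly described "Ole10Native" single-file layout), the function names and the sample bytes are assumptions, and multi-file Packages are not handled.

```python
import struct

EXEC_MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

def _cstr(buf, pos):
    """Read a NUL-terminated string at pos; return (text, next_pos)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string in Package header")
    return buf[pos:end].decode("latin-1"), end + 1

def _u32(buf, pos):
    """Read a little-endian 32-bit integer at pos; return (value, next_pos)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated Package stream")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_package(stream):
    """Parse one single-file Package stream (assumed layout, not from the post)."""
    _declared, pos = _u32(stream, 0)      # declared size of the data that follows
    pos += 2                              # 16-bit field, treated as opaque here
    label, pos = _cstr(stream, pos)       # name shown to the user in the document
    src_path, pos = _cstr(stream, pos)    # path the file was inserted from
    _, pos = _u32(stream, pos)            # two 32-bit fields, treated as opaque
    _, pos = _u32(stream, pos)
    temp_path, pos = _cstr(stream, pos)   # path used when the object is opened
    size, pos = _u32(stream, pos)
    if pos + size > len(stream):
        raise ValueError("declared payload size exceeds stream length")
    return {"label": label, "src_path": src_path,
            "temp_path": temp_path, "payload": stream[pos:pos + size]}

def executable_reasons(pkg):
    """List the reasons to treat the embedded file as executable (empty if none)."""
    reasons = [kind for magic, kind in EXEC_MAGIC.items()
               if pkg["payload"].startswith(magic)]
    for field in ("label", "src_path", "temp_path"):
        if pkg[field].lower().endswith(EXEC_EXT):
            reasons.append(f"{field} ends in an executable extension")
    return reasons

def build_sample(label, path, payload):
    """Build a constructed Package stream for testing (not a captured sample)."""
    body = struct.pack("<H", 2) + label.encode() + b"\0" + path.encode() + b"\0"
    body += struct.pack("<II", 0x00030000, len(path) + 1) + path.encode() + b"\0"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body

SAMPLE = build_sample("invoice.pdf", "C:\\Temp\\invoice.exe", b"MZ" + b"\0" * 62)
print(executable_reasons(parse_package(SAMPLE)))
```

The constructed sample carries a harmless-looking label, so the check relies on the payload's leading bytes and the stored paths instead.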
