Last Updated: 2017-10-15 11:18:46 UTC
by Didier Stevens (Version: 1)
Readers often submit malware samples, and sometimes the complete email with attachment, for example exported from Outlook as a .msg file.
Reader Carlos Almeida submitted a .msg file with malicious .rar attachment.
I'm not that familiar with .msg file intricacies, but by looking at the stream names and sizes, I can often find what I'm looking for:
Stream 53 seems to contain the message:
From this hex-ascii dump, you can probably guess that the message is stored in UNICODE format. We can use option -t (translate) of oledump to decode it as UTF-16:
Stream 43 contains the headers. I don't want to disclose private information like our reader's email address, so I grepped for some headers that I can disclose:
The Subject header is encoded according to RFC1342 because the subject contains non-ASCII characters. It decodes to this:
These are Chinese characters that seem to mean the same as FW: (forwarding).
Stream 3 contains the attachment:
You can see it's a RAR file.
I use 7zip to look into it. It should be possible to do this without writing the file to disk, by just piping the data into 7zip (options -si and -so can help with piping), but unfortunately I got errors trying this and resigned myself to saving it to disk:
It contains an unusually large .bat file:
It's actually a PE file:
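The four checks walked through above (spotting the UTF-16 body from the hex dump, decoding the RFC 1342 / RFC 2047 encoded-word subject, recognising the RAR attachment, and recognising that the ".bat" is really a PE file) are the kind of thing worth scripting once. The following is an added example, not code from the diary or from oledump; the subject, body and file headers are constructed samples rather than the reader's actual mail, and the byte patterns are the standard magic values (`Rar!\x1a\x07\x00` for RAR4, `Rar!\x1a\x07\x01\x00` for RAR5, `MZ` plus `PE\0\0` at the `e_lfanew` offset for PE).

```python
import email.header
import struct

# Constructed sample inputs (not the reader's actual mail):
# an RFC 2047 encoded-word subject, a UTF-16LE body as stored in a .msg
# string property stream, and synthetic headers standing in for attachments.
SAMPLE_SUBJECT = "=?utf-8?B?6L2s5Y+ROiBJbnZvaWNl?="
SAMPLE_BODY_STREAM = "Please see the attached invoice.\r\n".encode("utf-16-le")
SAMPLE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 16
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58            # DOS header up to offset 0x3C
    + struct.pack("<I", 0x80)       # e_lfanew: offset of the PE signature
    + b"\x00" * (0x80 - 64)         # padding up to that offset
    + b"PE\x00\x00" + b"\x00" * 20  # PE signature plus a stub of COFF header
)


def looks_like_utf16le(data, threshold=0.9):
    """Heuristic behind the 'every other byte is zero' hex-dump pattern:
    for mostly-Latin text encoded as UTF-16LE, the high byte of nearly
    every code unit is 0x00."""
    if len(data) < 4:
        return False
    high_bytes = data[1::2]
    return high_bytes.count(0) / len(high_bytes) >= threshold


def decode_msg_string_stream(data):
    """Decode a .msg string property stream (stored as UTF-16LE) to str,
    dropping any trailing NUL terminator."""
    return data.decode("utf-16-le").rstrip("\x00")


def decode_subject(raw):
    """Decode an RFC 2047 (originally RFC 1342) encoded-word header.
    email.header.decode_header returns (bytes, charset) pairs for encoded
    words and (str, None) for plain text, so both cases are handled."""
    out = []
    for text, charset in email.header.decode_header(raw):
        if isinstance(text, bytes):
            out.append(text.decode(charset or "ascii", errors="replace"))
        else:
            out.append(text)
    return "".join(out)


def identify(data):
    """Classify a blob by its magic bytes, ignoring whatever extension the
    sender gave it (a '.bat' that starts with MZ is still an executable)."""
    if data.startswith(b"Rar!\x1a\x07\x00"):
        return "RAR4"
    if data.startswith(b"Rar!\x1a\x07\x01\x00"):
        return "RAR5"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
        return "MZ (DOS stub only)"
    return "unknown"


if __name__ == "__main__":
    print("body is UTF-16LE:", looks_like_utf16le(SAMPLE_BODY_STREAM))
    print("body:", decode_msg_string_stream(SAMPLE_BODY_STREAM).strip())
    print("subject:", decode_subject(SAMPLE_SUBJECT))
    for name, blob in (("attachment", SAMPLE_RAR), ("inner .bat", SAMPLE_PE)):
        print(name, "->", identify(blob))
```

On a real sample, the bytes for `decode_msg_string_stream` and `identify` would come from dumping the relevant stream with oledump's `-d` option rather than from the constructed constants; the classification is deliberately based on the file's own header so that a misleading extension on the attachment does not change the verdict.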
This looks to be a VB6 executable (from the PEiD signature), I should dig up my VB6 decompiler and try to take a closer look.
Of course, it's malware.