
SANS ISC: InfoSec Handlers Diary Blog - Analyzing TNEF files



Analyzing TNEF files

Published: 2017-12-31
Last Updated: 2017-12-31 09:25:50 UTC
by Didier Stevens (Version: 1)

Yesterday I came across a file type I rarely have to analyze: "Transport Neutral Encapsulation Format". It's an attachment file format used by Outlook and Exchange.

Here is how the file command identifies it:

There are several free and open-source programs and libraries that can parse this file format. There's a Python module tnefparse that comes with a parsing program:

So this TNEF file contains one attached file: an .iso file.
tnefparse can extract this .iso file:
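To triage a TNEF file without writing its attachments to disk, the attribute stream can also be walked directly with the standard library. The following is an added example, not part of the original diary and not tnefparse's code: it lists each attachment's name, size and MD5. The names `list_tnef_attachments`, `make_attr` and `SAMPLE` are hypothetical, the sample stream is constructed, and only the attAttachTitle name is read (long file names stored in MAPI properties are not decoded).

```python
import hashlib
import struct

TNEF_SIGNATURE = 0x223E9F78
LVL_ATTACHMENT = 0x02
ATT_ATTACH_RENDDATA = 0x00069002  # starts a new attachment
ATT_ATTACH_TITLE = 0x00018010     # file name (NUL-terminated)
ATT_ATTACH_DATA = 0x0006800F      # raw file content

def list_tnef_attachments(blob):
    """Return [{'name', 'size', 'md5'}] for each attachment in a TNEF stream."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream (bad signature)")
    pos, found = 6, []  # skip the 4-byte signature and the 2-byte key
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        # Each attribute: level (1), id (4), length (4), data, checksum (2)
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        data = blob[pos + 9:pos + 9 + length]
        end = pos + 9 + length + 2
        if end > len(blob):
            raise ValueError("truncated attribute at offset %d" % pos)
        (checksum,) = struct.unpack_from("<H", blob, end - 2)
        if sum(data) & 0xFFFF != checksum:
            raise ValueError("checksum mismatch at offset %d" % pos)
        if level == LVL_ATTACHMENT:
            if attr_id == ATT_ATTACH_RENDDATA or not found:
                found.append({"name": None, "size": 0, "md5": None})
            if attr_id == ATT_ATTACH_TITLE:
                found[-1]["name"] = data.split(b"\x00")[0].decode("latin-1")
            elif attr_id == ATT_ATTACH_DATA:
                found[-1]["size"] = len(data)
                found[-1]["md5"] = hashlib.md5(data).hexdigest()
        pos = end
    return found

def make_attr(level, attr_id, data):
    """Build one attribute record for the constructed sample below."""
    head = struct.pack("<BII", level, attr_id, len(data))
    return head + data + struct.pack("<H", sum(data) & 0xFFFF)

# Constructed sample: one attachment with a harmless placeholder payload.
SAMPLE = (struct.pack("<IH", TNEF_SIGNATURE, 1)
          + make_attr(2, ATT_ATTACH_RENDDATA, b"\x00" * 14)
          + make_attr(2, ATT_ATTACH_TITLE, b"invoice.iso\x00")
          + make_attr(2, ATT_ATTACH_DATA, b"constructed payload"))

if __name__ == "__main__":
    print(list_tnef_attachments(SAMPLE))
```

The resulting MD5 can be compared against known indicators before deciding whether to extract the attachment at all.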

I've covered the analysis of .iso files before in this diary entry.
 

With 7-zip, I can look into the .iso file:
 

And extract the .exe (MD5 d71e537c1ca1aba1f6854c0cb7b71835) file:
 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc tnef