Analyzing MIME Files: a Quick Tip

Published: 2023-10-01
Last Updated: 2023-10-01 07:51:42 UTC
by Didier Stevens (Version: 1)

In my blog post "Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs" I explain how to search through MIME files with my tool to find suspicious/malicious content:

I have now released a new version of, that can output the content of all parts in JSON format.

This is done with option --jsonoutput:

This JSON output can then be consumed by different tools I develop. One of them is, a tool to identify files using the libmagic library.

Here identifies all parts of the MIME file:

And it becomes clear that the JPEG part is not actually an image, but an MSO/ActiveMime file that can contain VBA code.
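The same declared-type versus detected-type comparison, as an added example that is not one of the tools described in this diary entry: it walks the MIME parts with Python's standard `email` package and identifies each part from its leading bytes. Assumptions: a small hard-coded signature table stands in for libmagic, the `application/x-mso` label and the function names are chosen here, and the sample message is constructed.

```python
import base64
from email import message_from_bytes, policy

# Small magic-byte table standing in for libmagic (assumption: leading bytes only).
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"ActiveMime", "application/x-mso"),  # label chosen here for MSO/ActiveMime
]
KNOWN = {mime for _, mime in SIGNATURES}

def sniff(data):
    """Identify content by its leading bytes, ignoring any declared type."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "unknown"

def audit_parts(raw):
    """Return (index, declared, detected, mismatch) for every leaf MIME part."""
    msg = message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    rows = []
    for i, part in enumerate(leaves):
        declared = part.get_content_type()
        detected = sniff(part.get_payload(decode=True) or b"")
        # Flag when the bytes contradict the header, or a sniffable type is not recognised.
        mismatch = detected != declared and (detected != "unknown" or declared in KNOWN)
        rows.append((i, declared, detected, mismatch))
    return rows

def _b64(data):
    return base64.encodebytes(data).decode("ascii")

# Constructed sample: the second "JPEG" part carries only an ActiveMime header plus padding.
SAMPLE = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="XYZ"\r\n\r\n'
    "--XYZ\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>\r\n"
    "--XYZ\r\nContent-Type: image/jpeg\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    + _b64(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    + "--XYZ\r\nContent-Type: image/jpeg\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    + _b64(b"ActiveMime" + b"\x00" * 16)
    + "--XYZ--\r\n"
).encode("ascii")

if __name__ == "__main__":
    for row in audit_parts(SAMPLE):
        print(row)
```

Parts whose last field is `True` are the ones to extract and examine further.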

Didier Stevens
Senior handler
Microsoft MVP

2 comment(s)


Question: Is it possible to include JPEG parts like this inside HTML email bodies that would be displayed in Outlook? And if so, will Outlook execute the VBA code? (Hoping not...)
the code would almost certainly not execute.
