Analyzing MSI files
SANS Internet Storm Center (SANS ISC) diary

Xavier wrote a diary entry about an interesting malware sample: an MSI file.

As Xavier mentioned, MSI files are Compound Document Files (the OLE/CFB container format), or as I like to call them, ole files. This means that MSI files can be inspected with any tool that handles OLE files, like 7-Zip, oletools, oledump, ...

I've had to analyze MSI files (benign and malicious), and used my tool oledump to search for executables (PE files) inside them. oledump is one of several tools that support YARA rules. I have a YARA rule, contains_pe_file, that searches for embedded PE files by looking for the MZ and PE headers. Here I use oledump with that YARA rule:

In this MSI file, streams 4 and 5 contain a PE file. Looking at the content of stream 4, we can see that it is actually a CAB file (header MSCF) containing a PE file:

MSI files will often contain CAB files. Note that a byte-pattern rule like this one can only see a PE file inside a CAB when the cabinet stores it uncompressed, as is the case here; when the folders use MSZIP or LZX compression, the MZ and PE headers are not visible in the stream, so extract the CAB first (7-Zip handles that) and scan the extracted files.
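The two checks discussed above, as an added example that is not code from the diary or from oledump/plugin_msi: a structural PE check (the MZ header's e_lfanew field must point at a PE signature, which is far less noisy than matching the two strings independently, and the COFF Characteristics word tells you whether the file is a DLL) and a CAB header parser that reports whether each folder is compressed, which decides whether a byte-pattern scan can find the PE at all. All sample streams are constructed in the block and labelled as such; the "compressed" stand-in is a trivially XORed payload, used only so the example runs offline without a real MSZIP/LZX cabinet.

```python
import hashlib
import struct

# Added example, not code from the diary or from oledump/plugin_msi: a minimal
# stream triage that (1) finds PE headers structurally instead of by two loose
# strings and (2) parses just enough of a CAB header to see whether its folders
# are compressed, which decides whether a byte-pattern scan can see the PE at all.

PE_SIGNATURE = b"PE\0\0"
CAB_SIGNATURE = b"MSCF"
IMAGE_FILE_DLL = 0x2000                      # Characteristics flag set on DLLs
CAB_COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def find_pe_headers(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew (dword at MZ+0x3C) points at 'PE\\0\\0'.

    Each hit also reports whether the COFF Characteristics word (PE+22) has the
    IMAGE_FILE_DLL bit, i.e. whether the embedded file is a DLL.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if pe_off + 24 <= len(data) and data[pe_off:pe_off + 4] == PE_SIGNATURE:
                characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
                hits.append({"offset": pos, "is_dll": bool(characteristics & IMAGE_FILE_DLL)})
        pos = data.find(b"MZ", pos + 1)
    return hits


def cab_info(data: bytes):
    """Parse CFHEADER and the CFFOLDER list; return None if this is not a CAB."""
    if data[:4] != CAB_SIGNATURE or len(data) < 36:
        return None
    (_, cb_cabinet, _coff_files, ver_minor, ver_major, c_folders, c_files,
     flags, _set_id, _i_cabinet) = struct.unpack_from("<4s4xI4xI4xBBHHHHH", data, 0)
    pos, cb_cffolder = 36, 0
    if flags & 0x0004:                       # cfhdrRESERVE_PRESENT: per-structure reserve sizes
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", data, pos)
        pos += 4 + cb_cfheader
    for bit in (0x0001, 0x0002):             # cfhdrPREV_CABINET / cfhdrNEXT_CABINET
        if flags & bit:                      # each carries two NUL-terminated strings
            for _ in range(2):
                pos = data.index(b"\0", pos) + 1
    folders = []
    for _ in range(c_folders):
        coff_cab_start, c_cfdata, type_compress = struct.unpack_from("<IHH", data, pos)
        folders.append({"data_offset": coff_cab_start, "blocks": c_cfdata,
                        "compression": CAB_COMPRESSION.get(type_compress & 0xF, "unknown")})
        pos += 8 + cb_cffolder
    return {"size": cb_cabinet, "version": "%d.%d" % (ver_major, ver_minor),
            "files": c_files, "folders": folders}


def triage_stream(data: bytes) -> dict:
    """Per-stream summary: printable header bytes, MD5, CAB details, PE hits."""
    header = "".join(chr(b) if 32 <= b < 127 else "." for b in data[:8])
    return {"header": header, "md5": hashlib.md5(data).hexdigest(),
            "cab": cab_info(data), "pe": find_pe_headers(data)}


# --- constructed sample input (not real malware, not a loadable PE or extractable CAB) ---

def build_fake_pe(characteristics: int = 0x2102) -> bytes:
    """64-byte DOS header with e_lfanew=0x40, PE signature, 20-byte COFF header."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + PE_SIGNATURE + coff


def build_fake_cab(payload: bytes, type_compress: int) -> bytes:
    """CFHEADER (version 1.3, one folder, one file, no flags) + one CFFOLDER + payload."""
    folder = struct.pack("<IHH", 44, 1, type_compress)
    header = struct.pack("<4s4xI4xI4xBBHHHHH", b"MSCF", 36 + len(folder) + len(payload),
                         44, 3, 1, 1, 1, 0, 0, 0)
    return header + folder + payload


def sample_streams() -> dict:
    pe = build_fake_pe()
    # Stand-in for compressed CFDATA: a trivial XOR hides the MZ/PE bytes the way
    # real MSZIP/LZX output would; real cabinets are of course not XOR-encoded.
    obscured = bytes(b ^ 0xAA for b in pe)
    return {"stream4_uncompressed_cab": build_fake_cab(pe, 0),
            "stream4_compressed_cab": build_fake_cab(obscured, 1),
            "stream5_dll": pe}


if __name__ == "__main__":
    for name, data in sample_streams().items():
        print(name, triage_stream(data))
```

Run over real streams (for example each stream returned by olefile's `OleFileIO.openstream`), the uncompressed CAB reports a PE hit at the offset of the embedded file, while a compressed CAB reports its folder compression type and no PE hit, which is the cue to extract before scanning.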

Stream 5 contains a PE file:

Looking back at the first screenshot, the stream names don't make much sense (they are displayed as hexadecimal values), while Xavier's examples show legible stream names. I did some research, and found out that MSI stream names are encoded: Windows Installer maps the characters of the real name into Unicode code points in the range 0x3800 to 0x4840 (inside the CJK Unified Ideographs Extension A block), which is why generic OLE tools show them as hexadecimal values or CJK characters. I developed a new oledump plugin, plugin_msi, to decode MSI stream names, and also provide info like the header (ASCII) and the MD5 hash of the streams:
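The stream-name encoding described above, as an added example that is not the diary's or plugin_msi's code: each character of the real name is a 6-bit index into a 64-symbol alphabet, two indices are packed into one UTF-16 code unit from 0x3800 (low 6 bits first), a trailing single index uses 0x4800, and 0x4840 marks a database table stream. Rendering that marker as `!` is a display convention chosen for this example, not part of the format. The sample encoded name is constructed in the block; it decodes to the `_Tables` stream that every MSI database contains.

```python
# Added example, not the diary's or plugin_msi's code: decoder (and, to build
# test input, encoder) for the stream-name transform Windows Installer applies
# inside an MSI's OLE container.

# 64-symbol alphabet; each symbol is 6 bits, two fit in one UTF-16 code unit.
MSI_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
PAIR_BASE = 0x3800     # 0x3800-0x47FF: two symbols, low 6 bits first
SINGLE_BASE = 0x4800   # 0x4800-0x483F: one symbol
TABLE_PREFIX = 0x4840  # leading marker of a database table stream


def decode_msi_stream_name(name: str) -> str:
    """Turn an encoded OLE stream name back into the MSI stream/table name.

    The table marker is rendered as '!' (a display convention chosen here, not
    part of the format); code points outside the encoded ranges are passed
    through, so names like '\\x05SummaryInformation' come out unchanged.
    """
    out = []
    for ch in name:
        cp = ord(ch)
        if PAIR_BASE <= cp < SINGLE_BASE:
            cp -= PAIR_BASE
            out.append(MSI_ALPHABET[cp & 0x3F])   # first character: low 6 bits
            out.append(MSI_ALPHABET[cp >> 6])     # second character: high 6 bits
        elif SINGLE_BASE <= cp < TABLE_PREFIX:
            out.append(MSI_ALPHABET[cp - SINGLE_BASE])
        elif cp == TABLE_PREFIX:
            out.append("!")
        else:
            out.append(ch)
    return "".join(out)


def encode_msi_stream_name(name: str, table: bool = False) -> str:
    """Inverse transform: pack alphabet characters two per code unit, one when
    the next character is missing or not in the alphabet, and leave anything
    else as-is. Used here to construct test input."""
    out = [chr(TABLE_PREFIX)] if table else []
    i = 0
    while i < len(name):
        a = MSI_ALPHABET.find(name[i])
        b = MSI_ALPHABET.find(name[i + 1]) if i + 1 < len(name) else -1
        if a >= 0 and b >= 0:
            out.append(chr(PAIR_BASE + a + (b << 6)))
            i += 2
        elif a >= 0:
            out.append(chr(SINGLE_BASE + a))
            i += 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


# Constructed sample input: the encoded name of the '_Tables' table stream, and an
# encoded binary-stream name built with the encoder above.
SAMPLE_TABLES_STREAM = "\u4840\u3f7f\u4164\u422f\u4836"
SAMPLE_BINARY_STREAM = encode_msi_stream_name("Binary.setup_x64.dll")

if __name__ == "__main__":
    for raw in (SAMPLE_TABLES_STREAM, SAMPLE_BINARY_STREAM, "\x05SummaryInformation"):
        print(" ".join("%04X" % ord(c) for c in raw), "->", decode_msi_stream_name(raw))
```

To apply it to a real file, walk the container with olefile and decode the last path component of each entry returned by `OleFileIO.listdir(streams=True)`; the table streams (`!_Tables`, `!_StringPool`, `!_StringData`, `!_Columns`) then become recognisable next to the `Binary.` streams that carry embedded executables.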

The decoded name of stream 5 is a good indicator that the embedded PE file is a DLL. This can be confirmed by inspecting the embedded PE file with a tool like pecheck, for example, and checking that the IMAGE_FILE_DLL flag is set in the Characteristics field of the file header:

If you prefer a GUI tool to analyze MSI files, know that there are several MSI GUI tools aimed at developers, like Orca (part of the Windows SDK), that work just as well for inspection.

Do you have a preferred tool to analyze MSI files? Please post a comment!

Didier Stevens
Microsoft MVP Consumer Security


I used lessmsi to help with analysis of the backdoored/repackaged MSI (MD5: fbb7de06dcb6118e060dd55720b51528) deployed by the Kingslayer perps in their supply chain attack
Thanks for sharing!
