Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Peeking into .msg files - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Peeking into .msg files

Readers often submit malware samples, and sometimes the complete email with attachment. For example exported from Outlook, as a .msg file.

Did you know that .msg files use the Compound File Binary Format (what I like to call OLE files), and can be analysed with oledump?

Reader Carlos Almeida submitted a .msg file with malicious .rar attachment.

I'm not that familiar with .msg file intricacies, but by looking at the stream names and sizes, I can often find what I'm looing for:

Stream 53 seems to contain the message:

From this hex-ascii dump, you can probably guess that the message is stored in UNICODE format. We can use option -t (translate) of oledump to decode it as UTF-16:

Stream 43 contains the headers. I don't want to disclose private information like our reader's email address, so I grepped for some headers that I can disclose:

The Subject header is encoded according to RFC1342 because the subject contains non-ASCII characters. It decodes to this:

These are chinese characters that seem to mean the same as FW: (forwarding).

Stream 3 contains the attachment:

You can see it's a RAR file.

I use 7zip to look into it, and it should be possible to do this without writing the file to disk, by just piping the data into 7zip (options -si and -so can help with piping). But unfortunately, I got errors trying this and resigned to saving it to disk:

It contains an unusually large .bat file:

It's actually a PE file:

This looks to be a VB6 executable (from the PEiD signature), I should dig up my VB6 decompiler and try to take a closer look.

Of course, it's malware.

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

181 Posts
ISC Handler
RFC1342 is obsolete, RFC2047 is the current RFC. Unfortunately, Python 2.7 decoding with make_header(decode_header).__unicode() isn't always correct. Python 3.6 is better, but I've still had some issues.
Anonymous

Posts
If I had multiple MSG files, could I use oledump to automatically extract attachments from them, without necessarily knowing in advance which stream in the attachment stream?
Anonymous

Posts
:) Thank you Didier Stevens, for all your great work
and also your great SANS team, thank you
learn a lot
Carlos Almeida
Netmanzim

8 Posts Posts
You should be able to figure out what parts of a msg are the attachment and what types they are. The substrings have specific meanings.

The prefix indicates what the part type is

'3701': 'Attachment data',
'3703': 'Attachment extension',
'3704': 'Attachment short filename',
'3707': 'Attachment long filename',
'370E': 'Attachment mime tag',
'3712': 'Attachment ID (uncertain)'
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!