Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Analyzing MSI files

Published: 2018-02-19
Last Updated: 2018-02-19 21:58:25 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Xavier wrote a diary entry about an interesting malware sample: MSI files.

As Xavier mentioned, MSI files are Composite Document Files, or as I like to call them, ole files. MSI files can be inspected with tools that handle OLE files, like 7-Zip, oletools, oledump, ...

I've had to analyze MSI files (bening and malware), and used my tool oledump to search for executables (PE files) inside MSI files. oledump is one of several tools that supports YARA rules. I have a YARA rule, contains_pe_file, that searches for embedded PE files by looking for the MZ and PE header. Here I use oledump with that YARA rule:

In this MSI file, streams 4 and 5 contain a PE file. Looking at the content of stream 4, we can see that it is actually a CAB file (header MSCF) containing a PE file:

MSI file will often contain CAB files.

Stream 5 contains a PE file:

Looking back at the first screenshot, the stream names don't make much sense (they are hexadecimal values), while Xavier's examples show legible steam names. I did some research, and found out that MSI stream names are encoded with unused UNICODE code points. I developed a new oledump plugin, plugin_msi, to decode MSI stream names, and also provide info like the header (ASCII) and MD5 hash of the streams:

The name of stream 5 ( is a good indicator that the embedded PE file is a DLL. This can be confirmed by inspecting the embedded PE file, with a tool like pecheck for example:

If you prefer a GUI tool to analyze MSI files, then know that there are several MSI GUI tools for developers, like Orca.

Do you have a preferred tool to analyze MSI files? Please post a comment!

Didier Stevens
Microsoft MVP Consumer Security

Keywords: msi ole
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Finding VBA signatures in .docm files
Feb 18th 2018
1 day ago by DidierStevens (0 comments)

Malware Delivered via Windows Installer Files
Feb 17th 2018
2 days ago by Xme (0 comments)

February 2018 Microsoft (and Adobe) Patch Tuesday
Feb 13th 2018
6 days ago by Johannes (8 comments)

View All Diaries →

Latest Discussions

Work logs for hunting
created Jan 18th 2018
1 month ago by Anonymous (0 replies)

What is airbnb doing?
created Jan 9th 2018
1 month ago by Mike (0 replies)

Convert OST Emails to PST Files
created Jan 4th 2018
1 month ago by Anonymous (0 replies)

Windows Client what the hell is this?
created Jan 2nd 2018
1 month ago by Anonymous (0 replies)

My log Reports not displaying reported entries
created Dec 22nd 2017
1 month ago by Tony (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
7 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
6 months ago by Johannes (13 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
2 months ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
5 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
6 months ago by Xme (2 comments)