Analyzing MIME Files: a Quick Tip, (Sun, Oct 1st)

Category :

SANS Full Feed

Posted On :

In my blog post “Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs” I explain how to search through MIME files with my tool to find suspicious/malicious content:

I have now released a new version of, that can output the content of all parts in JSON format.

This is done with option –jsonoutput:

This JSON output can then be consumed by different tools I develop. One of them is, a tool to identify files using the libmagic library.

Here identifies all parts of the MIME file:

And it becomes clear that the JPEG parts is not actually an image, but an MSO/ActiveMime file that can contain VBA code.

Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.