[Mimedefang] Strip DOC with macros
Kevin A. McGrail
KMcGrail at PCCC.com
Wed Feb 25 14:10:18 EST 2015
On 2/25/2015 1:17 PM, Justin Edmands wrote:
> Hey Mimedefang listers,
> I wanted to know if I could use mimedefang to strip out .DOC, .DOCX, .XLS, and .XLSX files (or any applicable file type) if they contain a macro.
>
We have some code inspired by DFS' recent post on the issue but haven't
had time to polish it to my satisfaction to bring it back to the list.
However, here's the key point:
# For formats later than 2003, the document is a zipped folder tree
# Macros are given away by the presence of two files, and because the
# zip index is plaintext
My plan is to use Archive::Zip to look at the index for these files
which indicate a macro and then add a header which we then use in SA to
increase the score.
vbaData\.xml|vbaProject\.bin
Additionally, in the link
https://social.technet.microsoft.com/Forums/office/en-US/1eb2d35a-b212-480b-9af3-121ab498d095/where-does-the-macro-gets-stored-in-new-microsoft-word-open-office-xml-format-docx?forum=word
you'll note "The .docx format doesn't contain macros. A macro-enabled
Word document has extension .docm."
So you can also assume .docm has macros.
Eventually I will post the code to the list when it's ready in keeping
with the spirit that DFS shared his original idea as well.
Regards,
KAM
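
The zip-index check described in this message, as an added example; it is not the code KAM refers to and not part of the original post. The function name `macro_reason`, the sample file names and the path-anchored form of the pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempdir);

# Zip member names that indicate a VBA macro (pattern taken from the post),
# anchored here to the last path component, e.g. word/vbaProject.bin.
my $MACRO_RE = qr{(?:^|/)(?:vbaData\.xml|vbaProject\.bin)$}i;

# Stay quiet when handed something that is not a zip (e.g. a legacy .doc).
Archive::Zip::setErrorHandler(sub { });

# Return a reason string if the attachment looks macro-enabled, else undef.
# $path is the file on disk, $filename the name the sender gave it.
sub macro_reason {
    my ($path, $filename) = @_;
    return 'docm extension' if defined $filename && $filename =~ /\.docm$/i;
    my $zip = Archive::Zip->new();
    return unless $zip->read($path) == AZ_OK;    # not a readable zip
    my @hits = grep { $_ =~ $MACRO_RE } $zip->memberNames();
    return @hits ? 'zip index lists ' . join(', ', @hits) : undef;
}

# Constructed samples: member lists only, contents are dummy strings.
my $dir = tempdir(CLEANUP => 1);
my %samples = (
    'clean.docx'  => ['[Content_Types].xml', 'word/document.xml'],
    'hidden.docx' => ['[Content_Types].xml', 'word/document.xml',
                      'word/vbaProject.bin', 'word/vbaData.xml'],
    'sheet.xlsx'  => ['[Content_Types].xml', 'xl/vbaProject.bin'],
);
for my $name (sort keys %samples) {
    my $zip = Archive::Zip->new();
    $zip->addString('constructed', $_) for @{ $samples{$name} };
    $zip->writeToFileNamed("$dir/$name") == AZ_OK or die "cannot write $name";
}
# A non-zip file, standing in for a pre-2007 binary document.
open my $fh, '>', "$dir/legacy.doc" or die $!;
print {$fh} "constructed non-zip bytes\n";
close $fh;

for my $name ('clean.docx', 'hidden.docx', 'sheet.xlsx', 'legacy.doc') {
    my $reason = macro_reason("$dir/$name", $name);
    # In a MIMEDefang filter this is where action_add_header() would be
    # called; the header name is left to the site.
    printf "%-12s %s\n", $name, defined $reason ? "MACRO ($reason)" : 'no indicator';
}
```

The non-zip sample returns no indicator because this check only reads zip indexes; pre-2007 binary formats need a different test.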