JonathanThorpe / spamassassin-vba-macro

SpamAssassin plugin for detecting VBA macros in Microsoft Office Documents
Apache License 2.0
11 stars 3 forks

XML files with embedded OLE file not detected #14

Open itsbo opened 8 years ago

itsbo commented 8 years ago

Hi,

I have started seeing XML files renamed to .DOC that are in a Word capable format containing OLE files embedded in their structure. There is a description of this vector here:

https://isc.sans.edu/forums/diary/XML+A+New+Vector+For+An+Old+Trick/19423/

As these are text files, one should practically only have to grep for

w:macrosPresent="yes"

This apparently also exists for Excel, but the strings are different there, the article says.

:-(

neverending story apparently...
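The check described in the post above, as an added example (not code from the spamassassin-vba-macro plugin, and written in Python rather than the plugin's Perl): it parses a Word 2003 XML document, reads the `w:macrosPresent` attribute on the root element, decodes any `w:binData` parts and looks at their leading bytes for an OLE compound-file header, and falls back to a byte-level regex for the `w:macrosPresent="yes"` marker when the XML does not parse. The WordML namespace and the `w:binData` element name are taken from the Word 2003 XML format; the sample documents, the `editdata.mso` part name and the embedded blob are constructed here for the test, and the Excel-specific markers the article mentions are not covered.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Namespace of the Word 2003 XML ("WordML") format; the root element is <w:wordDocument>.
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
W = "{%s}" % WORDML_NS

# Magic bytes of an OLE compound file (the classic .doc/.xls container).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Header of an ActiveMime (.mso) container, which is what Word writes into editdata.mso.
ACTIVEMIME_MAGIC = b"ActiveMime"

# Same grep the post suggests, tolerant of whitespace and quoting, usable on raw bytes.
MACROS_MARKER = re.compile(rb"""\bw:macrosPresent\s*=\s*["']yes["']""", re.IGNORECASE)

# Constructed sample: a WordML file that declares macros and carries an embedded binary part.
_OLE_BLOB = OLE_MAGIC + b"\x00" * 24
SAMPLE_WITH_MACROS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<?mso-application progid="Word.Document"?>\n'
    '<w:wordDocument xmlns:w="%s" w:macrosPresent="yes">\n'
    '  <w:binData w:name="editdata.mso">%s</w:binData>\n'
    '  <w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body>\n'
    '</w:wordDocument>\n'
    % (WORDML_NS, base64.b64encode(_OLE_BLOB).decode())
).encode()

# Constructed sample: a plain WordML file with no macro flag and no embedded parts.
SAMPLE_CLEAN = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<w:wordDocument xmlns:w="%s">\n'
    '  <w:body><w:p><w:r><w:t>Meeting notes</w:t></w:r></w:p></w:body>\n'
    '</w:wordDocument>\n' % WORDML_NS
).encode()


def has_macros_marker(data: bytes) -> bool:
    """Byte-level check for w:macrosPresent="yes"; works even on truncated or malformed XML."""
    return MACROS_MARKER.search(data) is not None


def scan_wordml(data: bytes) -> dict:
    """Parse a WordML document and report the macro flag and every embedded binary part."""
    findings = {"is_wordml": False, "macros_present": False, "bindata": []}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return findings
    if root.tag != W + "wordDocument":
        return findings
    findings["is_wordml"] = True
    findings["macros_present"] = root.get(W + "macrosPresent", "").lower() == "yes"
    for part in root.iter(W + "binData"):
        try:
            blob = base64.b64decode("".join((part.text or "").split()))
        except (binascii.Error, ValueError):
            blob = b""
        findings["bindata"].append({
            "name": part.get(W + "name", ""),
            "size": len(blob),
            "ole": blob.startswith(OLE_MAGIC),
            "activemime": blob.startswith(ACTIVEMIME_MAGIC),
        })
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the file declares macros or embeds an OLE/ActiveMime part; regex fallback otherwise."""
    f = scan_wordml(data)
    if f["is_wordml"] and f["macros_present"]:
        return True
    if any(p["ole"] or p["activemime"] for p in f["bindata"]):
        return True
    return has_macros_marker(data)


if __name__ == "__main__":
    for label, doc in (("macro sample", SAMPLE_WITH_MACROS), ("clean sample", SAMPLE_CLEAN)):
        print(label, scan_wordml(doc), "suspicious" if is_suspicious(doc) else "ok")
```

The structured scan is what a plugin would score on, since it can tell a file that merely mentions the attribute in body text from one whose root element actually sets it; the regex fallback is there because a mail filter often sees only the first part of a large attachment, and the marker usually sits in the opening tag.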

pdwalker commented 8 years ago

seconded. Is there anything you could do to add detection of these file types to your module?

pdwalker commented 8 years ago

What a nightmare! Detecting Malicious Microsoft Office Macro Documents: https://www.greyhathacker.net/?p=872

ovizii commented 8 years ago

Won't this be caught if the requirements are all fulfilled? The description says:

In order to detect VBA/Macro-enabled formats (i.e. .docm) disguised as classic Microsoft Office formats by renaming the files, it's recommended you also install:

File::MimeInfo::Magic

pdwalker commented 8 years ago

No. I have File::MimeInfo::Magic installed and enabled and I still have macros slip through.