Open pdwalker opened 8 years ago
I just tripped over this. As I was testing the plugin with an XLS file (because that's what I had to hand), it was particularly frustrating, as I thought Amavisd wasn't loading the module for SA!
From the debugging I've done, the first marker is found, but the second isn't. I've not yet worked out why.
I think I found the problem.
The attachment decoding doesn't decode and search the whole file, only the initial part (up to $file_max_read_size bytes, which is set as 100KB).
My test Excel file is only 208KB, but from a bit of manual searching of a hexdump, the second search string (the "\0Attribut\0" string) doesn't come until around 0x31ab0 - 202KB in (and after the content)!
I'm now trying to work out whether there is anything that can be done, or whether XLS files are a lost cause because the structure inherently means that the macros come after the content and so you can't reliably read the first N bytes and catch the macro definition.
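The 100KB read limit described in the comments above, as an added example that is not part of the thread or the plugin's code: it compares a prefix-only search for the "\0Attribut\0" string with a chunked search of the whole stream that keeps memory bounded. The buffer is constructed filler with the marker placed at the offset quoted above; `find_in_prefix`, `find_streaming`, `build_sample` and the 64KB chunk size are assumptions for illustration.

```python
import io

MARKER = b"\x00Attribut\x00"   # second search string quoted in the thread
PREFIX_LIMIT = 100 * 1024      # assumed to mirror $file_max_read_size (100KB)
CHUNK = 64 * 1024              # hypothetical streaming chunk size


def find_in_prefix(stream, marker=MARKER, limit=PREFIX_LIMIT):
    """Search only the first `limit` bytes, the behaviour the thread describes."""
    return stream.read(limit).find(marker)


def find_streaming(stream, marker=MARKER, chunk=CHUNK):
    """Search the whole stream chunk by chunk; return absolute offset or -1.

    The last len(marker)-1 bytes of each window are carried into the next
    one, so a marker split across a chunk boundary is still matched.
    """
    keep = len(marker) - 1
    tail = b""
    consumed = 0               # bytes read from the stream before this block
    while True:
        block = stream.read(chunk)
        if not block:
            return -1
        window = tail + block
        pos = window.find(marker)
        if pos != -1:
            return consumed - len(tail) + pos
        consumed += len(block)
        tail = window[-keep:] if keep else b""


def build_sample(size=208 * 1024, marker_at=0x31AB0):
    """Constructed stand-in for the attachment: filler with a late marker."""
    buf = bytearray(b"\xAA" * size)
    buf[marker_at:marker_at + len(MARKER)] = MARKER
    return bytes(buf)


if __name__ == "__main__":
    data = build_sample()
    print("prefix-only:", find_in_prefix(io.BytesIO(data)))
    print("streaming:  ", find_streaming(io.BytesIO(data)))
    # Marker placed so that it straddles the first chunk boundary.
    edge = build_sample(marker_at=CHUNK - 4)
    print("boundary:   ", find_streaming(io.BytesIO(edge)))
```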
Attached is an example Excel spreadsheet with embedded macros. It is completely undetected by the spamassassin-vba-macro and I'm not sure why. The attached Excel XLS spreadsheet is a good example. (The embedded macros are not malicious.)
example-macro.xls.zip