Closed itsbo closed 8 years ago
Thanks for letting me know - I'll see what I can do about adding this to the next release. The signature was found here https://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
Since docm and co. are macro-enabled files, it is not really necessary to check them for macros, as there is no sense in sending docm files without macros, so I treat them as macro files, whether or not there are actually any in them. We use

```
mimeheader __DMB_ATTACHED_DOCM Content-Disposition =~ /\.do[ct]m[;"']/i
mimeheader __DMB_ATTACHED_XLSM Content-Disposition =~ /\.xl[st]m[;"']/i
mimeheader __DMB_ATTACHED_PPTM Content-Disposition =~ /\.p[po]tm[;"']/i
```

to score them in SA.
This seems like a good alternative to me.
Thoughts @itsbo?
I would split the files into 2 categories and add an elsif branch:

```perl
# legacy OLE2 formats: keep scanning these for the VBA markers
my $match_types = qr/(?:xls|xlt|pot|ppt|pps|doc|dot)$/;
# zip-based (OOXML) macro-enabled formats: flag by extension alone
my $match_types_compressed = qr/(?:xlsm|xltm|xlsb|potm|pptm|ppsm|docm|dotm)$/;

# ... in the existing loop over attachment names ($name), after the marker check:
} elsif ($name =~ $match_types_compressed) {
    $pms->{nomacro_microsoft_ole2macro} = 1;
    last;
}
```
@dmb-ts: You might want to add "xlsb" and "ppsm".

@JonathanThorpe: I added "xlt(m)" and "pot(m)" to the examined types.
I've added this to the fixes branch and will merge if this is a confirmed fix. The change also takes into account these file types stored in zip archives.
Hi,

the new docm/pptm/xlsm/xlsb file formats are zip files. Matching of the markers will not work for these files (tested it against a local SpamAssassin).

Decompressing them and checking the file

- Word 2007+: `word/vbaProject.bin`
- Excel 2007+: `xl/vbaProject.bin`
- PowerPoint 2007+: `ppt/vbaProject.bin`

will then work, as vbaProject.bin contains the same VBA project structure as for MS Office 97-2003 documents. If the file never had any macros, then the vbaProject.bin file will not exist, so you could just check for the name in the zip as a quick fix. If it had macros and they have been removed, the file will still be part of the zip.
I'm not proficient enough in Perl to code this myself on the fly, sorry, otherwise I would have provided a patch.
Source: http://www.decalage.info/en/vba_tools
Just curious: Where did you get the markers you check for?
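The two detection ideas in this thread, flagging macro-enabled extensions from the Content-Disposition header (the three SA `mimeheader` rules above) and looking inside zip-based OOXML files for a `vbaProject.bin` part (the original report), as one stand-alone checker. This is an added example for illustration, written in Python rather than Perl and not part of the plugin discussed here; the rule names, regexes and part paths are taken from the thread, while the `classify_attachment` function, its return labels and the constructed sample documents are assumptions of this example. It also applies the zip check to files whose extension does not promise macros (e.g. a `.docx` carrying `word/vbaProject.bin`), which the thread's patch does not do.

```python
import io
import re
import zipfile

# The three SpamAssassin header patterns quoted in the thread, transcribed to Python.
# Note they require the extension to be followed by ';', '"' or "'".
SA_HEADER_PATTERNS = {
    "__DMB_ATTACHED_DOCM": re.compile(r"\.do[ct]m[;\"']", re.I),
    "__DMB_ATTACHED_XLSM": re.compile(r"\.xl[st]m[;\"']", re.I),
    "__DMB_ATTACHED_PPTM": re.compile(r"\.p[po]tm[;\"']", re.I),
}

# Extension classes from the proposed patch: macro-enabled OOXML vs. legacy OLE2 formats.
MACRO_ENABLED_RE = re.compile(r"\.(?:xlsm|xltm|xlsb|potm|pptm|ppsm|docm|dotm)$", re.I)
LEGACY_OLE2_RE = re.compile(r"\.(?:xls|xlt|pot|ppt|pps|doc|dot)$", re.I)

# Where the VBA project lives inside the zip container, per the issue report.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def sa_rules_hit(content_disposition):
    """Return the names of the SA rules whose regex matches this Content-Disposition value."""
    return [name for name, rx in SA_HEADER_PATTERNS.items() if rx.search(content_disposition)]


def vba_part_in_zip(data):
    """Return the vbaProject.bin member name if `data` is a zip containing one, else None.

    Presence of the part means the document has (or once had) a VBA project; as the
    report notes, stripping macros can leave the part behind, so this is a quick
    name check, not a parse of the project itself.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    for part in VBA_PARTS:
        if part in names:
            return part
    return None


def classify_attachment(name, data):
    """Classify an attachment the way the thread proposes (labels are this example's own):
    1. macro-enabled extension -> treat as a macro file without looking inside;
    2. otherwise, if it is a zip, look for a vbaProject.bin part;
    3. legacy OLE2 extensions are left to the existing marker scan (not implemented here);
    4. anything else is reported as clean.
    """
    if MACRO_ENABLED_RE.search(name):
        return "macro-enabled-extension"
    part = vba_part_in_zip(data)
    if part is not None:
        return "vba-project:" + part
    if LEGACY_OLE2_RE.search(name):
        return "legacy-ole2-needs-marker-scan"
    return "clean"


def build_ooxml(members):
    """Constructed stand-in for an OOXML document: a zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, body in members.items():
            zf.writestr(member, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain .docx, a .docx that hides a VBA project, a macro-enabled
    # .docm, a legacy .doc (not a zip) and an unrelated text file.
    samples = {
        "report.docx": build_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}),
        "renamed.docx": build_ooxml({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
        "invoice.docm": build_ooxml({"[Content_Types].xml": b"<Types/>"}),
        "old.doc": b"\xd0\xcf\x11\xe0 not a zip",
        "notes.txt": b"hello",
    }
    for name, data in samples.items():
        print(f"{name:14s} -> {classify_attachment(name, data)}")
    for hdr in ('attachment; filename="invoice.docm"', "attachment; filename=invoice.docm"):
        print(f"{hdr!r:45s} -> {sa_rules_hit(hdr)}")
```

One thing the transcription makes visible: because the SA patterns end in `[;"']`, an unquoted filename that is the last parameter of the header (`filename=invoice.docm` with nothing after it) does not hit any rule, while the quoted form does. The zip check in `classify_attachment` does not depend on the header at all, so it still catches that case when the body is actually inspected.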