SpamAssassin OLEMacro is a plugin that searches attached documents for evidence that they contain an OLE Macro.
Several detection methods are in use, see the code comments for references.
The following Perl modules should be available
New body eval functions are added when this plugin is installed.
Check for the existence of an attachment with an embedded OLE Macro within files matching either olemacro_exts or olemacro_macro_exts
body OLEMACRO eval:check_olemacro()
describe OLEMACRO Attachment has an Office Macro
score OLEMACRO 0.1
Check for the existence of an attachment with a potential malicious embedded OLE Macro
body OLEMACRO_MALICE eval:check_olemacro_malice()
describe OLEMACRO_MALICE Potentially malicious Office Macro
score OLEMACRO_MALICE 0.1
Check if a found Office document is encrypted
body OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted
score OLEMACRO_ENCRYPTED 0.1
Check for the existence of an attachment that looks as though it is an olemacro_macro_exts file renamed to an olemacro_exts file
body OLEMACRO_RENAME eval:check_olemacro_renamed()
describe OLEMACRO_RENAME Has an Office doc that has been renamed
score OLEMACRO_RENAME 0.1
Check for the existence of an encrypted zip member that matches either olemacro_exts or olemacro_macro_exts
body OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip
score OLEMACRO_ZIP_PW 0.1
All configuration options should be fine at default. Tweak at your own risk.
Configure the largest file that the plugin will decode from the MIME objects
olemacro_max_file 512000
Configure the maximum number of matching (see below) MIME parts the plugin will scan
olemacro_num_mime 5
Configure the maximum number of matching (see below) zip members the plugin will scan
olemacro_num_zip 5
Depth to recurse within Zip files
olemacro_zip_depth 2
Scan more files for potential macros; olemacro_skip_exts is still honored
Note: this is off by default and shouldn't be needed. If it is turned on, consider adjusting the values for olemacro_num_mime and olemacro_num_zip and prepare for more CPU overhead
olemacro_extended_scan 0
Configure the extensions the plugin targets for macro scanning
olemacro_exts (?:doc|dot|pot|ppa|pps|ppt|sldm|xl|xla|xls|xlt|xslb)$
Configure the extensions the plugin treats as containing a macro
olemacro_macro_exts (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm)$
Configure extensions for the plugin to target as zip files; files matching the configs above are also tested as zips
olemacro_zips (?:zip)$
Configure extensions for the plugin to skip entirely; these should only be files guaranteed to be macro free
olemacro_skip_exts (?:docx|dotx|potx|ppsx|pptx|sldx|xlsx|xltx)$
Configure content types for the plugin to skip entirely; these should only be types guaranteed to be macro free
olemacro_skip_ctypes ^(?:(audio|image|text)\/|application\/(?:pdf))
Should the Content-Disposition header filename be preferred if ambiguity is encountered while trying to determine the filename
olemacro_prefer_contentdisposition 1
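The following is an added illustration, not the plugin's own Perl code, of how the rules above combine with the olemacro_exts, olemacro_macro_exts and olemacro_skip_exts patterns: it classifies one attachment by extension and then by container type (OOXML zip carrying a vbaProject.bin member, or legacy OLE2 file). The UTF-16LE stream-name markers and the renamed-file heuristic are simplified assumptions made for this example; the plugin's real detection methods are in its source comments.

```python
import io
import re
import zipfile

# Extension patterns copied from the plugin's documented defaults (matched on lowercased names)
OLEMACRO_EXTS = re.compile(r'(?:doc|dot|pot|ppa|pps|ppt|sldm|xl|xla|xls|xlt|xslb)$')
OLEMACRO_MACRO_EXTS = re.compile(r'(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm)$')
OLEMACRO_SKIP_EXTS = re.compile(r'(?:docx|dotx|potx|ppsx|pptx|sldx|xlsx|xltx)$')

OLE_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'  # OLE2 / Compound File Binary signature
ZIP_MAGIC = b'PK\x03\x04'                          # zip local file header (OOXML container)
# OLE directory entries store stream names as UTF-16LE; simplified markers (assumption)
VBA_MARKER = '_VBA_PROJECT'.encode('utf-16-le')
ENC_MARKER = 'EncryptedPackage'.encode('utf-16-le')

def classify(filename, data):
    """Return the set of rule names a single attachment would plausibly hit.
    Simplified approximation of the plugin's checks, not its real heuristics."""
    hits = set()
    name = filename.lower()
    if OLEMACRO_SKIP_EXTS.search(name):
        return hits                      # guaranteed macro-free, skipped entirely
    if not (OLEMACRO_EXTS.search(name) or OLEMACRO_MACRO_EXTS.search(name)):
        return hits                      # not an extension the plugin targets
    if data.startswith(ZIP_MAGIC):       # OOXML container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            return hits
        if any(m.endswith('vbaproject.bin') for m in members):
            hits.add('OLEMACRO')
            # a zip-based document carrying a macro but wearing a legacy,
            # non-macro extension (e.g. .doc) looks like a renamed .docm
            if not OLEMACRO_MACRO_EXTS.search(name):
                hits.add('OLEMACRO_RENAME')
    elif data.startswith(OLE_MAGIC):     # legacy binary Office format
        if ENC_MARKER in data:
            hits.add('OLEMACRO_ENCRYPTED')
        if VBA_MARKER in data:
            hits.add('OLEMACRO')
    return hits

def make_ooxml(with_macro):
    """Constructed sample: a minimal OOXML-style zip, optionally with a VBA project member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('[Content_Types].xml', '<Types/>')
        zf.writestr('word/document.xml', '<w:document/>')
        if with_macro:
            zf.writestr('word/vbaProject.bin', b'constructed placeholder, not a real VBA project')
    return buf.getvalue()
```

Scores for the rules would still come from the SpamAssassin configuration; this only shows which rule names each attachment type maps to.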