Hi all,

I'm trying to block Office files which contain executable stuff.  Decalage's 
mraptor works fine, except it doesn't cover Office 2007 and similar.  Those 
have 4-char extensions, like xlsx (Xml), xlsm (Macro), xlsb (Binary), and many 
more.  For a tentative list, see e.g.:
https://kb.intermedia.net/Article/23567

They are zip containers, possibly containing xml and other files.  Most often, 
they contain a file named printerSettings1.bin.  An xlsx I got also contains a 
file named oleObject1.bin.  Kaspersky flags it as 
HEUR:Exploit.MSOffice.Generic, see:
https://www.virustotal.com/#/file/3d6a7816aa27c053c9ca247a520cee11d6eb360b6f90ca587a3a0916d7f2e65b/detection

The whole xlsx file is detected similarly.  However, the content of the only 
OLE stream contained therein, extracted using oledump, is flagged clean in 
VirusTotal.  I don't understand what kind of content it is.  VirusTotal says it 
is an MS Word Document, see:
https://www.virustotal.com/#/file/ccc2bf780cbfec7d1ce66e1883f12c3bbe659a007b48b475b5a53a13e06d2db4/relations

I only get:

ale@pcale:~/tmp$ python oledump.py sample.xlsx 
A: xl/embeddings/oleObject1.bin
 A1:      1386 'eQuaTion nATIve'

ale@pcale:~/tmp$ python oledump.py -s A1 -d  sample.xlsx > streamA1_of_oleObject1.bin
ale@pcale:~/tmp$ file !$
file streamA1_of_oleObject1.bin
streamA1_of_oleObject1.bin: data

So, what is the heuristic?  If it contains an OLE object then it is evil?


Best
Ale
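Added example, not code from the thread, from oledump or from mraptor: a stdlib-only Python check that opens an OOXML package as a zip, walks the parts under embeddings/ and the vbaProject.bin part, and flags any that start with the OLE signature or that carry an "Equation Native" stream name in any letter case (CFB stream names are compared case-insensitively, which is why the mixed-case 'eQuaTion nATIve' above is still that stream). The folder list, the indicator names and the sample package are constructed assumptions; printerSettings*.bin is deliberately left alone.

```python
import io
import re
import zipfile

# Every OLE2 / Compound File Binary container starts with this 8-byte signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Package parts that carry embedded objects or VBA code (assumed list);
# printerSettings*.bin sits in a different folder and is deliberately not matched.
SUSPICIOUS_PART = re.compile(r"^(xl|word|ppt)/(embeddings/[^/]+|vbaProject\.bin)$", re.I)
# CFB directory entries hold stream names as UTF-16LE and compare them
# case-insensitively, so 'eQuaTion nATIve' still names an 'Equation Native' stream.
EQUATION_NATIVE = "equation native".encode("utf-16-le")

def inspect_ooxml(package: bytes) -> dict:
    """Map each suspicious part name to the list of indicators found in it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not SUSPICIOUS_PART.match(name):
                continue
            blob = zf.read(name)
            indicators = []
            if blob.startswith(OLE_MAGIC):
                indicators.append("ole-container")
                # bytes.lower() folds ASCII only, leaving the UTF-16 NUL bytes intact.
                if EQUATION_NATIVE in blob.lower():
                    indicators.append("equation-native-stream")
            if name.lower().endswith("vbaproject.bin"):
                indicators.append("vba-project")
            report[name] = indicators
    return report

def should_block(package: bytes) -> bool:
    """The policy from the question: block any package carrying OLE or VBA parts."""
    return any(inspect_ooxml(package).values())

def build_sample_xlsx(embed_ole: bool = True) -> bytes:
    """Constructed stand-in for the reporter's sample.xlsx. The embedded .bin is not
    a valid CFB file: only the signature and a mixed-case stream name are present."""
    ole = OLE_MAGIC + b"\x00" * 24 + "eQuaTion nATIve".encode("utf-16-le") + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/printerSettings/printerSettings1.bin", b"\x00" * 16)
        if embed_ole:
            zf.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()
```

On a real package the .bin parts are genuine CFB files, so for anything beyond this first-pass triage hand them to olefile or oledump to enumerate the streams properly.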

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
