https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7511
Alessandro Vesely <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #3 from Alessandro Vesely <[email protected]> ---

It doesn't catch this:
https://www.virustotal.com/#/file/ccc2bf780cbfec7d1ce66e1883f12c3bbe659a007b48b475b5a53a13e06d2db4/detection

Even if I override olemacro_macro_exts and olemacro_skip_exts — IMHO it's foolish to skip .xlsx.

The suspect file it contains is named xl/embeddings/oleObject1.bin, which is not in %macrofiles. I don't understand how come it would be executed, because it is only referenced in xl/worksheets/_rels/sheet1.xml.rels and [Content_Types].xml, where the relationship and the content type are respectively:

  <Relationship Id="rId3" Target="../embeddings/oleObject1.bin" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>

and

  <Override ContentType="application/vnd.openxmlformats-officedocument.oleObject" PartName="/xl/embeddings/oleObject1.bin"/>

Perhaps it is broken. However, 30/58 VirusTotal filters catch it. 30/56 catch the oleObject1 alone, but not the same 30 (for example TrendMicro):
https://www.virustotal.com/#/file/3d6a7816aa27c053c9ca247a520cee11d6eb360b6f90ca587a3a0916d7f2e65b/detection

The object is an OLE container, as it starts with $marker1, but it doesn't contain $marker2. The only OLE stream extracted from oleObject1.bin is not detected by any filter (and I'm unable to tell what kind of data it is):
https://www.virustotal.com/#/file/5f1a8f9850f96bf7f46f7eb76e5ff7092026ecdb190a33f76c5b6ba55aed4e63/detection

What do you think?

Googling around, I found the main concern about Office 2007-2016 seems to be to allow xl/printerSettings/printerSettings1.bin, which is binary but not OLE. Would it be fine to flag Office files which contain _any_ other bin?
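The heuristic the comment proposes (flag an OOXML file that carries any .bin part other than printerSettings, and report whether each part is an OLE container) is illustrated below as an added example. It is not SpamAssassin's OLEMacro.pm and not Alessandro's code; it walks the zip container, resolves each .rels Target the same way the quoted sheet1.xml.rels entry is resolved, looks up the [Content_Types].xml override, and tests the part against the two byte markers. The comment names $marker1 and $marker2 without defining them, so the values used here (the OLE compound-file header signature and the "\x00Attribut" string that VBA projects carry) are assumptions, as is the constructed sample workbook, which only mimics the structure quoted in the comment and is not the VirusTotal sample.

```python
"""Scan an OOXML (Office 2007+) zip container for embedded binary parts.

Added example, not SpamAssassin OLEMacro.pm code.  Marker byte strings are
assumptions: the bug comment mentions $marker1/$marker2 but does not define them.
"""
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # assumed $marker1: OLE/CFB header
VBA_MARKER = b"\x00Attribut"                     # assumed $marker2: VBA project string
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# The one .bin that legitimate Office files routinely carry (per the comment).
BENIGN_BIN = re.compile(r"^(xl|word|ppt)/printerSettings/printerSettings\d+\.bin$")


def _rels_targets(zf):
    """Map part name -> [(rels part, relationship Type)] for every internal Target."""
    refs = {}
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        # xl/worksheets/_rels/sheet1.xml.rels resolves Targets relative to xl/worksheets/
        base = posixpath.dirname(posixpath.dirname(name))
        for rel in ET.fromstring(zf.read(name)):
            target = rel.get("Target")
            if not target or rel.get("TargetMode") == "External":
                continue
            part = posixpath.normpath(posixpath.join(base, target)).lstrip("/")
            refs.setdefault(part, []).append((name, rel.get("Type")))
    return refs


def _content_types(zf):
    """Return (Override map by part name, Default map by extension)."""
    overrides, defaults = {}, {}
    for el in ET.fromstring(zf.read("[Content_Types].xml")):
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "Override":
            overrides[el.get("PartName").lstrip("/")] = el.get("ContentType")
        elif tag == "Default":
            defaults[el.get("Extension").lower()] = el.get("ContentType")
    return overrides, defaults


def scan_ooxml(data):
    """Describe every *.bin part in the container: OLE or not, markers, who references it."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    refs = _rels_targets(zf)
    overrides, defaults = _content_types(zf)
    parts = []
    for name in zf.namelist():
        if not name.lower().endswith(".bin"):
            continue
        blob = zf.read(name)
        parts.append({
            "name": name,
            "is_ole": blob.startswith(OLE_MAGIC),
            "has_vba_marker": VBA_MARKER in blob,
            "content_type": overrides.get(name, defaults.get("bin")),
            "referenced_by": refs.get(name, []),
            "benign": bool(BENIGN_BIN.match(name)),
        })
    return parts


def should_flag(parts):
    """The rule proposed in the comment: any .bin that is not printerSettings is suspicious."""
    return any(not p["benign"] for p in parts)


def build_sample_xlsx():
    """Constructed sample: an OLE-headed embedding (no VBA marker) plus printer settings."""
    ole_stub = OLE_MAGIC + b"\x00" * 504  # header only; stands in for a real CFB
    types_xml = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.printerSettings"/>'
        '<Override ContentType="application/vnd.openxmlformats-officedocument.oleObject" PartName="/xl/embeddings/oleObject1.bin"/>'
        '</Types>')
    sheet_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId3" Target="../embeddings/oleObject1.bin" Type="%s"/>'
        '<Relationship Id="rId2" Target="../printerSettings/printerSettings1.bin" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/printerSettings"/>'
        '</Relationships>' % OLE_REL_TYPE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
        zf.writestr("xl/embeddings/oleObject1.bin", ole_stub)
        zf.writestr("xl/printerSettings/printerSettings1.bin", b"\x01\x02 not an OLE file")
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_ooxml(build_sample_xlsx())
    for p in report:
        print(p)
    print("flag:", should_flag(report))
```

On the constructed sample the embedding is reported as an OLE container without the VBA marker, referenced only from sheet1.xml.rels with the oleObject relationship type, exactly the situation the comment describes, and the file is flagged because the embedding is a .bin outside printerSettings.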
