[clamav-users] How do heuristics block MS Office xml OLE blobs?

Alessandro Vesely vesely at tana.it
Thu Nov 15 18:29:54 UTC 2018


Hi all,

I'm trying to block Office files which contain executable stuff.  Decalage's mraptor works fine, except it doesn't cover Office 2007 and similar.  Those have 4-char extensions, like xlsx (Xml), xlsm (Macro), xlsb (Binary), and many more.  For a tentative list, see e.g.:
https://kb.intermedia.net/Article/23567

They are zip containers, possibly containing xml and other files.  Most often, they contain a file named printerSettings1.bin.  An xlsx I got also contains a file named oleObject1.bin.  Kaspersky flags it as HEUR:Exploit.MSOffice.Generic, see:
https://www.virustotal.com/#/file/3d6a7816aa27c053c9ca247a520cee11d6eb360b6f90ca587a3a0916d7f2e65b/detection

The whole xlsx file is detected similarly.  However, the content of the only OLE stream contained therein, extracted using oledump, is flagged clean in VirusTotal.  I don't understand what kind of content it is.  VirusTotal say it is an MS Word Document, see:
https://www.virustotal.com/#/file/ccc2bf780cbfec7d1ce66e1883f12c3bbe659a007b48b475b5a53a13e06d2db4/relations

I only get:

ale at pcale:~/tmp$ python oledump.py sample.xlsx 
A: xl/embeddings/oleObject1.bin
 A1:      1386 'eQuaTion nATIve'

ale at pcale:~/tmp$ python oledump.py -s A1 -d  sample.xlsx > streamA1_of_oleObject1.bin
ale at pcale:~/tmp$ file !$
file streamA1_of_oleObject1.bin
streamA1_of_oleObject1.bin: data

So, what is the heuristic?  If it contains an OLE object then it is evil?


Best
Ale




More information about the clamav-users mailing list