ActiveMime
From Just Solve the File Format Problem
(Difference between revisions)
Ross-spencer (Talk | contribs) (Initial commit of the undocumented format from Microsoft using information on https://github.com/phishme) |
Dexvertbot (Talk | contribs) m (→Sample files) |
||
| (6 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
| − | Documented by [https://github.com/phishme phishme] on GitHub, ActiveMime is an undocumented Microsoft file format often seen used to encode Microsoft Office Macros. | + | {{FormatInfo |
| + | |formattype=electronic | ||
| + | |subcat=Document | ||
| + | |extensions={{ext|mso}} | ||
| + | |mimetypes={{mimetype|application/x-mso}} | ||
| + | }} | ||
| + | Documented by [https://github.com/phishme phishme] on GitHub, '''ActiveMime''' is an undocumented Microsoft file format often seen used to encode [[Microsoft Office]] Macros. | ||
| − | ActiveMime binary objects may reside in Microsoft Web Archive ([ | + | ActiveMime binary objects may reside in Microsoft Web Archive ([[Ext:mht|MHT]]) files documented by [https://blog.cyren.com/articles/new-tricks-of-macro-malware.html Cyren]. |
There is little official documentation that can be searched for. The earliest references indexed by Google seem to come from [https://www.google.co.nz/search?q=%22activemime%22&safe=off&espv=2&biw=1920&bih=955&source=lnt&tbs=cdr%3A1%2Ccd_min%3A2012%2Ccd_max%3A2013&tbm= 2012] but not much earlier. | There is little official documentation that can be searched for. The earliest references indexed by Google seem to come from [https://www.google.co.nz/search?q=%22activemime%22&safe=off&espv=2&biw=1920&bih=955&source=lnt&tbs=cdr%3A1%2Ccd_min%3A2012%2Ccd_max%3A2013&tbm= 2012] but not much earlier. | ||
| Line 8: | Line 14: | ||
== Magic Number == | == Magic Number == | ||
| + | The structure is partially reversed engineered by phishme on GitHub. Once decoded from [[Base64]] the magic number of the format is: '''41 63 74 69 76 65 4d 69 6d 65 00 00''' - 'ActiveMime' + null terminators. | ||
| − | + | == Software == | |
| + | * [https://github.com/idiom/activemime-format activemime-format (extractor)] | ||
| − | == | + | == Sample files == |
| + | * {{DexvertSamples|archive/activeMime}} | ||
| + | == Other Links == | ||
* [https://github.com/phishme/python-amime/ Python Amime: Library for working with ActiveMime] | * [https://github.com/phishme/python-amime/ Python Amime: Library for working with ActiveMime] | ||
* [https://isc.sans.edu/forums/diary/XML+A+New+Vector+For+An+Old+Trick/19423/ XML: A New Vector For An Old Trick] describing malware distribution with an ActiveMime binary payload | * [https://isc.sans.edu/forums/diary/XML+A+New+Vector+For+An+Old+Trick/19423/ XML: A New Vector For An Old Trick] describing malware distribution with an ActiveMime binary payload | ||
| Line 20: | Line 30: | ||
* [https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/ Malicious Macros Evades Detection Using Unusual File Format] | * [https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/ Malicious Macros Evades Detection Using Unusual File Format] | ||
* [https://social.msdn.microsoft.com/Forums/office/en-US/fa6aa92a-ed56-4699-a0d4-3f42c077c602/question-about-base64-encoded-in-word-2003-xml-file?forum=worddev Early MSDN forum post asking about ActiveMime] | * [https://social.msdn.microsoft.com/Forums/office/en-US/fa6aa92a-ed56-4699-a0d4-3f42c077c602/question-about-base64-encoded-in-word-2003-xml-file?forum=worddev Early MSDN forum post asking about ActiveMime] | ||
| + | |||
| + | [[Category:Microsoft]] | ||
Latest revision as of 03:25, 28 December 2023
Documented by phishme on GitHub, ActiveMime is an undocumented Microsoft file format often seen used to encode Microsoft Office Macros.
ActiveMime binary objects may reside in Microsoft Web Archive (MHT) files documented by Cyren.
There is little official documentation that can be searched for. The earliest references indexed by Google seem to come from 2012 but not much earlier.
There is more information and a further call for collaboration or corrections on what is documented on the Pishme GitHub README.
Contents |
[edit] Magic Number
The structure is partially reversed engineered by phishme on GitHub. Once decoded from Base64 the magic number of the format is: 41 63 74 69 76 65 4d 69 6d 65 00 00 - 'ActiveMime' + null terminators.
[edit] Software
[edit] Sample files
[edit] Other Links
- Python Amime: Library for working with ActiveMime
- XML: A New Vector For An Old Trick describing malware distribution with an ActiveMime binary payload
- Evolution of Dridex
- Decalage Python code for extracting data from ActiveMime
- Cyren Article on ActiveMime
- Malicious Macros Evades Detection Using Unusual File Format
- Early MSDN forum post asking about ActiveMime
