Discussion:
[Bug 7511] New: SpamAssassin Plugin to detect VBA/OLE2 Macros
b***@bugzilla.spamassassin.org
2017-11-30 08:30:51 UTC
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7511

Bug ID: 7511
Summary: SpamAssassin Plugin to detect VBA/OLE2 Macros
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Hardware: PC
OS: OpenBSD
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: ***@spamassassin.apache.org
Reporter: ***@paclan.it
Target Milestone: Undefined

I developed a plugin (originally forked from the JonathanThorpe plugin but then
rewritten from scratch) to detect VBA/OLE2 Macros.
Full code available here, permission to include in spamassassin source tree is
granted.
https://github.com/bigio/spamassassin-vba-macro
--
You are receiving this mail because:
You are the assignee for the bug.
b***@bugzilla.spamassassin.org
2018-08-28 23:45:01 UTC

Kevin A. McGrail <***@apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@paclan.it,
| |***@apache.org,
| |***@gmail.com
Target Milestone|Undefined |3.4.3
Severity|normal |enhancement

--- Comment #1 from Kevin A. McGrail <***@apache.org> ---
Paul Stead also has a plugin for this:
https://github.com/fmbla/spamassassin-olemacro/

Perhaps you can work on something from the best of both and let's get it
submitted.
b***@bugzilla.spamassassin.org
2018-11-19 07:26:18 UTC

Giovanni Bechis <***@paclan.it> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED

--- Comment #2 from Giovanni Bechis <***@paclan.it> ---
Committed Paul Stead's plugin with some tweaks in r1846884.
b***@bugzilla.spamassassin.org
2018-11-19 17:26:37 UTC

Alessandro Vesely <***@tana.it> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@tana.it

--- Comment #3 from Alessandro Vesely <***@tana.it> ---
It doesn't catch this:

https://www.virustotal.com/#/file/ccc2bf780cbfec7d1ce66e1883f12c3bbe659a007b48b475b5a53a13e06d2db4/detection

Even if I override olemacro_macro_exts and olemacro_skip_exts —IMHO it's
foolish to skip .xlsx.

The suspect file it contains is named xl/embeddings/oleObject1.bin, which is
not in %macrofiles. I don't understand how come it would be executed, because
it is only referenced in xl/worksheets/_rels/sheet1.xml.rels and
[Content_Types].xml, where the relationship and the content type are
respectively:

<Relationship Id="rId3" Target="../embeddings/oleObject1.bin"
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>

and

<Override ContentType="application/vnd.openxmlformats-officedocument.oleObject"
PartName="/xl/embeddings/oleObject1.bin"/>

Perhaps it is broken. However, 30/58 VirusTotal filters catch it. 30/56 catch
the oleObject1 alone, but not the same 30 (for example TrendMicro):
https://www.virustotal.com/#/file/3d6a7816aa27c053c9ca247a520cee11d6eb360b6f90ca587a3a0916d7f2e65b/detection

The object is an OLE container, as it starts with $marker1, but it doesn't
contain $marker2. The only OLE stream extracted from oleObject1.bin is not
detected by any filter (and I'm unable to tell what kind of data it is):
https://www.virustotal.com/#/file/5f1a8f9850f96bf7f46f7eb76e5ff7092026ecdb190a33f76c5b6ba55aed4e63/detection

What do you think? Googling around I found the main concern about Office
2007-2016 seems to be to allow xl/printerSettings/printerSettings1.bin, which
is binary but not OLE. Would it be fine to flag Office files which contain
_any_ other bin?
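The package layout described in the comment above (an oleObject1.bin part declared in [Content_Types].xml and referenced from a worksheet .rels file, alongside a printerSettings bin that is binary but not OLE) can be checked directly rather than by file extension. The following is an added example, not code from the olemacro plugin or from either GitHub repository; it assumes the comment's $marker1 is the OLE2 compound-file header signature, and the sample package it builds is constructed here for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OLE2 / Compound File Binary header signature (assumed to be the comment's $marker1).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"
# The one .bin part the thread notes as binary-but-not-OLE in Office 2007-2016 files.
BENIGN_BIN = re.compile(r"^xl/printerSettings/printerSettings\d+\.bin$")


def find_embedded_ole(ooxml_bytes):
    """Return {part_name: {declared_ole, ole_header}} for every .bin part in an
    OOXML zip, other than printer settings, regardless of the outer extension."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        names = set(zf.namelist())
        declared = set()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for ov in root.iter(CT_NS + "Override"):
                if ov.get("ContentType") == OLE_CONTENT_TYPE:
                    declared.add(ov.get("PartName", "").lstrip("/"))
        for name in sorted(names):
            if not name.lower().endswith(".bin") or BENIGN_BIN.match(name):
                continue
            head = zf.read(name)[:8]  # only the header is needed for the OLE check
            found[name] = {"declared_ole": name in declared, "ole_header": head == OLE_MAGIC}
    return found


def build_sample():
    """Constructed minimal package mirroring the one discussed in the thread."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override ContentType="application/vnd.openxmlformats-officedocument.oleObject" '
        'PartName="/xl/embeddings/oleObject1.bin"/></Types>')
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId3" Target="../embeddings/oleObject1.bin" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        zf.writestr("xl/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)  # OLE header, empty body
        zf.writestr("xl/printerSettings/printerSettings1.bin", b"\x01\x02\x03\x04" * 4)  # not OLE
    return buf.getvalue()
```

Running `find_embedded_ole(build_sample())` reports only the oleObject1.bin part, flagged both as declared OLE in the content types and as carrying a real OLE header, while the printer-settings part is skipped.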
b***@bugzilla.spamassassin.org
2018-11-24 12:06:04 UTC

--- Comment #4 from Giovanni Bechis <***@paclan.it> ---
Do you have some samples of those emails/files to send me privately?
I would like to understand better how to differentiate between macro and
macro_malice in these cases.
b***@bugzilla.spamassassin.org
2018-12-05 19:17:19 UTC

--- Comment #5 from Alessandro Vesely <***@tana.it> ---
Hi Giovanni,

sorry for the delay... These days I can't manage :-(

I temporarily parked a sample here:
http://www.tana.it/VIRUS.asis

I don't know how effective this is, I never tried to launch it on a Windows
box.

Best
Ale