Gary Stainburn
2015-Oct-28 11:55 UTC
[CentOS] Detecting empty office doc containing virus macro
We are receiving LOTS of emails that contain empty XLS or DOC documents with embedded virus macros. These are getting past SPAMASSASSIN, Clamav and Kaspersky.

I'm trying to write a filter for EXIM to block these emails but I need to know a good, quick command line to detect an empty doc with a macro.

Is there anything available that I can use?

I have managed to write a PERL script to detect empty xls, xlsx, doc and docx files but I cannot detect whether they have any macros embedded.

Gary
Valeri Galtsev
2015-Oct-28 14:51 UTC
[CentOS] Detecting empty office doc containing virus macro
On Wed, October 28, 2015 6:55 am, Gary Stainburn wrote:

> We are receiving LOTS of emails that contain empty XLS or DOC documents with
> embedded virus macros. These are getting past SPAMASSASSIN, Clamav and
> Kaspersky.

Just a word of advice to everybody: stay away from Kaspersky (unless you want to submit to KGB). Do your own homework (web search, etc.) and keep in mind what everybody says: there is no retirement from secret services (KGB, CIA, MI5, NSA, ...) other than dead, feet first dead. I guess I see everywhere the confirmation of the saddest history lesson: that people never learn history lessons ;-(

Valeri

> I'm trying to write a filter for EXIM to block these emails but I need to know
> a good, quick, command-line to detect an empty doc with a macro.
>
> Is there anything available that I can use??
>
> I have managed to write a PERL script to detect empty xls xlsx, doc and docx
> files but I cannot detect whether they have any macros embedded
>
> Gary
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Eero Volotinen
2015-Oct-28 14:59 UTC
[CentOS] Detecting empty office doc containing virus macro
Hi,

Take a look at http://www.cuckoosandbox.org

--
Eero

2015-10-28 13:55 GMT+02:00 Gary Stainburn <gary at ringways.co.uk>:

> We are receiving LOTS of emails that contain empty XLS or DOC documents with
> embedded virus macros. These are getting past SPAMASSASSIN, Clamav and
> Kaspersky.
>
> I'm trying to write a filter for EXIM to block these emails but I need to know
> a good, quick, command-line to detect an empty doc with a macro.
>
> Is there anything available that I can use??
>
> I have managed to write a PERL script to detect empty xls xlsx, doc and docx
> files but I cannot detect whether they have any macros embedded
>
> Gary
Eero Volotinen
2015-Oct-28 15:01 UTC
[CentOS] Detecting empty office doc containing virus macro
and https://github.com/xme/cuckoomx

--
Eero

2015-10-28 16:59 GMT+02:00 Eero Volotinen <eero.volotinen at iki.fi>:

> Hi,
>
> Take look of http://www.cuckoosandbox.org
>
> --
> Eero
>
> 2015-10-28 13:55 GMT+02:00 Gary Stainburn <gary at ringways.co.uk>:
>
>> We are receiving LOTS of emails that contain empty XLS or DOC documents with
>> embedded virus macros. These are getting past SPAMASSASSIN, Clamav and
>> Kaspersky.
>>
>> I'm trying to write a filter for EXIM to block these emails but I need to know
>> a good, quick, command-line to detect an empty doc with a macro.
>>
>> Is there anything available that I can use??
>>
>> I have managed to write a PERL script to detect empty xls xlsx, doc and docx
>> files but I cannot detect whether they have any macros embedded
>>
>> Gary
Gary Stainburn
2015-Oct-28 16:33 UTC
[CentOS] Detecting empty office doc containing virus macro
I've had a look at this and

a) it looks a little like overkill for what I want,
b) I haven't a clue how to use it in my EXIM environment,
c) from the VERY quick look I've taken I don't see how to use it to detect macros in office documents.

I think I'm going to forget about the macros, and just assume that if the document is empty, it's a virus.

On Wednesday 28 October 2015 14:59:32 Eero Volotinen wrote:

> Hi,
>
> Take look of http://www.cuckoosandbox.org
>
> --
> Eero
>
> 2015-10-28 13:55 GMT+02:00 Gary Stainburn <gary at ringways.co.uk>:
>
> > We are receiving LOTS of emails that contain empty XLS or DOC documents with
> > embedded virus macros. These are getting past SPAMASSASSIN, Clamav and
> > Kaspersky.
> >
> > I'm trying to write a filter for EXIM to block these emails but I need to know
> > a good, quick, command-line to detect an empty doc with a macro.
> >
> > Is there anything available that I can use??
> >
> > I have managed to write a PERL script to detect empty xls xlsx, doc and docx
> > files but I cannot detect whether they have any macros embedded
> >
> > Gary

--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk
Ned Slider
2015-Oct-28 21:12 UTC
[CentOS] Detecting empty office doc containing virus macro
On 28/10/15 11:55, Gary Stainburn wrote:

> We are receiving LOTS of emails that contain empty XLS or DOC documents with
> embedded virus macros. These are getting past SPAMASSASSIN, Clamav and
> Kaspersky.
>
> I'm trying to write a filter for EXIM to block these emails but I need to know
> a good, quick, command-line to detect an empty doc with a macro.
>
> Is there anything available that I can use??
>
> I have managed to write a PERL script to detect empty xls xlsx, doc and docx
> files but I cannot detect whether they have any macros embedded
>
> Gary

If you've got a script to detect empty docs then it should be relatively easy to detect these. I assume empty attachments are not normal in your mail flows?

I would look to write some custom SpamAssassin rules, maybe incorporating your script, to detect these and filter them out.

Are you able to post some examples to pastebin?
Gary Stainburn
2015-Oct-29 10:51 UTC
[CentOS] Detecting empty office doc containing virus macro
On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:

> On 28/10/15 11:55, Gary Stainburn wrote:
> > We are receiving LOTS of emails that contain empty XLS or DOC documents
> > with embedded virus macros. These are getting past SPAMASSASSIN, Clamav
> > and Kaspersky.
> >
> > I'm trying to write a filter for EXIM to block these emails but I need to
> > know a good, quick, command-line to detect an empty doc with a macro.
> >
> > Is there anything available that I can use??
> >
> > I have managed to write a PERL script to detect empty xls xlsx, doc and
> > docx files but I cannot detect whether they have any macros embedded
> >
> > Gary
>
> If you've got a script to detect empty docs then it should be relatively
> easy to detect these. I assume empty attachments are not normal in your
> mail flows?

I have come to the conclusion that I am just going to have to stick with detecting empty documents and forget the macro checks.

> I would look to write some custom SpamAssassin rules, maybe
> incorporating your script, to detect these and filter them out.

I would love to be able to write custom SpamAssassin rules but do not know how to do this. All I have done in the past is add small pattern matching rules to local.cf.

Another rule I would like to add to SpamAssassin is to catch emails where the subject starts with the email local part in brackets, as we get a LOT of those too.

> Are you able to post some examples to pastebin?

http://www.stainburn.com/virus_files/I0000040777.doc
http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
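The macro half of Gary's original question (a quick command-line check that says whether an Office file carries a VBA project) is the part the thread drops, and it is the piece that would let Ned's "custom rule incorporating your script" idea key on macros rather than on emptiness alone. The following is an added example, not code from the thread or from any of the tools named in it. It relies on two format facts: in an OLE2 compound file (.doc/.xls) a VBA project is a set of directory entries named "Macros" (Word) or "_VBA_PROJECT_CUR" (Excel) containing a "VBA" storage and a "_VBA_PROJECT" stream, each entry name stored UTF-16LE in a 64-byte field followed by a 2-byte length; in an OOXML zip (.docx/.docm/.xlsx/.xlsm) the project is a `vbaProject.bin` part declared in `[Content_Types].xml`. Everything else (the function names, the exit-status convention, and the two sample builders, which produce constructed stand-ins rather than real documents) is this example's own choice. It deliberately does not re-implement the emptiness test Gary already has in Perl.

```python
#!/usr/bin/env python3
"""Triage an Office attachment: does it carry a VBA macro project?

Recognised by magic bytes:
  * OLE2 compound files (.doc/.xls): macro project = directory entries named
    "Macros" (Word) / "_VBA_PROJECT_CUR" (Excel), "VBA" and "_VBA_PROJECT".
    Entry names are UTF-16LE in a 64-byte field followed by a uint16 length.
  * OOXML zips (.docx/.docm/.xlsx/.xlsm): a vbaProject.bin part.
Exit status 1 = macros found, 0 = none found, so a mail filter can branch on it.
"""
import io
import struct
import sys
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OLE_VBA_NAMES = ("VBA", "_VBA_PROJECT", "_VBA_PROJECT_CUR", "Macros")


def ole_dir_entry_prefix(name: str) -> bytes:
    """First 66 bytes of an OLE2 directory entry for `name`: UTF-16LE name padded
    to 64 bytes, then uint16 byte length including the terminator. Matching the
    whole field rather than the bare string stops the scan firing on the word
    "VBA" appearing in ordinary document text."""
    raw = name.encode("utf-16-le")
    return raw + b"\x00" * (64 - len(raw)) + struct.pack("<H", len(raw) + 2)


def ole_macro_evidence(data: bytes) -> list:
    """Byte-scan an OLE2 file for VBA directory entries; return the names hit.
    A signature scan, not a FAT/directory walk: fast, and there is no parser
    for a malformed attachment to crash."""
    return [n for n in OLE_VBA_NAMES if ole_dir_entry_prefix(n) in data]


def ooxml_macro_evidence(data: bytes) -> list:
    """Look inside an OOXML zip for a vbaProject.bin part. The file extension is
    ignored on purpose: a .docm renamed to .docx still carries the part."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            found += [m for m in names if m.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names and \
                    b"vnd.ms-office.vbaProject" in zf.read("[Content_Types].xml"):
                found.append("[Content_Types].xml declares vbaProject")
    except zipfile.BadZipFile:
        pass  # zip magic but unreadable archive: no evidence either way
    return found


def classify(data: bytes) -> dict:
    """Return {'format', 'has_macros', 'evidence'} for one attachment's bytes."""
    if data.startswith(OLE_MAGIC):
        fmt, evidence = "ole2", ole_macro_evidence(data)
    elif data.startswith(ZIP_MAGIC):
        fmt, evidence = "ooxml", ooxml_macro_evidence(data)
    else:
        fmt, evidence = "unknown", []
    return {"format": fmt, "has_macros": bool(evidence), "evidence": evidence}


# --- constructed samples (assumption: stand-ins, not real documents) ----------

def build_ole_sample(entry_names) -> bytes:
    """OLE2 magic, a blank 512-byte header sector, then one 128-byte directory
    entry per name. Enough to exercise the scan; not a loadable document."""
    blob = bytearray(OLE_MAGIC + b"\x00" * 504)
    for name in entry_names:
        blob += ole_dir_entry_prefix(name).ljust(128, b"\x00")
    return bytes(blob)


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped zip; with_macro adds the vbaProject.bin part."""
    types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    if with_macro:
        types += ('<Override PartName="/word/vbaProject.bin" '
                  'ContentType="application/vnd.ms-office.vbaProject"/>')
    types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def main(argv) -> int:
    found_any = False
    for path in argv[1:]:
        with open(path, "rb") as fh:
            v = classify(fh.read())
        print(f"{'MACRO' if v['has_macros'] else 'clean':5} {v['format']:7} {path}  "
              + "; ".join(v["evidence"]))
        found_any = found_any or v["has_macros"]
    return 1 if found_any else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `has_macros.py attachment.doc` and branch on the exit status. In Exim the natural place to call it is the MIME ACL (`acl_smtp_mime` with `decode = default`, which makes the decoded part available as `$mime_decoded_filename`), using a `${run{...}}` expansion and testing `$runrc`; the exact ACL wiring is left to the reader. Two caveats worth stating: this is a signature scan, so a macro project hidden behind a non-standard container (an OLE file embedded in RTF, a password-protected zip) will not be seen, and a hit only says "macro present", not "malicious"; combine it with the emptiness check rather than blocking on macros alone if legitimate macro-bearing documents cross the gateway.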