ActiveMime

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
m
(Category:Microsoft)
Line 5: Line 5:
 
|mimetypes={{mimetype|application/x-mso}}
 
|mimetypes={{mimetype|application/x-mso}}
 
}}
 
}}
Documented by [https://github.com/phishme phishme] on GitHub, ActiveMime is an undocumented Microsoft file format often seen used to encode [[Microsoft Office]] Macros.
+
Documented by [https://github.com/phishme phishme] on GitHub, '''ActiveMime''' is an undocumented Microsoft file format often seen used to encode [[Microsoft Office]] Macros.
  
 
ActiveMime binary objects may reside in Microsoft Web Archive ([[Ext:mht|MHT]]) files documented by [https://blog.cyren.com/articles/new-tricks-of-macro-malware.html Cyren].
 
ActiveMime binary objects may reside in Microsoft Web Archive ([[Ext:mht|MHT]]) files documented by [https://blog.cyren.com/articles/new-tricks-of-macro-malware.html Cyren].
Line 15: Line 15:
 
== Magic Number ==  
 
== Magic Number ==  
  
The structure is partially reversed engineered by phishme on GitHub. Once decoded from Base64 the magic number of the format is: '''41 63 74 69 76 65 4d 69 6d 65 00 00''' - 'ActiveMime' + null terminators.
+
The structure is partially reversed engineered by phishme on GitHub. Once decoded from [[Base64]] the magic number of the format is: '''41 63 74 69 76 65 4d 69 6d 65 00 00''' - 'ActiveMime' + null terminators.
  
 
== Other Links ==
 
== Other Links ==
Line 26: Line 26:
 
* [https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/ Malicious Macros Evades Detection Using Unusual File Format]
 
* [https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/ Malicious Macros Evades Detection Using Unusual File Format]
 
* [https://social.msdn.microsoft.com/Forums/office/en-US/fa6aa92a-ed56-4699-a0d4-3f42c077c602/question-about-base64-encoded-in-word-2003-xml-file?forum=worddev Early MSDN forum post asking about ActiveMime]
 
* [https://social.msdn.microsoft.com/Forums/office/en-US/fa6aa92a-ed56-4699-a0d4-3f42c077c602/question-about-base64-encoded-in-word-2003-xml-file?forum=worddev Early MSDN forum post asking about ActiveMime]
 +
 +
[[Category:Microsoft]]

Revision as of 18:48, 24 August 2016

File Format
Name ActiveMime
Ontology
Extension(s) .mso
MIME Type(s) application/x-mso

Documented by phishme on GitHub, ActiveMime is an undocumented Microsoft file format often seen used to encode Microsoft Office Macros.

ActiveMime binary objects may reside in Microsoft Web Archive (MHT) files documented by Cyren.

There is little official documentation that can be searched for. The earliest references indexed by Google seem to come from 2012 but not much earlier.

There is more information and a further call for collaboration or corrections on what is documented on the Pishme GitHub README.

Magic Number

The structure is partially reversed engineered by phishme on GitHub. Once decoded from Base64 the magic number of the format is: 41 63 74 69 76 65 4d 69 6d 65 00 00 - 'ActiveMime' + null terminators.

Other Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox