Posted to commits@spamassassin.apache.org by gb...@apache.org on 2020/02/10 14:33:45 UTC

svn commit: r1873859 - in /spamassassin: branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm

Author: gbechis
Date: Mon Feb 10 14:33:45 2020
New Revision: 1873859

URL: http://svn.apache.org/viewvc?rev=1873859&view=rev
Log:
one more OLEMacro marker

Modified:
    spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
    spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm

Modified: spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
URL: http://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm?rev=1873859&r1=1873858&r2=1873859&view=diff
==============================================================================
--- spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm (original)
+++ spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm Mon Feb 10 14:33:45 2020
@@ -91,6 +91,8 @@ our $VERSION = '0.52';
 # http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
 my $marker1 = "\xd0\xcf\x11\xe0";
 my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
+# Office 2003 embedded ole
+my $marker2a = "\x01\x00\x4f\x00\x6c\x00\x65\x00\x31\x00\x30\x00\x4e\x00\x61\x00";
 # embedded object in rtf files (https://www.biblioscape.com/rtf15_spec.htm)
 my $marker3 = "\x5c\x6f\x62\x6a\x65\x6d\x62";
 my $marker4 = "\x5c\x6f\x62\x6a\x64\x61\x74";
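Review bot: The comment `# Office 2003 embedded ole` on `$marker2a` does not say what the sixteen bytes are, which makes the signature hard to audit or extend later. Decoded, they are `\x01` followed by UTF-16LE `Ole10Na`, i.e. the start of the `\x01Ole10Native` stream name as it appears in a compound-file directory entry, cut short of the full name. I would spell that out, e.g. `# "\x01Ole10Na" in UTF-16LE: prefix of the \x01Ole10Native stream name (embedded OLE package object)`, and ideally add a reference link as the neighbouring markers have. The identical hunk in trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm needs the same comment.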
@@ -871,6 +873,11 @@ sub _check_markers {
     return 1;
   }
 
+  if (index($data, $marker1) == 0 && index($data, $marker2a) > -1) {
+    dbg('Marker 1 & 2a found');
+    return 1;
+  }
+
   if (index($data, $marker3) > -1) {
     dbg('Marker 3 found');
     return 1;
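Review bot: The new `Marker 1 & 2a` branch makes `_check_markers` return 1 for an embedded-object stream name, whereas `$marker2` (`\x00Attribut\x00`) is the VBA attribute signature. If callers read any true return as "macro present", which the plugin name suggests but this hunk does not show, OLE documents that merely embed a package object will be reported as macro-bearing. If that is the intent, say so above the branch, e.g. `# \x01Ole10Native: embedded OLE package, treated as suspicious like a macro`; otherwise the branch should set a separate result so rules can score the two cases differently. `_check_markers` starts and ends outside the hunk, and the same applies to the matching hunk in trunk.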

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm?rev=1873859&r1=1873858&r2=1873859&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm Mon Feb 10 14:33:45 2020
@@ -91,6 +91,8 @@ our $VERSION = '0.52';
 # http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
 my $marker1 = "\xd0\xcf\x11\xe0";
 my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
+# Office 2003 embedded ole
+my $marker2a = "\x01\x00\x4f\x00\x6c\x00\x65\x00\x31\x00\x30\x00\x4e\x00\x61\x00";
 # embedded object in rtf files (https://www.biblioscape.com/rtf15_spec.htm)
 my $marker3 = "\x5c\x6f\x62\x6a\x65\x6d\x62";
 my $marker4 = "\x5c\x6f\x62\x6a\x64\x61\x74";
@@ -871,6 +873,11 @@ sub _check_markers {
     return 1;
   }
 
+  if (index($data, $marker1) == 0 && index($data, $marker2a) > -1) {
+    dbg('Marker 1 & 2a found');
+    return 1;
+  }
+
   if (index($data, $marker3) > -1) {
     dbg('Marker 3 found');
     return 1;