Analyzing E-mail .Msg files and Attachments without Outlook

I had a copy of an e-mail that had a virus in it that I wanted to analyze. The problem was that the Outlook e-mail message was in .msg format. The virtual machine I was using to analyze malware was Windows XP based, and the included Outlook Express would not open the Outlook .msg file. And I did not want to install Outlook on the system.

So is there a way to read the file and recover the attachment without using Outlook?

It turns out that, like other Office file formats, the .msg file is just a container you can unpack. It is not a ZIP archive, though: .docx is a ZIP, but .msg is an OLE2 Compound File (the same binary container as legacy .doc and .xls). Archivers that understand that format, such as 7-Zip, will extract its streams and storages as files and folders; a plain ZIP extractor will report the file as damaged.

I tried several techniques to open the Outlook .msg file, even downloading an open source program that reads them. I could read the message but could not get to the attachment. And I needed the attachment so I could analyze it for malware. On a whim, I tried unzipping the .msg file, and it worked!

I am not sure why I didn’t try that earlier. I knew that you can unzip .docx files and get a lot of forensic information like who created the file and who modified it (This technique helped catch a collar bomber in Australia).

Sure enough, unzipping the .msg file worked:

Suspicious mail unzipped

Navigating into the unzipped folder I saw this:

E-mail unzipped

A bunch of random file names and folders. But there is a method to this madness. A quick search on the web netted an article from 2003 on decoding this cryptic .msg format. According to the article, “Each substg contains a piece of information. The first four of the eight digits at the end tell you what kind of information this is (property). The last four digits tell you the type (binary, ascii, unicode etc.).” In other words, each __substg1.0_XXXXYYYY stream holds one MAPI property: XXXX is the property ID and YYYY is the property type code, where 001F is a Unicode (UTF-16LE) string, 001E an 8-bit string and 0102 raw binary. Microsoft now documents this layout in its MS-OXMSG specification.

Looking at the decoding chart we find the following information:

0x0C1A: Sender name (PR_SENDER_NAME)
0x0C1F: Sender email (PR_SENDER_EMAIL_ADDRESS)
0x0E1D: Subject, normalized (PR_NORMALIZED_SUBJECT: the subject with any “RE:” or “FW:” prefix stripped; the full subject is 0x0037, PR_SUBJECT)
0x1000: Message body (PR_BODY, the plain-text body)

Using this information, opening the _substg1.0_0E1D001F file with a text editor shows the subject line, “Cute Puppies!” (The trailing 001F means the value is stored as UTF-16LE, so in an editor that does not detect the encoding the text appears with a null byte between each character.)

And if we open the file containing the message body we find:

“Oh my goodness, you just have to check out these adorable puppies!!!
Just open and run the attached files.

Thanks,

Hacker Joe

Okay, someone named “Hacker Joe” wants us to open and run the attached file, claiming it is about cute puppies. Yeah, this is definitely suspicious.

The “_recip” directories contain information about each recipient and the “_attach” directories contain the attachments (one folder per attachment, numbered from #00000000). Bingo! Let’s take a look at the _attach directory:

Attached directory

Using the decode chart we see:

//Attachments (37xx):
0x3701: Attachment data		<- This is the binary attachment (PR_ATTACH_DATA_BIN)
0x3703: Attach extension (PR_ATTACH_EXTENSION)
0x3704: Attach filename (PR_ATTACH_FILENAME, the 8.3 short name)
0x3707: Attach long filename (PR_ATTACH_LONG_FILENAME, the full name, which is why 3704 may hold only a short DOS-style name)

Okay, if we use a text editor, we will find the attachment file name in 0x3704, its extension in 0x3703 and the actual file data in 3701. In this sample case, the filename found in 3704 was:

CUTEPU~1.PNG

Okay, it looks like a shortened DOS name, but we see that it claims to be a PNG file. This may or may not be true: the extension is just part of the name, not evidence of what the bytes are. If you thought the file was truly malicious, you could take the 3701 file (the binary data) and upload it to a site like Virustotal.com to have it scanned, as we did here. (If the sample might be sensitive, search VirusTotal for its SHA-256 hash first; uploading shares the file itself with the vendors, and a hash lookup avoids publishing a sample you may not be allowed to share.)

VirusTotal

The attachment was scanned with 46 different anti-virus engines and nothing malicious was found. It could still be malicious (a brand-new sample matches no signature), but the chances are lower now. Let’s take a look at the actual file (3701) with a text editor, or better, a hex editor:

Binary attachment data

Okay, notice the PNG right at the beginning. The stray symbol the editor shows in front of it is the non-printable byte 0x89; the full PNG signature is 89 50 4E 47 0D 0A 1A 0A. This tells us that the file really is a PNG image rather than, say, an executable renamed to .png (a Windows executable would start with “MZ”). If we rename the file and give it a .png extension, it should open up and show us the image.

NOTE: this is a test file on a sandboxed virtual machine in a test analysis environment. Never open a suspicious attachment on a live, unprotected system!

Renaming the file to suspicious.png Windows now recognizes it as a picture. And if I open this file I see:

Cute Puppies

Well, would you look at that, Cute Puppies!
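The manual steps above (decode each substg stream name into a property ID and type, read the value in the right encoding, then check the attachment’s real type against the extension it claims and hash it for a VirusTotal lookup) are easy to script once the .msg has been extracted to a folder. The following is an added example written for this page, not code from the original post: it parses such a folder, and because a real .msg cannot be shipped inline it first builds a constructed message tree (the sender, subject, body and a PNG attachment mirror the post’s sample; the second attachment, a file named .png that starts with an MZ header, is made up to show the mismatch case). Property IDs and type codes are the MAPI tags from Microsoft’s MS-OXMSG specification; the regular expression accepts both the documented __substg1.0_ prefix and the single-underscore form seen in the screenshots.

```python
"""Decode an Outlook .msg that has been extracted to a folder, as in the post.
Added example, not code from the original post; build_sample_tree() writes a
constructed message tree (not a real capture) so everything runs offline.
Property IDs and type codes are MAPI tags from Microsoft's MS-OXMSG spec."""
import hashlib
import os
import re
import tempfile

# Property type codes: the last four hex digits of a substg stream name.
PT_STRING8, PT_UNICODE, PT_BINARY = 0x001E, 0x001F, 0x0102
# Stream names look like __substg1.0_XXXXYYYY; some extractors keep one underscore.
STREAM_RE = re.compile(r"^_+substg1\.0_([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})$")
# Leading bytes that identify an attachment's real type, and the extensions
# that are legitimate for each, whatever the attachment's name claims.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ("png",),
    b"MZ": ("exe", "dll", "scr"),          # PE image
    b"PK\x03\x04": ("zip", "docx", "xlsx", "jar"),
}

def decode_stream_name(name):
    """Return (property_id, property_type) for a substg stream name, else None."""
    m = STREAM_RE.match(name)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def decode_value(raw, prop_type):
    """Interpret a stream's bytes according to its MAPI type code."""
    if prop_type == PT_UNICODE:
        return raw.decode("utf-16-le").rstrip("\x00")
    if prop_type == PT_STRING8:
        return raw.decode("latin-1").rstrip("\x00")
    return raw  # PT_BINARY and anything else: raw bytes

def read_properties(directory):
    """Map property ID -> decoded value for every substg stream in one folder."""
    props = {}
    for entry in os.listdir(directory):
        path = os.path.join(directory, entry)
        decoded = decode_stream_name(entry)
        if decoded and os.path.isfile(path):
            with open(path, "rb") as fh:
                props[decoded[0]] = decode_value(fh.read(), decoded[1])
    return props

def sniff_type(data):
    """Return the extensions consistent with the leading bytes (empty if unknown)."""
    return next((exts for magic, exts in MAGIC.items() if data.startswith(magic)), ())

def parse_extracted_msg(root):
    """Summarise the message and every attachment under an extracted .msg tree."""
    top = read_properties(root)
    report = {"sender": top.get(0x0C1A), "subject": top.get(0x0E1D),
              "body": top.get(0x1000), "attachments": []}
    for entry in sorted(os.listdir(root)):
        sub = os.path.join(root, entry)
        if os.path.isdir(sub) and "attach_version1.0" in entry:
            a = read_properties(sub)
            data = a.get(0x3701, b"")
            claimed = (a.get(0x3703) or "").lstrip(".").lower()
            kinds = sniff_type(data)
            report["attachments"].append({
                "filename": a.get(0x3707) or a.get(0x3704),  # long name, else 8.3 name
                "claimed_ext": claimed,
                "actual_type": kinds[0] if kinds else "unknown",
                "mismatch": bool(kinds) and claimed not in kinds,
                "sha256": hashlib.sha256(data).hexdigest(),  # look up on VirusTotal first
            })
    return report

def build_sample_tree(root):
    """Write a constructed message tree mirroring the post's example (not real data)."""
    def put(directory, prop_id, prop_type, value):
        os.makedirs(directory, exist_ok=True)
        raw = (value.encode("utf-16-le") if prop_type == PT_UNICODE else
               value.encode("latin-1") if prop_type == PT_STRING8 else value)
        name = "__substg1.0_%04X%04X" % (prop_id, prop_type)
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(raw)
    put(root, 0x0C1A, PT_UNICODE, "Hacker Joe")
    put(root, 0x0E1D, PT_UNICODE, "Cute Puppies!")
    put(root, 0x1000, PT_UNICODE, "Just open and run the attached files.")
    a0 = os.path.join(root, "__attach_version1.0_#00000000")  # genuinely a PNG
    put(a0, 0x3701, PT_BINARY, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    put(a0, 0x3703, PT_STRING8, ".png")
    put(a0, 0x3704, PT_STRING8, "CUTEPU~1.PNG")
    put(a0, 0x3707, PT_UNICODE, "cute puppies.png")
    a1 = os.path.join(root, "__attach_version1.0_#00000001")  # made up: .png name, PE inside
    put(a1, 0x3701, PT_BINARY, b"MZ\x90\x00" + b"\x00" * 16)
    put(a1, 0x3703, PT_STRING8, ".png")
    put(a1, 0x3704, PT_STRING8, "PUPPIES.PNG")

def demo():
    """Build the constructed sample in a temp folder and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return parse_extracted_msg(tmp)

if __name__ == "__main__":
    for att in demo()["attachments"]:
        print(att["filename"], att["claimed_ext"], att["actual_type"],
              "MISMATCH" if att["mismatch"] else "ok", att["sha256"])
```

To use it on a real message, extract the .msg with 7-Zip and call parse_extracted_msg() on the output folder; a mismatch flag means the bytes do not agree with the extension, and the SHA-256 lets you query VirusTotal without uploading anything.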

In our fake example, the e-mail from “Hacker Joe” was indeed just cute puppies. Again, this was just a test example; the real suspicious email in question was very craftily worded and the attachment was a newer Backdoor Trojan that only 2 AV engines detected on VirusTotal.

In this article we learned how to open and view saved Outlook e-mails without actually having Outlook. We really didn’t cover Malware Analysis which is a very interesting field. Want to learn how to dissect malware like a pro? Check out the highly recommended book Practical Malware Analysis.


~ by D. Dieterle on December 15, 2012.

7 Responses to “Analyzing E-mail .Msg files and Attachments without Outlook”

  1. Reblogged this on lava kafle kathmandu nepal.

  2. Unfortunately I’m not getting the same results. Using WinRAR to try and extract an Outlook 2007 .msg from Exchange 2010 backbone. Getting the message the file is damaged therefore cannot be extracted :(

  3. [...] I had a copy of an e-mail that had a virus in it that I wanted to analyze. The problem was that the Outlook e-mail message was in .msg format. My virtual machine that I was using to analyze malware…  [...]

  4. Reblogged this on CodeSlayer2010 : Slaying Code 24×7!.
