You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
These MHT files can be created from Word, using the format "Single File Web Page - .mht (MHTML)". The resulting file is a MIME container, similar to an e-mail. It contains several files as attachements, including the Word document in XML format.
By default, MHT files are opened by Internet Explorer, which does not run macros. But if the file is renamed to ".doc", it will be opened in Word and macros can run as if it was a normal Word document.
If VBA macros are present, they are attached as a binary file named "editdata.mso", encoded in Base 64. This looks very similar to the Word 2003 XML format, already supported by olevba.
It should then be straightforward to add support for MHT files with VBA macros.
Originally reported by: Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2)
Greg (from SpamStopsHere) reported several recent malicious samples using the MHT format (MIME HTML), running VBA macros when opened in Word:
These MHT files can be created from Word, using the format "Single File Web Page - .mht (MHTML)". The resulting file is a MIME container, similar to an e-mail. It contains several files as attachements, including the Word document in XML format.
By default, MHT files are opened by Internet Explorer, which does not run macros. But if the file is renamed to ".doc", it will be opened in Word and macros can run as if it was a normal Word document.
If VBA macros are present, they are attached as a binary file named "editdata.mso", encoded in Base 64. This looks very similar to the Word 2003 XML format, already supported by olevba.
It should then be straightforward to add support for MHT files with VBA macros.
The text was updated successfully, but these errors were encountered: