[Bro] Finer detail on mime types
christian at corelight.com
Tue Jul 11 00:25:44 PDT 2017
On 07/10/2017 11:33 PM, Christian Kreibich wrote:
> Once you know you're dealing with an OOXML archive, in my experience the
> following works well: take the presence of a vbaproject.bin file in the
> archive as a prerequisite for macro-enabledness, then leverage a
> .docm/.pptm/.xlsm filename suffix to distinguish application, and fall
> back to Word for others.
I forgot: the directory layout in such archives is also telling -- look
for word/, xl/, ppt/ ...
It's been a while. :)
More information about the Bro