[Bro] Finer detail on mime types

Christian Kreibich christian at corelight.com
Tue Jul 11 00:25:44 PDT 2017


On 07/10/2017 11:33 PM, Christian Kreibich wrote:
> Once you know you're dealing with an OOXML archive, in my experience the
> following works well: take the presence of a vbaproject.bin file in the
> archive as a prerequisite for macro-enabledness, then leverage a
> .docm/.pptm/.xlsm filename suffix to distinguish application, and fall
> back to Word for others.

I forgot: the directory layout in such archives is also telling -- look 
for word/, xl/, ppt/ ...

It's been a while. :)

Cheers,
-C.
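
The heuristic described in this message, as an added example that is not part of the original post and not code from the Bro project. Treating a root `[Content_Types].xml` as the OOXML marker, checking the suffix before the directory layout, applying the Word fallback to every OOXML archive, and the names `classify_ooxml` and `make_zip` are all assumptions of this sketch.

```python
import io
import os
import zipfile

SUFFIX_APP = {".docm": "word", ".xlsm": "excel", ".pptm": "powerpoint"}
DIR_APP = {"word": "word", "xl": "excel", "ppt": "powerpoint"}


def make_zip(members):
    """Build a constructed in-memory ZIP from a list of member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"constructed sample")
    return buf.getvalue()


def classify_ooxml(data, filename=None):
    """Return (is_ooxml, macro_enabled, application) for raw file bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return (False, False, None)
    # Assumption: a root [Content_Types].xml marks the archive as OOXML.
    if "[content_types].xml" not in names:
        return (False, False, None)
    # Prerequisite from the message: a vbaproject.bin member in the archive.
    macro = any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in names)
    # 1. Filename suffix, when the transfer supplied a filename at all.
    suffix = os.path.splitext(filename or "")[1].lower()
    app = SUFFIX_APP.get(suffix)
    # 2. Directory layout: word/, xl/, ppt/ at the top level.
    if app is None:
        tops = {n.split("/", 1)[0] for n in names if "/" in n}
        hits = sorted(DIR_APP[t] for t in tops if t in DIR_APP)
        app = hits[0] if len(hits) == 1 else None
    # 3. Fall back to Word for anything still undecided.
    return (True, macro, app or "word")


if __name__ == "__main__":
    # Constructed sample: Excel layout with a VBA project, no filename known.
    sample = make_zip(["[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin"])
    print(classify_ooxml(sample))
```

Member names are compared case-insensitively because the VBA part is normally stored as `vbaProject.bin`.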

