View Issue Details

ID: 0000129
Project: file
Category: General
View Status: public
Last Update: 2020-01-17 17:40
Reporter: Fabian
Assigned To: christos
Priority: normal
Severity: feature
Reproducibility: N/A
Status: resolved
Resolution: fixed
Fixed in Version: 5.39
Summary: 0000129: Classification of SYLK Files
Description: SYLK is an old Microsoft file format for spreadsheets [1]. It recently got some attention as it can be used to weaponise documents as it can run macros [2].

It would be great to be able to classify SYLK documents with libmagic. This could be used to filter SYLK documents by true content.

Information about the file format can be found on [3]. Summary:
* SYLK files contain line-based operations which each start on a new line
* Start with "ID". Possibly followed by ";P" but that is not mandatory.
* Macros are enabled with the "O;E" operation. They are also enabled in combination with other options like "O;P;E".
* Macros can be automatically executed with the auto_open string.
* Operations like "ID" and "O;E" are case-sensitive. "auto_open" is case-insensitive.

Do you support adding SYLK classification to Libmagic?

Just basing the classification on a file starting with "ID" may cause false positives. The classification could be made more precise by also checking whether support for macros is enabled. This would mean the classification is not for SYLK files, but SYLK files with macros.

Two test files have been attached.

[1] https://en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK)
[2] https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/
[3] https://outflank.nl/upload/sylksum.txt
Tags: magic
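The classification rules summarised in the description, as an added Python sketch for content-based filtering. It is not part of the original report and is not the rule that was added to libmagic. The function name, the result labels, the line-ending handling and the sample inputs are assumptions made for this example.

```python
import re

# "auto_open" is matched case-insensitively, as stated in the summary.
AUTO_OPEN = re.compile(rb"auto_open", re.IGNORECASE)


def classify_sylk(data: bytes) -> str:
    """Return 'not-sylk', 'sylk', 'sylk-macros' or 'sylk-macros-autoexec'."""
    # One operation per line; CR, LF and CRLF are all accepted (assumption).
    records = [r for r in re.split(rb"[\r\n]+", data) if r]
    if not records:
        return "not-sylk"
    # The first record must be exactly "ID" (case-sensitive); ";P" and any
    # other fields after it are optional. Comparing the whole first field
    # avoids matching text that merely begins with the letters "ID".
    if records[0].split(b";")[0] != b"ID":
        return "not-sylk"
    # Macros are enabled by an "O" record that carries an "E" field,
    # which covers both "O;E" and combinations such as "O;P;E".
    macros = any(
        fields[0] == b"O" and b"E" in fields[1:]
        for fields in (r.split(b";") for r in records[1:])
    )
    if not macros:
        return "sylk"
    return "sylk-macros-autoexec" if AUTO_OPEN.search(data) else "sylk-macros"


# Constructed sample inputs (not the files attached to this issue).
SAMPLES = {
    "plain": b"ID;P\r\nC;X1;Y1;K42\r\nE\r\n",
    "macros": b"ID\r\nO;P;E\r\nC;X1;Y1;K42\r\nE\r\n",
    "autoexec": b"ID;P\r\nO;E\r\nNN;NAuto_Open;ER1C1\r\nC;X1;Y1;K1\r\nE\r\n",
    "text_starting_with_id": b"IDENTITY CARD\nO;E\nauto_open\n",
    "lowercase_id": b"id;p\r\nO;E\r\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_sylk(blob)}")
```

The closing `E` record in the samples is a record of its own, not a field of `O`, so it does not mark a plain sheet as macro-enabled.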

Activities

Fabian

2020-01-10 16:26

reporter  

sylk_test.slk (101 bytes)

christos

2020-01-17 17:40

manager   ~0003344

Added, thanks!

Issue History

Date Modified Username Field Change
2020-01-10 16:26 Fabian New Issue
2020-01-10 16:26 Fabian File Added: sylk_test.slk
2020-01-10 16:26 Fabian File Added: sylk_test_obfuscated.slk
2020-01-10 16:26 Fabian Tag Attached: magic
2020-01-17 17:40 christos Assigned To => christos
2020-01-17 17:40 christos Status new => assigned
2020-01-17 17:40 christos Status assigned => resolved
2020-01-17 17:40 christos Resolution open => fixed
2020-01-17 17:40 christos Fixed in Version => 5.39
2020-01-17 17:40 christos Note Added: 0003344