View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000459 | file | General | public | 2023-06-20 08:30 | 2023-07-17 16:56 |
Reporter | Albrecht | Assigned To | christos | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Platform | x86_64 | OS | Debian | OS Version | Bookworm |
Product Version | 5.44 | ||||
Summary | 0000459: HTML Malware classified incorrectly | ||||
Description | Please see the attached HTML Malware (!!) sample; extract it from the ZIP using the password InFeCtEd. Note that the HTML is somewhat broken, but apparently being processed as HTML by Windows applications.

The original file v. 5.44 tar produces (correctly IMHO; local build)

    $ src/file -m magic/magic.mgc Warning-Malware.html
    Warning-Malware.html: HTML document, ISO-8859 text, with very long lines (47206), with CRLF line terminators
    $ src/file -m magic/magic.mgc --mime-type /Warning-Malware.html
    Warning-Malware.html: text/html

Debian Bookworm comes with a slightly patched version, including inter alia this one: https://github.com/file/file/commit/a2756aa50fdf7d87ebb14002ffd7609373ea6839, and produces

    $ file Warning-Malware.html
    Warning-Malware.html: JavaScript source, ISO-8859 text, with very long lines (47206), with CRLF line terminators
    $ file --mime-type Warning-Malware.html
    Warning-Malware.html: application/javascript

And the current master revision (c577678, again local build) from https://github.com/file/file seems to be broken

    $ src/file -m magic/magic.mgc Warning-Malware.html
    Warning-Malware.html: , 1st line ""
Steps To Reproduce | See above. | ||||
Additional Information | It is somewhat debatable if in this particular case the classification as HTML (original v. 5.44) or JavaScript (commit a2756aa) should be preferred. However, as Windows apparently processes it as HTML, the former is IMHO better as it can be used to feed it into the proper malware analysis module. Note that the issue is not limited to this particular sample, I currently see a plethora of more or less similar malware files. I didn't test if the Win Script Host is even able to process this sample as JavaScript, though. | ||||
Tags | bug, magic | ||||
Note 0003963 (christos, 2023-07-17 16:56): Weird match. That was some debugging line probably. Now it says:

    [12:55pm] 1436>./file -m ../magic/Magdir/windows ~/Warning-Malware.html
    /Users/christos/Warning-Malware.html: ISO-8859 text, with very long lines (47206), with CRLF line terminators
Date Modified | Username | Field | Change |
---|---|---|---|
2023-06-20 08:30 | Albrecht | New Issue | |
2023-06-20 08:30 | Albrecht | Tag Attached: bug | |
2023-06-20 08:30 | Albrecht | Tag Attached: magic | |
2023-06-20 08:30 | Albrecht | File Added: Warning-Malware.zip | |
2023-07-17 16:56 | christos | Assigned To | => christos |
2023-07-17 16:56 | christos | Status | new => assigned |
2023-07-17 16:56 | christos | Status | assigned => resolved |
2023-07-17 16:56 | christos | Resolution | open => fixed |
2023-07-17 16:56 | christos | Note Added: 0003963 |