Mail::SpamAssassin::Plugin::OLEVBMacro(3) User Contributed Perl Documentation Mail::SpamAssassin::Plugin::OLEVBMacro(3)

Mail::SpamAssassin::Plugin::OLEVBMacro - search attached documents for evidence of containing an OLE Macro

loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
  body     OLEMACRO eval:check_olemacro()
  describe OLEMACRO Attachment has an Office Macro

  body     OLEMACRO_MALICE eval:check_olemacro_malice()
  describe OLEMACRO_MALICE Potentially malicious Office Macro

  body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
  describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted

  body     OLEMACRO_RENAME eval:check_olemacro_renamed()
  describe OLEMACRO_RENAME Has an Office doc that has been renamed

  body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
  describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip

  body     OLEMACRO_CSV eval:check_olemacro_csv()
  describe OLEMACRO_CSV Malicious csv file that tries to exec cmd.exe detected

  body     OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
  describe OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected
endif

This plugin detects OLE macros inside documents attached to emails. It can detect documents inside zip files as well as encrypted documents.

This plugin requires Archive::Zip and IO::String perl modules.

The following options can be used in both site-wide ("local.cf") and user-specific ("user_prefs") configuration files to customize how the module handles attached documents:
olemacro_num_mime (default: 5)
Configure the maximum number of matching MIME parts the plugin will scan
olemacro_num_zip (default: 8)
Configure the maximum number of matching zip members the plugin will scan
olemacro_zip_depth (default: 2)
Depth to recurse within Zip files
olemacro_extended_scan ( 0 | 1 ) (default: 0)
Scan more files for potential macros; the "olemacro_skip_exts" parameter is still honored. This option is off by default and is needed only to run the "eval:check_olemacro_renamed" rule. If it is turned on, consider adjusting the values of "olemacro_num_mime" and "olemacro_num_zip", and expect more CPU overhead.
olemacro_prefer_contentdisposition ( 0 | 1 ) (default: 1)
Choose whether the Content-Disposition header filename is preferred when ambiguity is encountered while trying to get the filename
olemacro_max_file (default: 1024000)
Configure the largest file that the plugin will decode from the MIME objects
olemacro_exts (default: (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
Set the case-insensitive regexp used to configure the extensions the plugin targets for macro scanning
olemacro_macro_exts (default: (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$)
Set the case-insensitive regexp used to configure the extensions the plugin treats as containing a macro
olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx|xltx)$)
Set the case-insensitive regexp used to configure extensions for the plugin to skip entirely. These should only be file types that are guaranteed to be macro free.
olemacro_skip_ctypes (default: ^(?:text\/))
Set the case-insensitive regexp used to configure content types for the plugin to skip entirely. These should only be types that are guaranteed to be macro free.
olemacro_zips (default: (?:zip)$)
Set the case-insensitive regexp used to configure extensions for the plugin to target as zip files. Files matched by the options above are also tested for zip.
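
The default regexps above overlap and carry no leading "\." anchor, which matters when you customize them. The following added example (Python, not part of the plugin or its distribution) reports which options a given attachment filename matches. It assumes each regexp is applied case-insensitively as a search on the filename, and it does not model the order in which the plugin consults the options. The filenames and the override pattern are constructed for illustration.

```python
import re

# Default patterns copied verbatim from the option list above.
DEFAULTS = {
    "olemacro_exts": r"(?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$",
    "olemacro_macro_exts": r"(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$",
    "olemacro_skip_exts": r"(?:dotx|potx|ppsx|pptx|sldx|xltx)$",
    "olemacro_zips": r"(?:zip)$",
}


def compile_patterns(overrides=None):
    """Merge site overrides into the defaults and compile case-insensitively."""
    merged = dict(DEFAULTS, **(overrides or {}))
    return {name: re.compile(rx, re.IGNORECASE) for name, rx in merged.items()}


def matching_options(filename, patterns):
    """Return the sorted names of every option whose regexp matches filename."""
    return sorted(name for name, rx in patterns.items() if rx.search(filename))


def ambiguous(filenames, patterns):
    """Map each filename matched by more than one option to those options."""
    hits = {f: matching_options(f, patterns) for f in filenames}
    return {f: opts for f, opts in hits.items() if len(opts) > 1}


if __name__ == "__main__":
    # Constructed sample filenames, not taken from real mail.
    samples = ["report.xltx", "deck.sldm", "INVOICE.DOCM", "invoice.docx",
               "slides.pptx", "budget_xls", "archive.zip", "notes.txt"]
    pats = compile_patterns()
    for name in samples:
        print(f"{name:14} -> {matching_options(name, pats) or 'no match'}")
    print("matched by more than one option:", ambiguous(samples, pats))

    # Hypothetical site override that requires a literal dot before the
    # extension, so "budget_xls" is no longer treated as a spreadsheet.
    strict = compile_patterns({"olemacro_exts": r"\.(?:doc|xls)$"})
    print("budget_xls with override ->", matching_options("budget_xls", strict))
```

With the defaults, "xltx" is matched by the scan, macro and skip patterns at once, and "sldm" by both the scan and macro patterns, so review such overlaps before changing any of the three settings.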
2021-05-24 perl v5.34.0