Quickpost: emldump Bulk Extraction

A reader asked about bulk extraction of email attachments with emldump.py


If you want to extract all attachments and write them to disk, you can use the following command:

emldump.py --jsonoutput sample.eml | myjson-filter.py -W hashvir

This command produces a MyJSON data structure with the content and metadata of all parts (not only the attachments, but also the different bodies) and saves each part to disk with a filename formatted as the SHA-256 hash of the part's content plus the extension .vir. Because the filename is derived from the content, identical parts collapse into a single file, and the .vir extension keeps the files from being opened by their default application by accident.

You can then run the desired analysis commands on the files written to disk.

But you can also run a command directly on the items, without writing them to disk. Here is an example of such a command:

emldump.py --jsonoutput sample.eml | myjson-filter.py -r "cmd.exe /c oledump.py"

This command starts an oledump.py process for each part in the multipart message and feeds the content of that part to the process via stdin, which is why oledump.py is invoked without a filename argument.
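The following script is an added example that reimplements the two workflows above in plain Python; it is not emldump.py or myjson-filter.py, nor any code from Didier Stevens. It parses an .eml, writes every leaf MIME part to disk as <sha256>.vir, and feeds each part's bytes to an analysis command over stdin. The sample message is constructed inline (the "attachment" is a few placeholder bytes, not a real sample), and the command run on each part is a Python one-liner standing in for oledump.py so the example works offline; substitute `["oledump.py"]` or `["cmd.exe", "/c", "oledump.py"]` on a machine where that tool is installed.

```python
#!/usr/bin/env python3
"""Bulk extraction of MIME parts from an .eml file (added example, not emldump.py)."""

import email
import email.policy
import hashlib
import subprocess
import sys
import tempfile
from email.message import EmailMessage
from pathlib import Path


def build_sample_eml() -> bytes:
    """Constructed test message: plain body, HTML body, one binary attachment.

    The attachment bytes are a placeholder (an OLE magic number followed by
    zeros), not a real document or malware sample.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative("<p>Please see the attached invoice.</p>", subtype="html")
    msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.doc")
    return msg.as_bytes()


def iter_parts(raw: bytes):
    """Yield (index, content_type, filename_or_None, payload_bytes) per leaf part.

    Multipart containers are skipped: they carry no payload of their own.
    get_payload(decode=True) reverses base64 / quoted-printable encoding, so
    the bytes handed out are what the recipient's client would write to disk.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    index = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        index += 1
        yield index, part.get_content_type(), part.get_filename(), part.get_payload(decode=True)


def dump_parts(raw: bytes, outdir: Path, attachments_only: bool = False) -> list:
    """Write each part to outdir/<sha256>.vir (like myjson-filter.py -W hashvir).

    Naming by content hash means identical parts land in one file; the .vir
    extension is not associated with any application, so an accidental
    double-click does not open the sample.
    """
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for index, ctype, filename, payload in iter_parts(raw):
        if attachments_only and filename is None:
            continue  # bodies have no filename; attachments normally do
        digest = hashlib.sha256(payload).hexdigest()
        target = outdir / f"{digest}.vir"
        target.write_bytes(payload)
        written.append({"index": index, "type": ctype, "name": filename,
                        "sha256": digest, "size": len(payload), "path": str(target)})
    return written


def run_on_parts(raw: bytes, command: list) -> list:
    """Run `command` once per part, feeding the part's bytes on stdin
    (like myjson-filter.py -r). Returns (index, returncode, stdout) per part.
    """
    results = []
    for index, _ctype, _name, payload in iter_parts(raw):
        proc = subprocess.run(command, input=payload, capture_output=True)
        results.append((index, proc.returncode, proc.stdout))
    return results


def demo(outdir: Path = None):
    """Extract the constructed sample and run a stand-in analysis command on it."""
    raw = build_sample_eml()
    outdir = outdir or Path(tempfile.mkdtemp(prefix="emlparts_"))
    written = dump_parts(raw, outdir)
    # Stand-in for oledump.py: report how many bytes arrived on stdin.
    sizer = [sys.executable, "-c", "import sys; print(len(sys.stdin.buffer.read()))"]
    results = run_on_parts(raw, sizer)
    return written, results


if __name__ == "__main__":
    parts, outputs = demo()
    for p in parts:
        print(f"{p['index']} {p['type']:<28} {p['name'] or '-':<14} {p['size']:>6} {p['path']}")
    for index, rc, out in outputs:
        print(f"part {index}: rc={rc} stdout={out.decode().strip()}")
```

Use `dump_parts(raw, outdir, attachments_only=True)` when the bodies are not of interest; the default mirrors the original pipeline and writes the text and HTML bodies as well, since phishing bodies are often worth a look too.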

Quickpost info

Article Link: Quickpost: emldump Bulk Extraction | Didier Stevens