File parsers

Malcat uses the 40+ Python file parsers located in data/filetypes to recognize the current file type and highlight all of its internal structures. Using Python reduces the attack surface for bad parsing (file formats are tricky) and significantly speeds up the development of new file parsers (you can test everything live, just hit Ctrl+R). This comes with a small performance penalty of course, but in practice it is negligible, provided some basic guidelines are followed.

How parsing is done

Coming soon

File carving

Coming soon

Supported file formats

Malcat focuses mainly on file formats used directly or indirectly by malware authors. Adding a new filetype is easy. Please refer to Adding support for new file types. If you wish to make your new file format official, please refer to Contributing.

Programs

Here you can find the current list of supported executable formats:

Name

Structure parsing

Debug infos

Resources

Notes

AutoIT

3.26+ only

Scripts can be decompiled using F4

COFF

Yes

symbols and cv13

relocations, symbols, imports

ELF

Yes

symbols, no DWARF

relocations, symbols, imports, big and little endian

InnoSetup

Yes

Yes

setup script can be disassembled

LNK

Yes

while not a program format per se, it can be used to run commands

MDMP

Partial

No

Windows minidumps, partial support

NSIS

Yes

Yes

setup script can be disassembled, most sections parsed

OLE

Yes

VBA macros can be displayed using F4

PE/PE+

Yes

debug dir, no PDB

Yes

exports, imports (+ bound/delay), relocations, tls, debug, load config, certificates, version information

PE::DotNet

Yes

Yes

Yes

types, methods, resources, exceptions, strings

PE::Golang

Yes

pcln + file tables

PE::VB

Yes

types and events

VB forms

native and PCode support, project infos, objects array, forms and events

PYC

Yes

Yes

support for python 2.7+ and 3.6+, can handle PY2EXE and PYINST scripts

VBE

Yes

Malcat supports unpacking the original VBS script

XLS

Yes

The /Workbook stream inside OLE containers.

Cell information (including formulas) can be recovered using F4

XLSB

Yes

The .bin files inside OpenXML .xlsb containers.

Cell information (including formulas) can be recovered using F4

Structure parsing: whether the file format parser identifies (most of) the binary structures of the file format

Debug infos: whether debug information is parsed

Resources: if the program embeds resources, whether Malcat can identify and extract them

Archives / file systems / databases

While Malcat does not pretend to be a full-fledged archive opener, it supports most archive types used by malware. Some file format parsers are more advanced than others and even allow the user to open archive members directly inside Malcat. Here is a list of supported file formats:

| Name | Structure parsing | In-app unpacking | Summary | Notes |
|---|---|---|---|---|
| 7Z | EncodedHeader only | No | No | |
| ACE | Yes | Yes | Yes | |
| AR | Yes | Yes | Yes | Used in static libraries (.lib, .a) |
| AutoIt | 3.26+ only | 3.26+ only | Yes | Scripts can be decompiled using F4 |
| CAB | Yes | zlib encoding only | Yes | |
| CFB/OLE2 | Yes | Yes | Yes | VBA macros can be displayed using F4 |
| FAT12/16/32 | Yes | Yes | Yes | Currently limited to small to medium file trees |
| GZIP | Yes | Yes | Yes | |
| InnoSetup | Yes | Yes | Yes | Support from InnoSetup 4.1.0 and onward, encryption support |
| ISO | Yes | Yes | Yes | No Joliet/RockRidge extensions support |
| JFFS2 | Yes | lzo/lzma/rtime/zlib only | Yes | |
| MSI | Yes | Yes | Yes | MSI tables can be displayed using F4 |
| NSIS | Yes | zlib and lzma, no bz2 | Yes | |
| PYINST | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| PYZ | Yes | Yes | Yes | Extracted python scripts get their python header restored |
| RAR4 | Yes | No | Yes | Archive comments are shown for easy SFX analysis |
| RAR5 | Yes | No | Yes | Archive comments are shown for easy SFX analysis |
| SquashFS | Yes | lzo/lzma/xz only | Yes | Can also display meta streams |
| Sqlite | Partial | Not yet | No | Work in progress |
| TAR | Yes | Yes | Yes | |
| UDF | Yes | Yes | Yes | |
| UImage | Yes | lzo/lzma/gzip/bzip2 only | Yes | |
| VHD | Yes | Yes | Yes | Support for dynamic disks |
| ZIP | Yes | Yes | Yes | |
| ZLIB stream | Yes | Yes | Yes | |

Structure parsing: whether the file format parser identifies (most of) the binary structures of the file format

In-app unpacking: whether the file format parser can directly extract and open archive members. Inside Malcat, you can then open a member by double-clicking it in the Virtual File System tab.

Summary: whether Malcat displays a summary report in the Summary view

Multimedia / documents

Identifying documents and pictures is very useful for malware analysis. A lot of obfuscators love to disguise their payloads as multimedia files, or hide them inside a multimedia file, in some unused space.

| Name | Structure parsing | Metadata | Notes |
|---|---|---|---|
| BMP | Yes | | Both BMP and DIB (i.e. BMP without FileHeader) are supported |
| DOC | Partial (FCB) | Yes | The /WordDocument stream inside OLE containers |
| EMF | Yes | Yes | Used in office documents |
| GIF | Yes | Yes | |
| ICO | Yes | | |
| JPEG | Yes | Tiff | |
| ONE | Yes | No | Microsoft OneNote files. You can list and open embedded file objects |
| OOXML | No | No | Well it’s a ZIP, so you can browse it inside Malcat |
| PDF | Minimal | No | Very minimal support since not really a binary format |
| PNG | Yes | Yes | Pixel information can be extracted using scripts |
| WAV | Basic | No | |
| XLS | Yes | Yes | Cell content + formula can be displayed using F4 |
| XLSB | Yes | Yes | Cell content + formula can be displayed using F4 |

Structure parsing: whether the file format parser identifies (most of) the binary structures of the file format

Metadata: whether most metadata (author, comments, time, etc.) is extracted

Adding support for new file types

Coming soon