magika icon indicating copy to clipboard operation
magika copied to clipboard
verified publisher icon google

[NEW CONTENT TYPE REQUEST] Microsoft SYLK - .slk

Open hegga opened this issue 1 year ago • 0 comments

What type of file would you like magika to detect?

  • Microsoft Symbolic Link (SYLK, .slk)

What software can create/open these files?

Where can these files be found?

  • The file format is today mostly used to spread malware, usually distributed via e-mail.

If possible, please provide a specification for this file type.

  • "Microsoft has never published a SYLK specification. Variants of the format are supported by Multiplan, Microsoft Excel, Microsoft Works, OpenOffice.org, LibreOffice and Gnumeric. The format was introduced in the 1980s and has not evolved since 1986"
  • https://en.wikipedia.org/wiki/Symbolic_Link_(SYLK)
  • https://netghost.narod.ru/gff/graphics/summary/micsylk.htm
  • https://outflank.nl/upload/sylksum.txt
  • https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/

Additional context "SYLK is known to cause security issues, as it allows an attacker to run arbitrary code, offers the opportunity to disguise the attack vector under the benign-looking appearance of a CSV file, and is still enabled by default on recent (2016) versions of Microsoft Excel."

Example SYLK file:

ID;PWXL;N;E
P;PGeneral
P;P0
P;P0.00
P;P#,##0
P;P#,##0.00
P;P#,##0;;\-#,##0
P;P#,##0;;[Red]\-#,##0
P;P#,##0.00;;\-#,##0.00
P;P#,##0.00;;[Red]\-#,##0.00
P;P"$"#,##0;;\-"$"#,##0
P;P"$"#,##0;;[Red]\-"$"#,##0
P;P"$"#,##0.00;;\-"$"#,##0.00
P;P"$"#,##0.00;;[Red]\-"$"#,##0.00
P;P0%
P;P0.00%
P;P0.00E+00
P;P##0.0E+0
P;P#\ ?/?
P;P#\ ??/??
P;Pd/mm/yyyy
P;Pd\-mmm\-yy
P;Pd\-mmm
P;Pmmm\-yy
P;Ph:mm\ AM/PM
P;Ph:mm:ss\ AM/PM
P;Ph:mm
P;Ph:mm:ss
P;Pd/mm/yyyy\ h:mm
P;Pmm:ss
P;Pmm:ss.0
P;P@
P;P[h]:mm:ss
P;P_-"$"* #,##0_-;;\-"$"* #,##0_-;;_-"$"* "-"_-;;_-@_-
P;P_-* #,##0_-;;\-* #,##0_-;;_-* "-"_-;;_-@_-
P;P_-"$"* #,##0.00_-;;\-"$"* #,##0.00_-;;_-"$"* "-"??_-;;_-@_-
P;P_-* #,##0.00_-;;\-* #,##0.00_-;;_-* "-"??_-;;_-@_-
P;FCalibri;M220;L9
P;FCalibri;M220;L9
P;FCalibri;M220;L9
P;FCalibri;M220;L9
P;ECalibri;M220;L9
P;ECalibri Light;M360;L55
P;ECalibri;M300;SB;L55
P;ECalibri;M260;SB;L55
P;ECalibri;M220;SB;L55
P;ECalibri;M220;L18
P;ECalibri;M220;L21
P;ECalibri;M220;L61
P;ECalibri;M220;L63
P;ECalibri;M220;SB;L64
P;ECalibri;M220;SB;L53
P;ECalibri;M220;L53
P;ECalibri;M220;SB;L10
P;ECalibri;M220;L11
P;ECalibri;M220;SI;L24
P;ECalibri;M220;SB;L9
P;ECalibri;M220;L10
P;ESegoe UI;M200;L9
F;P0;DG0G8;E;M300
B;Y53;X9;D46 8 52 8
O;E;D;V0;K47;G100 0.001
F;W1 1 52
F;W9 9 0
NN;NESC$1UTo_OpESC$5N;ER47C9
C;Y47;X9;K;EALERT("HELP cannot be found")
C;Y48;X9;K;EHALT()
E

Magika currently identifies SYLK files as CSV files:

MagikaResult(path='-', dl=ModelOutputFields(ct_label='csv', score=0.9745758175849915, group='code', mime_type='text/csv', magic='CSV text', description='CSV document'), output=MagikaOutputFields(ct_label='csv', score=0.9745758175849915, group='code', mime_type='text/csv', magic='CSV text', description='CSV document'))

hegga avatar Mar 07 '24 15:03 hegga