Trustwave Unpacker Release Notes

Last Revision: September 20, 2023

The Unpacker module is used by Trustwave MailMarshal (SEG), Trustwave ECM, and WebMarshal. Updates are made available for recent versions through the Automatic Updates service. Each product release includes the current update of Unpacker.

For details of the Unpacker versions published for each product version, see Trustwave Knowledgebase article Q20446.

Note: File extensions are provided in this document for reference only. The Unpacker extracts files based on their structure as determined by Trustwave File Type, and not by the file name or extension.

New Features

For more information about additional minor features and bug fixes, see the release history.

Features new in 2023.03.01

Features new in 8.2.10

Features new in 8.2.8

Features new in 8.2.7

Features new in 8.2.6

Features new in 8.2.2

For earlier updates, see previous versions of Release Notes.

Release History

The following items have been changed or updated in the specific build versions of Unpacker listed.

2023.03.01 (September 20, 2023)

FT-281 RAR archives with only some files password encrypted are correctly detected and usable files are passed to the unpacker.
UNPACK-380 Unpacker release versions now are numbered by the calendar year and quarter.
UNPACK-383 Unpacking did not honor the content-disposition Attachment in specific cases. Fixed.
UNPACK-384 An updated version of the PDF unpacker is included.
UNPACK-387 Password extraction for encrypted archives could cause the MailMarshal Engine to stop unexpectedly. Fixed.

8.2.12 (March 28, 2023)

UNPACK-375 The unpacker configuration file generated by default enabled OCR functionality. Fixed: this functionality is disabled by default.

8.2.10 (September 28, 2022)

UNPACK-368 Searching of message body text for passwords (UNPACK-358) is limited to the first 10KB of text.

8.2.10 (June 27, 2022)

UNPACK-351 Unpacking of multi-part/related messages is more resilient to unexpected order of content headers.
UNPACK-355 Office 2007 document text unpacking in multi-threaded processing is more efficient.
UNPACK-356 URL extraction discarded all results if one invalid URL was found. Fixed.
UNPACK-358 Unpacking of encrypted/passworded archives is attempted using default passwords and likely passwords extracted from email message text. (Available with MailMarshal/SEG only.)
UNPACK-363 Unpacking of certain self extracting executables failed with ASN1 error due to encoding of an included certificate. Fixed.
UNPACK-365 MSI files are unpacked.

8.2.9 (October 4, 2021)

UNPACK-125 Office documents saved as XML are unpacked.
UNPACK-341 URL extraction (Shurlock) better handles quoted URLs in HTML message bodies.
UNPACK-345 VBA macros using a new extended specification were not unpacked. Fixed.
UNPACK-347 Deploy of an updated FileType DLL could be blocked because the old file was not fully released. Fixed.
UNPACK-348 URL extraction (Shurlock) used excessive processing time in some cases. Fixed.
UNPACK-349 URL extraction (Shurlock) maintains the case of extracted items.
UNPACK-350 Office 2007 unpacking stopped processing relationship links if one linked file did not exist. Fixed.

8.2.8 (July 7, 2021)

UNPACK-136 Message unpacking failed where a header name was quoted. Fixed.
UNPACK-205 BIFF12 unpacking is improved.
UNPACK-317 PDF unpacking is limited to 240 seconds by default.
UNPACK-323 Specific Outlook messages could cause the Engine to fail. Fixed.
UNPACK-324 Perfornance of the OCR unpacker is enhanced and extraction is time limited.
UNPACK-325 Certain Excel documents were not properly parsed where string type flags were missing or incorrectly interpreted. Fixed.
UNPACK-329 Large amounts of unwanted text could be unpacked from Excel 2007 documents due to some custom properties being treated as BIFF12 data. Fixed.
UNPACK-330 Additional components are unpacked by default (previously only unpacked when YAE script rules were enabled).
UNPACK-332 Licensing for an updated version of the PDF unpacker is included.

8.2.7 (March 22, 2021)

UNPACK-316 Text content can be extracted from images.

8.2.6 (October 6, 2020)

UNPACK-270 Unpacking of calendar backups with a large number of items could fail. Fixed.
UNPACK-276 Universal Disk Format (.UDF) files are unpacked.
UNPACK-277 Extraction of VBA macros from Publisher (.PUB) documents is improved.
UNPACK-281 Additional BIFF12 records are unpacked.
UNPACK-285 Unpacking speed is improved where many named sub-items are created.
UNPACK-286 BIFF8 records in Excel 4 (pre-2007) files are unpacked.
UNPACK-287 Additional BIFF12 records are unpacked from Excel 2007 files.
UNPACK-288 Macro script is unpacked from OLE format files including encrypted Excel 97-2003 files.
UNPACK-304 Updated licensing for the PDF unpacker is included.
UNPACK-312 Office documents with a specific format in the relationship files caused unpacking to fail. Fixed.

8.2.4 (February 4, 2020)

UNPACK-271 Images smaller than 70x70 pixels are not extracted from PDF documents by default. This option enhances performance when processing PDF documents containing very large numbers of inline images.

8.2.3 (October 22, 2019)

UNPACK-195 Handling of lines containing invalid characters within a Base64 section is improved.
UNPACK-216 Specific messages with a malformed multipart section were unpacked incorrectly without an error being reported. Fixed.
UNPACK-220 Specific XSLX files with binary metadata could cause a deadletter. Fixed.
UNPACK-221 Licensing for an updated version of the PDF unpacker is included.

8.2.2 (February 26, 2019)

UNPACK-206 Unpacking of BIFF12 data could fail when converting from Unicode to multibyte strings. Fixed.
UNPACK-207 ACE archives are not unpacked.

8.2.1 (January 24, 2019)

UNPACK-184 Certain RTF exploits now return unique Deadletter codes for improved granularity of processing.
UNPACK-189 The change in UNPACK-163 caused unwanted repacking of email bodies when headers were updated. This change has been reverted. To repack email parts, execute an external command for each part.
UNPACK-204 Unpacking of BIFF12 data could fail with an infinite loop. Fixed.

8.2.0 (December 6, 2018)

This release is provided in the installation package of SEG 8.2.0 and 8.2.1.

FT-127 Office 2007 content files are identified as XML.
UNPACK-186 Specific PPTX files could cause a deadletter. Fixed.

For earlier updates, see previous versions of Release Notes.

Legal Notice

Copyright © 2023 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.


Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave Fusion® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit