Trustwave Unpacker Release Notes

Last Revision: June 03, 2022

The Unpacker module is used by Trustwave MailMarshal (SEG), Trustwave ECM, and WebMarshal. Updates are made available for recent versions through the Automatic Updates service. Each product release includes the current update of Unpacker.

For details of the Unpacker versions published for each product version, see Trustwave Knowledgebase article Q20446.

Note: File extensions are provided in this document for reference only. The Unpacker extracts files based on their structure as determined by Trustwave File Type, and not by the file name or extension.

New Features

For more information about additional minor features and bug fixes, see the release history.

Features new in 8.2.10

Features new in 8.2.8

Features new in 8.2.7

Features new in 8.2.6

Features new in 8.2.2

Features new in 8.1.1

Features new in 8.0.0

Features new in 2.4.2

Features new in 2.3.6

Features new in 2.3.5

Features new in 2.3.1

Features new in 2.3.0

Release History

The following items have been changed or updated in the specific build versions of Unpacker listed.

8.2.10 (June 03, 2022)

UNPACK-351 Unpacking of multi-part/related messages is more resilient to unexpected order of content headers.
UNPACK-355 Office 2007 document text unpacking in multi-threaded processing is more efficient.
UNPACK-356 URL extraction discarded all results if one invalid URL was found. Fixed.
UNPACK-358 Unpacking of encrypted/passworded archives is attempted using default passwords and likely passwords extracted from email message text. (Available with MailMarshal/SEG only.)
UNPACK-363 Unpacking of certain self extracting executables failed with ASN1 error due to encoding of an included certificate. Fixed.
UNPACK-365 MSI files are unpacked.

8.2.9 (October 4, 2021)

UNPACK-125 Office documents saved as XML are unpacked.
UNPACK-341 URL extraction (Shurlock) better handles quoted URLs in HTML message bodies.
UNPACK-345 VBA macros using a new extended specification were not unpacked. Fixed.
UNPACK-347 Deploy of an updated FileType DLL could be blocked because the old file was not fully released. Fixed.
UNPACK-348 URL extraction (Shurlock) used excessive processing time in some cases. Fixed.
UNPACK-349 URL extraction (Shurlock) maintains the case of extracted items.
UNPACK-350 Office 2007 unpacking stopped processing relationship links if one linked file did not exist. Fixed.

8.2.8 (July 7, 2021)

UNPACK-136 Message unpacking failed where a header name was quoted. Fixed.
UNPACK-205 BIFF12 unpacking is improved.
UNPACK-317 PDF unpacking is limited to 240 seconds by default.
UNPACK-323 Specific Outlook messages could cause the Engine to fail. Fixed.
UNPACK-324 Perfornance of the OCR unpacker is enhanced and extraction is time limited.
UNPACK-325 Certain Excel documents were not properly parsed where string type flags were missing or incorrectly interpreted. Fixed.
UNPACK-329 Large amounts of unwanted text could be unpacked from Excel 2007 documents due to some custom properties being treated as BIFF12 data. Fixed.
UNPACK-330 Additional components are unpacked by default (previously only unpacked when YAE script rules were enabled).
UNPACK-332 Licensing for an updated version of the PDF unpacker is included.

8.2.7 (March 22, 2021)

UNPACK-316 Text content can be extracted from images.

8.2.6 (October 6, 2020)

UNPACK-270 Unpacking of calendar backups with a large number of items could fail. Fixed.
UNPACK-276 Universal Disk Format (.UDF) files are unpacked.
UNPACK-277 Extraction of VBA macros from Publisher (.PUB) documents is improved.
UNPACK-281 Additional BIFF12 records are unpacked.
UNPACK-285 Unpacking speed is improved where many named sub-items are created.
UNPACK-286 BIFF8 records in Excel 4 (pre-2007) files are unpacked.
UNPACK-287 Additional BIFF12 records are unpacked from Excel 2007 files.
UNPACK-288 Macro script is unpacked from OLE format files including encrypted Excel 97-2003 files.
UNPACK-304 Updated licensing for the PDF unpacker is included.
UNPACK-312 Office documents with a specific format in the relationship files caused unpacking to fail. Fixed.

8.2.4 (February 4, 2020)

UNPACK-271 Images smaller than 70x70 pixels are not extracted from PDF documents by default. This option enhances performance when processing PDF documents containing very large numbers of inline images.

8.2.3 (October 22, 2019)

UNPACK-195 Handling of lines containing invalid characters within a Base64 section is improved.
UNPACK-216 Specific messages with a malformed multipart section were unpacked incorrectly without an error being reported. Fixed.
UNPACK-220 Specific XSLX files with binary metadata could cause a deadletter. Fixed.
UNPACK-221 Licensing for an updated version of the PDF unpacker is included.

8.2.2 (February 26, 2019)

UNPACK-206 Unpacking of BIFF12 data could fail when converting from Unicode to multibyte strings. Fixed.
UNPACK-207 ACE archives are not unpacked.

8.2.1 (January 24, 2019)

UNPACK-184 Certain RTF exploits now return unique Deadletter codes for improved granularity of processing.
UNPACK-189 The change in UNPACK-163 caused unwanted repacking of email bodies when headers were updated. This change has been reverted. To repack email parts, execute an external command for each part.
UNPACK-204 Unpacking of BIFF12 data could fail with an infinite loop. Fixed.

8.2.0 (December 6, 2018)

This release is provided in the installation package of SEG 8.2.0 and 8.2.1.

FT-127 Office 2007 content files are identified as XML.
UNPACK-186 Specific PPTX files could cause a deadletter. Fixed.

8.1.2 (August 14, 2018)

UNPACK-183 In release 8.1.1, the SEG Engine could stop unexpectedly while processing Office files. Fixed.

8.1.1 (July 10, 2018)

UNPACK-161 Excess information logged in debug mode has been removed.
UNPACK-163 External commands making changes to the parent message ("run only once") did not trigger repacking of the message. Fixed.
UNPACK-165 Empty data from large Office Binary documents is handled more efficiently.
UNPACK-167 Some embedded URIs were not extracted from PDF documents. Fixed.
UNPACK-173 Files unpacked from PDF documents now specify the "Temporary" file attribute.
UNPACK-175 Filenames of unpacked attachments use extensions found in the MIME headers, or extensions commonly used for the MIME type.
UNPACK-177 Text is extracted from additional locations in XPS documents.
UNPACK-179 Microsoft OneNote files are unpacked.

8.1.0 (June 27, 2018)

This release is identical in functionality to 8.0.3. It was provided for Trustwave SEG 8.1.0.

8.0.3 (April 26, 2018)

UNPACK-132 Unpacking failed for message attachments with very long file names. Fixed.
UNPACK-153 Certain Base64 encoded sections could cause the message to be deadlettered due to the length of the unpacking path. Fixed.

8.0.2 (December 5, 2017)

UNPACK-144 Office document unpacking now allows additional levels of relationship files.
UNPACK-145 Additional embedded Office document types are unpacked from OLE streams.

8.0.1 (October 4, 2017)

UNPACK-133 Extracted symbolic links could point to files that do not exist. Fixed: these links are excluded from the list of unpacked files.
UNPACK-134 EMFBlip files are extracted from RTF documents.
UNPACK-135 Message content-types were not correctly handled in some cases where no parameters were required.
UNPACK-138 MIME boundaries containing character set, language, and continuation tags are handled.
UNPACK-142 In earlier 64-bit unpacker releases, files with names containing Unicode characters were not correctly processed by the File Size function. Fixed.

8.0.0 (July 18, 2017)

UNPACK-54 Additional elements unpacked from Office 2007 documents are available for scanning.
UNPACK-115 Macros are extracted from encrypted Word documents.
UNPACK-120 Some Office 2003 and Office 2007 macros were not extracted where optional fields were not present. Fixed.
UNPACK-121 Unpacked files now specify the "Temporary" file attribute. Performance is enhanced.
UNPACK-126 URL targets that are HTTP/S or FTP/S links are extracted from Office documents and are available for scanning by other components.
UNPACK-129 Calls to external executables are fully quoted.

2.4.4 (April 11, 2017)

UNPACK-56 PDF extraction of RawStream objects has been optimized. Image objects are written in compressed format.
UNPACK-116 Base64 decoding has been improved when comments are present in the stream.

2.4.3 (March 28, 2017)

UNPACK-110 Malformed messages with no separator between the header and the body are deadlettered. These messages violate RFC standards and are generally not rendered by email clients.
UNPACK-111 Text in BIFF12 format within .XLSB files is extracted.
UNPACK-113 Office documents that contained malformed VBA macros could cause the Engine to stop. Fixed.
UNPACK-118 Office document schema detection is improved.

2.4.2 (December 15, 2016)

UNPACK-86 Macros are extracted from Office 2003 and Office 2007 documents.
UNPACK-94 When unpacking text from Word 2007 documents, drawing elements are no longer included.
UNPACK-96 When unpacking Office 2007 documents, files marked as XML are validated as text type before being parsed.
UNPACK-98 When unpacking Office 2007 documents, custom UI "extensibililty" files are not unpacked.
UNPACK-99 Decompression executables such as the 7zip unpacker can be replaced by the updater.
UNPACK-102 OLE objects could be incorrectly identified as Word documents and unpacking would fail. Fixed by an update to file type checking in File Type release 7.14.0.
UNPACK-103 MSO files that do not contain a compressed stream are not unpacked.
UNPACK-105 File names that included disallowed characters caused unpacking to fail. Fixed.

2.4.1 (June 9, 2016)

UNPACK-91 Extended unpacking of XLSX files failed when the index file referred to an object that did not exist in the archive. Fixed.
UNPACK-92 Word "attachedToolbars" parts are now ignored in unpacking.

2.4.0 (May 19, 2016)

UNPACK-90 Logging of file names containing certain characters caused the Engine to stop. Fixed.

2.3.9 (April 26, 2016)

UNPACK-89 Messages with blank lines in the headers were not correctly repacked in some cases. Fixed.

2.3.8 (April 5, 2016)

UNPACK-83 Processing an EMF file with a % character in the name caused the Engine to stop. Fixed.

2.3.7 (March 10, 2016)

UNPACK-82 An unpack error could occur when headers contained more than one blank folded line. Fixed.

2.3.6 (March 3, 2016)

UNPACK-75 S/MIME attachments were not included in attachment stripping actions. Fixed.
UNPACK-78 Binary items unpacked from a PDF file no longer contribute to the attachment stripping size limit calculations.
UNPACK-79 Compressed streams are extracted from ActiveMime (MSO) containers.
UNPACK-81 Some Base64 encoded attachments were not correctly unpacked. Fixed.

2.3.5 (February 4, 2016)

UNPACK-45 Microsoft compiled Help files (.CHM) are unpacked. Binary items unpacked from these files have the file type CHMBINOBJ.
UNPACK-47 Binary items unpacked from a PDF file no longer contribute to the unpacking size limit calculations.
UNPACK-70 URI actions are extracted from PDF files and can be scanned by TextCensor and URL Categorizer.

2.3.4 (December 8, 2015)

UNPACK-69 In Unpacker 2.3.2, a specific file caused a fault in TNEF unpacking. Fixed.
UNPACK-71 Naming of unique unpacked files is improved to avoid false detection of file extensions.
UNPACK-72 Additional ODTTF files are recognized.

2.3.2 (November 23, 2015)

UNPACK-68 Unpacker version 2.3.1 with SEG version 7.3.X caused deadlettering of messages that had a message stamp applied. Fixed.

2.3.1 (November 12, 2015)

UNPACK-61 The number of base64 attachments that can be unpacked has been greatly increased by better naming of unique unpacked files.
UNPACK-62 Some attachments within TNEF messages were not unpacked. Fixed.
UNPACK-63 Header and footer entries within Excel 2007 documents are unpacked.
UNPACK-64 Office 2007 unpacking did not handle named namespaces. Fixed.
UNPACK-65 Unpacking of ASN1 objects incorrectly checked for zero lengths in some identifiers. Fixed.
UNPACK-66 The number of OLE objects allowed before deadlettering is increased from 16000 to 64000.

2.3.0 (November 4, 2015)

UNPACK-25 PDF unpacking continues if an error occurs in unpacking one part.
UNPACK-50 PDF unpacking adds page separators.
UNPACK-53 PowerPoint 2007 Show files (PPSX) are unpacked.

2.1.5 and 2.2.0 (May 3, 2015)

UNPACK-49 Messages with embedded EMF files could be deadlettered due to incorrect unpacking of the containing RTF files.

2.1.4 (April 21, 2015)

UNPACK-44 ODTTF files are recognized in XPS documents.
UNPACK-46 RTF files with section formatting properties were deadlettered.

Changes prior to those listed were mentioned in the Trustwave SEG or Trustwave ECM Release Notes.

Legal Notice

Copyright © 2022 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.


Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave Fusion® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit