Tools
- lessmsi: Release v2.12.5 · activescott/lessmsi
- orca.exe: Orca.exe - Win32 apps | Microsoft Learn
```
# identify file type
file suspicious.msi

# basic metadata (Windows, PowerShell)
Get-Item suspicious.msi | Select-Object *

# extract all files (fast)
lessmsi x suspicious.msi out\

# list MSI tables (Linux, msitools)
msiinfo tables suspicious.msi

# dump critical tables
msiinfo export suspicious.msi CustomAction
msiinfo export suspicious.msi InstallExecuteSequence
msiinfo export suspicious.msi Binary
msiinfo export suspicious.msi Property

# quick strings for execution / URLs
# (Windows: Sysinternals strings.exe + findstr; on Linux pipe strings into grep -iE instead)
strings suspicious.msi | findstr /i "powershell cmd rundll32 http"

# hash extracted payload
Get-FileHash out\payload.bin -Algorithm SHA256

# inspect magic bytes
Format-Hex out\payload.bin -Count 16
# expected headers:
# MSI = D0 CF 11 E0 (OLE Compound File)
# EXE = 4D 5A ("MZ")
# ZIP = 50 4B ("PK")

# hunt for execution commands
strings suspicious.msi | findstr /i "powershell"
strings suspicious.msi | findstr /i "cmd.exe"
strings suspicious.msi | findstr /i "rundll32"
strings suspicious.msi | findstr /i "msiexec"

# hunt for URLs / C2
strings suspicious.msi | findstr /i "http"

# safe workflow:
# file -> lessmsi -> tables (CustomAction) -> extract Binary -> analyze payload
```
Findings Severity
| Finding | Severity |
|---|---|
| CustomAction execution | Critical |
| Embedded executable (Binary) | Critical |
| PowerShell execution | Critical |
| rundll32 / cmd execution | High |
| External URL / download | High |
| Obfuscated script | Very High |
| Suspicious InstallExecuteSequence | High |
Check Tables
```
lessmsi.exe l -t <TABLE> .\<TARGET.MSI>
```
Critical Tables
| Table | Purpose | What to Look For | Severity |
|---|---|---|---|
| CustomAction | Execution logic | powershell, cmd, rundll32, DLL calls | 🔴 Critical |
| Binary | Embedded payloads | EXE, DLL, shellcode blobs | 🔴 Critical |
| InstallExecuteSequence | Execution order | WHEN malicious action runs | 🔴 Critical |
| InstallUISequence | UI-triggered execution | Same as above but UI-based | 🔴 Critical |
Supporting Tables
| Table | Purpose | What to Look For | Severity |
|---|---|---|---|
| File | Files dropped to disk | EXE, DLL, scripts | 🟠 High |
| Component | Links files to install logic | suspicious components | 🟠 High |
| Feature | Logical grouping | rarely malicious itself | 🟡 Medium |
| Property | Metadata / config | URLs, flags, strange values | 🟡 Medium |
| Directory | File paths | suspicious install paths | 🟡 Medium |
CustomAction Types
| Type | Meaning |
|---|---|
| 1 | DLL from Binary table |
| 2 | EXE from file system |
| 18 | EXE from property |
| 50 | EXE (formatted string) |
| 34 | VBScript |
| 38 | JScript |
| 226 | PowerShell / script execution |
| 3073+ | Binary stream execution (common in malware) |
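The Type column is a bitmask, which is why values above the table's small numbers show up in the wild: the low four bits say what runs (1 DLL, 2 EXE, 3 text data, 5 JScript, 6 VBScript, 7 nested MSI), bits 4 and 5 say where it comes from (0 Binary table, 16 installed file, 32 Directory table or inline text, 48 Property), and the remaining bits are flags (64 Continue, 128 Async, 1024 Deferred, 2048 NoImpersonate, and so on). So 3073 decodes to base type 1 plus Deferred (1024) plus NoImpersonate (2048), a DLL from the Binary table running deferred as LocalSystem, and 226 decodes to base type 34 plus Continue (64) plus Async (128). The following added Python example (not part of msitools, lessmsi or this cheat sheet) decodes the table that way and joins it with InstallExecuteSequence to show when each action fires. It assumes the tables were exported in the IDT text format that `msiinfo export` and Orca write (column names, column types, table name plus key columns, then one tab-separated row per line); the two sample tables are constructed.

```python
"""Decode an MSI CustomAction table and correlate it with InstallExecuteSequence.
Added example; not part of lessmsi, msitools or the cheat sheet."""
import re

# Type column, low 6 bits: bits 0-3 = what runs, bits 4-5 = where it lives
# (values as documented for the Windows Installer CustomAction table).
KIND = {1: "DLL", 2: "EXE", 3: "text data", 5: "JScript", 6: "VBScript", 7: "nested MSI"}
SOURCE = {0x00: "Binary table", 0x10: "installed file (File table)",
          0x20: "Directory table / inline text", 0x30: "Property"}
TEXT_DATA = {0x10: "error message", 0x20: "set Directory", 0x30: "set Property"}
FLAGS = {0x40: "Continue", 0x80: "Async", 0x400: "Deferred", 0x800: "NoImpersonate",
         0x1000: "64BitScript", 0x2000: "HideTarget", 0x4000: "TSAware"}
# Indicators from the strings hunt above, with the cheat sheet's severities.
PATTERNS = re.compile(r"powershell|cmd(?:\.exe)?\b|rundll32|msiexec|https?://", re.I)
HIT_SEVERITY = {"powershell": "Critical", "cmd": "High", "cmd.exe": "High",
                "rundll32": "High", "msiexec": "High", "http://": "High", "https://": "High"}
RANK = {"Info": 0, "High": 1, "Critical": 2}


def decode_type(t: int) -> dict:
    """Split a CustomAction Type value into kind, source and flag names."""
    kind_bits, src_bits = t & 0x0F, t & 0x30
    if kind_bits == 3:                       # text data: meaning depends on the source bits
        kind = TEXT_DATA.get(src_bits, "text data")
    else:
        kind = KIND.get(kind_bits, f"unknown kind {kind_bits}")
    flags = [name for bit, name in FLAGS.items() if t & bit]
    # Bits 0x100/0x200 are overloaded: rollback/commit for deferred actions,
    # scheduling options for everything else.
    if t & 0x400:
        flags += [n for bit, n in ((0x100, "Rollback"), (0x200, "Commit")) if t & bit]
    elif t & 0x300 == 0x300:
        flags.append("ClientRepeat")
    elif t & 0x100:
        flags.append("FirstSequence")
    elif t & 0x200:
        flags.append("OncePerProcess")
    return {"kind": kind, "source": SOURCE[src_bits], "flags": flags,
            "executable": kind_bits in (1, 2, 5, 6, 7)}


def parse_idt(text: str) -> list[dict]:
    """IDT export: column names, column types, table/key line, then rows."""
    lines = [ln for ln in text.splitlines() if ln]
    cols = lines[0].split("\t")
    return [dict(zip(cols, row.split("\t"))) for row in lines[3:]]


def analyze(custom_action_idt: str, exec_sequence_idt: str) -> list[dict]:
    schedule = {r["Action"]: r for r in parse_idt(exec_sequence_idt)}
    findings = []
    for row in parse_idt(custom_action_idt):
        t = int(row["Type"])
        info = decode_type(t)
        target = row.get("Target", "")
        hits = sorted({m.lower() for m in PATTERNS.findall(target)})
        severity, notes = "Info", []
        if info["executable"]:
            severity = "Critical"            # any CustomAction code execution
            if info["source"] == "Binary table" and info["kind"] in ("DLL", "EXE"):
                notes.append("embedded payload executed from Binary table")
            if "Deferred" in info["flags"] and "NoImpersonate" in info["flags"]:
                notes.append("deferred + NoImpersonate: runs as LocalSystem")
        for h in hits:                       # e.g. a Property set to a download URL
            if RANK[HIT_SEVERITY.get(h, "High")] > RANK[severity]:
                severity = HIT_SEVERITY.get(h, "High")
        if hits:
            notes.append("target references " + ", ".join(hits))
        sched = schedule.get(row["Action"])  # unscheduled actions may still run via ControlEvent DoAction
        findings.append({"action": row["Action"], "type": t, **info, "target": target,
                         "hits": hits, "severity": severity, "notes": notes,
                         "scheduled": sched is not None,
                         "sequence": int(sched["Sequence"]) if sched else None,
                         "condition": sched["Condition"] if sched else None})
    return sorted(findings, key=lambda f: (not f["scheduled"], f["sequence"] or 0))


# Constructed sample exports (IDT layout); targets are illustrative only.
CA_IDT = ("Action\tType\tSource\tTarget\n"
          "s72\ti2\tS64\tS0\n"
          "CustomAction\tAction\n"
          "RunPayload\t3073\tpayload.dll\tEntryPoint\n"
          "LaunchPS\t226\tTARGETDIR\tpowershell.exe -nop -w hidden -File \"[TempFolder]stage.ps1\"\n"
          "SetUrl\t51\tDOWNLOAD_URL\thttp://example.invalid/update\n")
SEQ_IDT = ("Action\tCondition\tSequence\n"
           "s72\tS255\tI2\n"
           "InstallExecuteSequence\tAction\n"
           "InstallInitialize\t\t1500\n"
           "RunPayload\tNOT Installed\t1501\n"
           "InstallFinalize\t\t6600\n"
           "LaunchPS\t\t6601\n")

if __name__ == "__main__":
    for f in analyze(CA_IDT, SEQ_IDT):
        where = f"seq {f['sequence']}" if f["scheduled"] else "NOT scheduled"
        print(f"[{f['severity']}] {f['action']} type={f['type']} {f['kind']} from "
              f"{f['source']} flags={f['flags']} {where} notes={f['notes']}")
```

With real exports, redirect `msiinfo export suspicious.msi CustomAction` and the sequence table into files and pass their contents to `analyze()`; an action that decodes as executable but is absent from InstallExecuteSequence should be checked against InstallUISequence and the ControlEvent table before it is written off.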
Suspicious Patterns:
- Small MSI with embedded payload
- CustomAction invoking:
  - powershell
  - cmd.exe
  - rundll32
- Binary table containing EXE/DLL
- Silent install flags (/quiet, /qn)
- External download URLs
- MSI used as dropper/loader
- Non-standard or missing metadata
- Large Binary table blobs