Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Wed, Sep 22nd):iOS 15 Private Relay; macOS Finder Vuln; vCenter Advisory; NetGear Circle Parental Control Vuln;

Latest Diaries

An XML-Obfuscated Office Document (CVE-2021-40444)

Published: 2021-09-22
Last Updated: 2021-09-22 06:34:17 UTC
by Didier Stevens (Version: 1)
0 comment(s)

A Twitter follower sent me a link to an interesting maldoc on Malware Bazaar (thanks).

It's a Word document (OOXML) that exploits vulnerability CVE-2021-40444.

If you follow the steps of my diary entry "Simple Analysis Of A CVE-2021-40444 .docx Document" you will not find an unusual URL. I'll explain why in this diary entry.

This is the content of the maldoc (using my tool zipdump.py):

Let's look into the documents.xml.rels file:

Here you see many numeric character references in this XML file, like &#109. This particular numeric character reference represents the letter m (ASCII 109).

We can use my tool numbers-to-string.py to convert these numbers to their corresponding character, like this:

And then we see the URL.

My xmldump.py tool converts these numeric charcter references too, that is another method to deobfuscate:

Now, let's come back to the output of zipdump:

Remark that the timestamps vary: some of them are 1980-01-01 00:00:00, and other are 2021-09-16.

When Office applications create an OOXML file, they do not encode the current time into the ZIP container's records, they use 1980-01-01 00:00:00. While ZIP tools will use the current time.

So this maldoc has most likely been created with Word, and has then been edited with another tool. This might well be one of the maldoc generator tools that have been released for CVE-2021-40444.

 

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: maldoc obfuscation
0 comment(s)
Join us at SANS! Attend with Didier Stevens in starting

If you have more information or corrections regarding our diary, please share.

Top of page

Recent Diaries

A First Look at Apple's iOS 15 "Private Relay" feature.
Sep 21st 2021
1 day ago by Johannes (0 comments)

#OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports.
Sep 20th 2021
2 days ago by Johannes (0 comments)

Video: Simple Analysis Of A CVE-2021-40444 .docx Document
Sep 19th 2021
3 days ago by DidierStevens (0 comments)

Simple Analysis Of A CVE-2021-40444 .docx Document
Sep 18th 2021
3 days ago by DidierStevens (0 comments)

Malicious Calendar Subscriptions Are Back?
Sep 17th 2021
5 days ago by Xme (0 comments)

Phishing 101: why depend on one suspicious message subject when you can use many?
Sep 16th 2021
6 days ago by Jan (0 comments)

Hancitor campaign abusing Microsoft's OneDrive
Sep 15th 2021
6 days ago by Brad (0 comments)

View All Diaries →
Top of page

Latest Discussions

Dshield Sensor
created Jun 8th 2021
3 months ago by Rick (0 replies)

API port data
created Apr 25th 2021
4 months ago by JJ (1 reply)

RSS feed containing non-XML compatible characters
created Apr 14th 2021
5 months ago by Anonymous (1 reply)

Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
6 months ago by bas.auer@auerplace.nl (0 replies)

port_scan issue in Snort3
created Feb 23rd 2021
6 months ago by astraea (0 replies)

View All Forums →
Top of page

Latest News

Top Diaries

"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934
Jul 22nd 2021
2 months ago by Johannes (0 comments)

Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat
Jul 12th 2021
2 months ago by Johannes (0 comments)

DIY CD/DVD Destruction - Follow Up
Jul 4th 2021
2 months ago by DidierStevens (0 comments)

Maldocs: Protection Passwords
Feb 28th 2021
6 months ago by DidierStevens (0 comments)

An infection from Rig exploit kit
Jun 17th 2019
2 years ago by Brad (0 comments)