Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Simple Analysis Of A CVE-2021-40444 .docx Document

Published: 2021-09-18
Last Updated: 2021-09-18 19:27:01 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Analyzing a malicious Word document like prod.docx that exploits CVE-2021-40444 is not difficult.

We need to find the malicious URL in this document. As I've shown before, this is quite simple: extract all XML files from the ZIP container (.docx files are OOXML files, that's a ZIP container with (mostly) XML files) and use a regular expression to search for URLs.

This can be done with my tools zipdump.py and re-search.py:

OOXML files contain a lot of legitimate URLs. Like schemas.microsoft.com. These can be filtered out with my tool re-search.py:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: maldoc
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Malicious Calendar Subscriptions Are Back?
Sep 17th 2021
2 days ago by Xme (0 comments)

Phishing 101: why depend on one suspicious message subject when you can use many?
Sep 16th 2021
3 days ago by Jan (0 comments)

Hancitor campaign abusing Microsoft's OneDrive
Sep 15th 2021
3 days ago by Brad (0 comments)

Microsoft September 2021 Patch Tuesday
Sep 14th 2021
4 days ago by Renato (0 comments)

View All Diaries →

Latest Discussions

Dshield Sensor
created Jun 8th 2021
3 months ago by Rick (0 replies)

API port data
created Apr 25th 2021
4 months ago by JJ (1 reply)

RSS feed containing non-XML compatible characters
created Apr 14th 2021
5 months ago by Anonymous (1 reply)

Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
6 months ago by bas.auer@auerplace.nl (0 replies)

port_scan issue in Snort3
created Feb 23rd 2021
6 months ago by astraea (0 replies)

View All Forums →

Latest News

Top Diaries

"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934
Jul 22nd 2021
1 month ago by Johannes (0 comments)

Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat
Jul 12th 2021
2 months ago by Johannes (0 comments)

DIY CD/DVD Destruction - Follow Up
Jul 4th 2021
2 months ago by DidierStevens (0 comments)

Maldocs: Protection Passwords
Feb 28th 2021
6 months ago by DidierStevens (0 comments)

An infection from Rig exploit kit
Jun 17th 2019
2 years ago by Brad (0 comments)