Analyzing a malicious Word document like prod.docx that exploits CVE-2021-40444 is not difficult. We need to find the malicious URL in this document. As I've shown before, this is quite simple: extract all XML files from the ZIP container (.docx files are OOXML files, that's a ZIP container with (mostly) XML files) and use a regular expression to search for URLs. This can be done with my tools zipdump.py and re-search.py: OOXML files contain a lot of legitimate URLs. Like schemas.microsoft.com. These can be filtered out with my tool re-search.py: Didier Stevens |
DidierStevens 639 Posts ISC Handler Sep 18th 2021 |
Thread locked Subscribe |
Sep 18th 2021 8 months ago |
Sign Up for Free or Log In to start participating in the conversation!