Phish or scam? - Part 2

Published: 2017-12-18
Last Updated: 2017-12-18 07:03:28 UTC
by Didier Stevens (Version: 1)

We continue yesterday's analysis of the MSG file.

There are several ways to take a look at the text contained in a Word .docx file without using MS Office.

Here we will look at the raw XML. The content of a Word file is stored in the following file:

As you can see, the text of the document sits between XML tags. Filtering out these tags, for example with a regular expression and sed, reveals the text without any formatting:

But the result can be harder to read without any newlines, and sometimes this method strips away information you want to see.
That is why I wrote a simple Python tool, xmldump.py, that reads XML and can extract various pieces of information.
You can achieve the same result as with sed by using the command xmldump.py text:

The wordtext command is like the text command, but it looks for paragraphs (<w:p>) and inserts a newline after extracting the text of each paragraph:
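As an added example (this is not xmldump.py and not code from the diary), the script below does both of the things described above on the main document part of a .docx, word/document.xml: a sed-style regex strip of all tags, and a paragraph-aware walk that emits one line per <w:p>. The sample .docx is constructed in memory so it runs offline.

```python
# Added example: pull the text out of a .docx without Office by reading its
# main document part (word/document.xml) straight from the ZIP container.
# text_regex() mirrors the sed one-liner; word_text() mirrors xmldump 'wordtext'.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DOCUMENT_PART = "word/document.xml"  # main document part of an OOXML .docx


def read_document_xml(docx_bytes: bytes) -> str:
    """Return word/document.xml from a .docx (a ZIP archive) as a string."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.read(DOCUMENT_PART).decode("utf-8")


def text_regex(xml: str) -> str:
    """sed-style: delete every tag; paragraphs run together with no newlines."""
    return re.sub(r"<[^>]+>", "", xml)


def word_text(xml: str) -> str:
    """wordtext-style: join the <w:t> runs of each <w:p>, one paragraph per line."""
    root = ET.fromstring(xml)
    lines = []
    for para in root.iter(f"{{{W_NS}}}p"):
        lines.append("".join(t.text or "" for t in para.iter(f"{{{W_NS}}}t")))
    return "\n".join(lines)


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: two paragraphs, the first split into two runs."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:r><w:t>Dear friend, you have won</w:t></w:r>'
        '<w:r><w:rPr><w:b/></w:rPr><w:t xml:space="preserve"> a prize.</w:t></w:r></w:p>'
        '<w:p><w:r><w:t>Reply with your bank details.</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(DOCUMENT_PART, doc)  # a real .docx carries more parts than this
    return buf.getvalue()


if __name__ == "__main__":
    xml = read_document_xml(build_sample_docx())
    print(text_regex(xml))   # one line, paragraphs run together
    print(word_text(xml))    # one line per paragraph
```

Note that the regex strip also swallows the XML declaration and any formatting-only elements, which is exactly the "info you want to see" that the tag-aware walk can keep if you extend it.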


From the content of the Word document, it's clear that this is a scam.
Just for the sake of trying to be thorough, I poked around a bit looking for exploits or feature abuse (like DDE), but found nothing.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc phish scam spam