Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Simple Analysis Of A CVE-2021-40444 .docx Document

Published: 2021-09-18
Last Updated: 2021-09-18 19:27:01 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Analyzing a malicious Word document like prod.docx that exploits CVE-2021-40444 is not difficult.

We need to find the malicious URL in this document. As I've shown before, this is quite simple: extract all XML files from the ZIP container (.docx files are OOXML files, that's a ZIP container with (mostly) XML files) and use a regular expression to search for URLs.

This can be done with my tools zipdump.py and re-search.py:

OOXML files contain a lot of legitimate URLs. Like schemas.microsoft.com. These can be filtered out with my tool re-search.py:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: maldoc
0 comment(s)
Diary Archives