[SANS ISC] An XML-Obfuscated Office Document (CVE-2021-40444), (Wed, Sep 22nd)

A Twitter follower sent me a link to an interesting maldoc on Malware Bazaar (thanks).

It’s a Word document (OOXML) that exploits vulnerability CVE-2021-40444.

If you follow the steps of my diary entry “Simple Analysis Of A CVE-2021-40444 .docx Document” you will not find an unusual URL. I’ll explain why in this diary entry.

This is the content of the maldoc (using my tool zipdump.py):

Let’s look into the document.xml.rels file:

Here you see many numeric character references in this XML file, like &#109. This particular numeric character reference represents the letter m (ASCII 109).

We can use my tool numbers-to-string.py to convert these numbers to their corresponding character, like this:

And then we see the URL.

My xmldump.py tool converts these numeric character references too, so that is another way to deobfuscate:
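The decoding that numbers-to-string.py and xmldump.py perform is simple enough to reproduce in a few lines, which is useful when you want to scan a rels file automatically and extract the relationship targets once the numeric character references are resolved. The following is an added example, not code from the diary or from Didier Stevens’ tools; the rels fragment is constructed for the example, the hostname is a placeholder, and the regex deliberately accepts references without a trailing semicolon (an assumption made so that a fragment like the `&#109` shown above still decodes).

```python
import re

# Constructed sample in the style of word/_rels/document.xml.rels: the Target
# attribute is written entirely as decimal (&#NNN;) and hexadecimal (&#xHH;)
# numeric character references. The URL is a placeholder, not a real indicator.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId5" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="&#104;&#116;&#116;&#112;&#58;&#47;&#47;'
    '&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x74;&#x65;&#x73;&#x74;/placeholder.html" '
    'TargetMode="External"/>'
    '</Relationships>'
)

# Matches &#109; (decimal) and &#x6d; (hex). The semicolon is optional here on
# purpose: a strict XML parser requires it, but for triage we want to decode
# even sloppily written references rather than miss the URL.
NCR_RE = re.compile(r'&#([xX][0-9A-Fa-f]+|[0-9]+);?')


def decode_ncr(text):
    """Replace every numeric character reference with the character it encodes."""
    def repl(match):
        value = match.group(1)
        codepoint = int(value[1:], 16) if value[0] in 'xX' else int(value)
        return chr(codepoint)
    return NCR_RE.sub(repl, text)


def count_ncr(text):
    """How many numeric character references the text contains; a high count in a
    rels file is itself a triage signal, since Word does not write URLs this way."""
    return len(NCR_RE.findall(text))


def extract_targets(rels_xml):
    """Return the decoded Target attribute values of all relationships."""
    decoded = decode_ncr(rels_xml)
    return re.findall(r'Target="([^"]*)"', decoded)


if __name__ == '__main__':
    print('numeric character references:', count_ncr(SAMPLE_RELS))
    for target in extract_targets(SAMPLE_RELS):
        print('decoded target:', target)
```

Running it against a real rels file is a matter of reading `word/_rels/document.xml.rels` out of the ZIP container and passing the text to `extract_targets`; any target that only becomes readable after decoding deserves a closer look.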

Now, let’s come back to the output of zipdump:

Remark that the timestamps vary: some of them are 1980-01-01 00:00:00, and others are 2021-09-16.

When Office applications create an OOXML file, they do not encode the current time into the ZIP container’s records; they use 1980-01-01 00:00:00. ZIP tools, on the other hand, use the current time.

So this maldoc has most likely been created with Word, and has then been edited with another tool. This might well be one of the maldoc generator tools that have been released for CVE-2021-40444.
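The timestamp observation above can be turned into an automated triage check: list the timestamp of every entry in the container and flag the entries that do not carry the 1980-01-01 00:00:00 value that Office writes. This is an added example, not part of the diary or of zipdump.py; the in-memory container it builds is constructed for the example (a few XML stubs, not a real document), and the rule that any entry with a non-1980 timestamp was touched by another tool is the diary’s heuristic, a signal for further analysis rather than proof of malice.

```python
import io
import zipfile

# Timestamp that Office applications write into ZIP records (per the diary).
OFFICE_DEFAULT_TIME = (1980, 1, 1, 0, 0, 0)


def build_sample_docx():
    """Construct a minimal OOXML-like container in memory (constructed sample,
    not a real document). Entries 'written by Word' get the 1980 default; entries
    'edited afterwards with a ZIP tool' get a real wall-clock timestamp."""
    office_parts = {
        '[Content_Types].xml': b'<Types/>',
        '_rels/.rels': b'<Relationships/>',
        'word/styles.xml': b'<styles/>',
    }
    edited_parts = {
        'word/document.xml': b'<document/>',
        'word/_rels/document.xml.rels': b'<Relationships/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, data in office_parts.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=OFFICE_DEFAULT_TIME), data)
        for name, data in edited_parts.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2021, 9, 16, 12, 34, 56)), data)
    return buf.getvalue()


def entry_timestamps(zip_bytes):
    """Map each entry name to its (year, month, day, hour, minute, second) tuple."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: info.date_time for info in zf.infolist()}


def has_mixed_timestamps(zip_bytes):
    """True when the container holds more than one distinct timestamp, i.e. it
    was not written in one go by a single tool."""
    return len(set(entry_timestamps(zip_bytes).values())) > 1


def find_retouched_entries(zip_bytes):
    """Entries whose timestamp is not the Office default: the parts most likely
    modified or replaced after the document was created, and therefore the
    first ones to inspect (here the rels file that carries the obfuscated URL)."""
    return sorted(name for name, stamp in entry_timestamps(zip_bytes).items()
                  if stamp != OFFICE_DEFAULT_TIME)


if __name__ == '__main__':
    sample = build_sample_docx()
    for name, stamp in entry_timestamps(sample).items():
        print('%04d-%02d-%02d %02d:%02d:%02d  %s' % (stamp + (name,)))
    print('mixed timestamps:', has_mixed_timestamps(sample))
    print('retouched entries:', find_retouched_entries(sample))
```

On a real sample, read the .docx from disk and hand the bytes to `find_retouched_entries`; a document where only `word/_rels/document.xml.rels` (or a handful of parts) carries a recent timestamp matches the pattern described above.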


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
