[SANS ISC] An XML-Obfuscated Office Document (CVE-2021-40444), (Wed, Sep 22nd)

A Twitter follower sent me a link to an interesting maldoc on Malware Bazaar (thanks).

It’s a Word document (OOXML) that exploits vulnerability CVE-2021-40444.

If you follow the steps of my diary entry “Simple Analysis Of A CVE-2021-40444 .docx Document” you will not find an unusual URL. I’ll explain why in this diary entry.

This is the content of the maldoc (using my tool zipdump.py):

Let’s look into the documents.xml.rels file:

Here you see many numeric character references in this XML file, like &#109;. This particular numeric character reference represents the letter m (decimal 109 in ASCII). Because the characters of the URL are never present literally in the file, a plain string search on the raw XML (which is what a quick look with a hex editor or grep amounts to) does not find the URL; an XML parser, on the other hand, resolves the references transparently, which is why Word itself has no trouble with the file.

We can use my tool numbers-to-string.py to convert these numbers to their corresponding character, like this:

And then we see the URL.

My xmldump.py tool converts these numeric character references too; that is another method to deobfuscate:
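To make the deobfuscation concrete, here is an added Python example; it is not code from the diary, nor from numbers-to-string.py or xmldump.py. It builds a constructed document.xml.rels fragment whose second relationship has a placeholder external Target (under example.invalid, not the URL from the analysed maldoc) written entirely as decimal and hexadecimal numeric character references, shows that the URL is absent from the raw text, decodes the references by hand, and then lets a real XML parser resolve them. The relationship Type URIs are the standard OOXML ones; the Ids, Target and counting heuristic are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on a word/_rels/document.xml.rels file. The
# second relationship's Target is a placeholder URL (example.invalid) written
# entirely as decimal (&#NNN;) and hexadecimal (&#xHH;) numeric character
# references, the obfuscation seen in the maldoc. Not the maldoc's own data.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
    'Target="styles.xml"/>'
    '<Relationship Id="rId2" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="&#104;&#116;&#116;&#112;&#58;&#47;&#47;'                 # http://
    '&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;'                  # example.
    '&#x69;&#x6E;&#x76;&#x61;&#x6C;&#x69;&#x64;&#47;'                 # invalid/
    '&#x69;&#x6E;&#x64;&#x65;&#x78;&#46;&#x68;&#x74;&#x6D;&#x6C;" '   # index.html
    'TargetMode="External"/>'
    '</Relationships>'
)

RELS_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'
NCR_RE = re.compile(r'&#(x[0-9A-Fa-f]+|[0-9]+);')


def ncr_codepoint(ref):
    """Code point denoted by the body of a numeric character reference,
    e.g. '109' -> 109 and 'x6D' -> 109."""
    return int(ref[1:], 16) if ref[0] in 'xX' else int(ref)


def decode_ncrs(text):
    """Replace every numeric character reference by the character it denotes.
    An XML parser does this transparently; doing it by hand is what a
    numbers-to-characters deobfuscation amounts to."""
    return NCR_RE.sub(lambda m: chr(ncr_codepoint(m.group(1))), text)


def raw_targets(xml_text):
    """Naive extraction over the raw text: returns Target attribute values as
    they literally appear, i.e. still obfuscated. A grep for the URL fails."""
    return re.findall(r'Target="([^"]*)"', xml_text)


def external_targets(xml_text):
    """Parse with a real XML parser (which resolves the references) and return
    (Id, Target) for every relationship marked TargetMode="External"."""
    root = ET.fromstring(xml_text.encode('utf-8'))
    return [(rel.get('Id'), rel.get('Target'))
            for rel in root.iter(RELS_NS + 'Relationship')
            if rel.get('TargetMode') == 'External']


def ascii_ncr_count(xml_text):
    """Heuristic obfuscation indicator (assumption of this example): number of
    numeric character references that denote printable ASCII. Office has no
    reason to write the letter 'm' as &#109;, so a non-zero count in a .rels
    file deserves a closer look."""
    return sum(1 for m in NCR_RE.finditer(xml_text)
               if 32 <= ncr_codepoint(m.group(1)) < 127)


if __name__ == '__main__':
    print('raw Target values :', raw_targets(SAMPLE_RELS))
    print('decoded by hand   :', decode_ncrs(raw_targets(SAMPLE_RELS)[1]))
    print('parsed externals  :', external_targets(SAMPLE_RELS))
    print('ASCII NCRs        :', ascii_ncr_count(SAMPLE_RELS))
```

The two extraction routes are the point: a regex over the raw file returns the obfuscated Target, while the parser returns the cleartext URL. When triaging OOXML, always inspect relationship targets after XML parsing, and treat ASCII characters written as numeric references as a signal in its own right.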

Now, let’s come back to the output of zipdump:

Remark that the timestamps vary: some of them are 1980-01-01 00:00:00, and others are 2021-09-16.

When Office applications create an OOXML file, they do not record the current time in the ZIP container’s entries: every entry gets the timestamp 1980-01-01 00:00:00, the epoch of the MS-DOS date/time format that ZIP headers use. Generic ZIP tools, on the other hand, stamp the entries they write with the current time.

So this maldoc has most likely been created with Word, and then edited with another tool: the entries that carry a 2021-09-16 timestamp are the ones that were rewritten. This might well be one of the maldoc generator tools that have been released for CVE-2021-40444.
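The timestamp observation can be turned into a small triage check. The following Python is an added example, not part of the diary and not zipdump.py: it constructs an in-memory OOXML-like ZIP in which some entries carry the 1980-01-01 00:00:00 stamp and others a later one, then classifies the container as untouched, fully rebuilt, or mixed. The entry names, the placeholder content and the 2021-09-16 stamp are constructed to mirror the listing described above.

```python
import io
import zipfile

# Timestamp Office writes for every entry of an OOXML container: the epoch of
# the MS-DOS date/time format used in ZIP headers.
OFFICE_STAMP = (1980, 1, 1, 0, 0, 0)

# Constructed stand-in for the timestamp a ZIP tool writes when rewriting
# entries (DOS time has 2-second resolution, so seconds are even).
TOOL_STAMP = (2021, 9, 16, 10, 23, 44)

# Entry names typical of a minimal .docx (constructed sample).
ENTRY_NAMES = [
    '[Content_Types].xml',
    '_rels/.rels',
    'word/document.xml',
    'word/_rels/document.xml.rels',
    'word/styles.xml',
]


def build_sample_container(rewritten):
    """Build an in-memory OOXML-like ZIP with placeholder content. Entries
    named in `rewritten` get TOOL_STAMP, the rest get the Office timestamp,
    mimicking a Word document later edited by a ZIP tool."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name in ENTRY_NAMES:
            stamp = TOOL_STAMP if name in rewritten else OFFICE_STAMP
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), b'<placeholder/>')
    return buf.getvalue()


def entry_timestamps(zip_bytes):
    """(name, date_time) for every entry, the way a zipdump-style listing
    shows them. zipfile reads these from the central directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, zi.date_time) for zi in zf.infolist()]


def triage_timestamps(zip_bytes):
    """Classify a container by its entry timestamps and list the entries that
    do not carry the Office timestamp:
      'office-only': every entry is 1980-01-01, consistent with a plain Word save
      'tool-only'  : no entry is 1980-01-01, consistent with a ZIP tool building the whole file
      'mixed'      : created by Office, then some entries rewritten by another tool
    Heuristic only: an attacker can set any timestamp they like."""
    stamps = entry_timestamps(zip_bytes)
    rewritten = [name for name, dt in stamps if dt != OFFICE_STAMP]
    if not rewritten:
        return 'office-only', rewritten
    if len(rewritten) == len(stamps):
        return 'tool-only', rewritten
    return 'mixed', rewritten


if __name__ == '__main__':
    sample = build_sample_container({'word/document.xml', 'word/_rels/document.xml.rels'})
    for name, dt in entry_timestamps(sample):
        print('%04d-%02d-%02d %02d:%02d:%02d  %s' % (dt + (name,)))
    print(triage_timestamps(sample))
```

A 'mixed' verdict is the interesting one for this sample: it tells you which parts to read first (here the rewritten document.xml and its .rels). Treat it as a lead, not proof; a generator that deliberately writes 1980-01-01 everywhere would come out as 'office-only'.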


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: SANS Internet Storm Center (InfoCON: green)
