[SANS ISC] Simple Analysis Of A CVE-2021-40444 .docx Document, (Sat, Sep 18th)

Analysing a malicious Word document like prod.docx that exploits %%cve:2021-40444%% is not difficult.

We need to find the malicious URL in this document. As I’ve shown before, this is quite simple: extract all XML files from the ZIP container (.docx files are OOXML files, that’s a ZIP container with (mostly) XML files) and use a regular expression to search for URLs.

This can be done with my tools zipdump.py and re-search.py:

OOXML files contain a lot of legitimate URLs. Like schemas.microsoft.com. These can be filtered out with my tool re-search.py:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[BleepingComputer] New MÄ“ris botnet breaks DDoS record with 21.8 million RPS attack

A new distributed denial-of-service (DDoS) botnet that kept growing over the summer has been hammering Russian internet giant Yandex for the past month, the attack peaking at the unprecedented rate of 21.8 million requests per second. […] Source: Read More (BleepingComputer)

Read More

[SANS ISC] ISC Stormcast For Wednesday, October 6th, 2021 https://isc.sans.edu/podcastdetail.html?id=7702, (Wed, Oct 6th)

All posts, Sans-ISC

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Source: Read More (SANS Internet Storm Center, InfoCON: green)

Read More

[SANS ISC] Are Cookie Banners a Waste of Time or a Complete Waste of Time?, (Thu, May 20th)

All posts, Sans-ISC

Legislation, in particular in the European Union, has led to a proliferation of “Cookie Banners.” Warning banners that either ask you for blanket permission to set cookies or, in some cases, provide you with some control as to what cookies you do allow. These regulations emerged after advertisers made excessive use of HTTP Cookies to […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.