I created a video for the analysis I described in my last diary entry “Simple Analysis Of A CVE-2021-40444 .docx Document”.
I also cover another sample in that video, which is a bit harder to analyze (and has much lower detection rates on VT).
Note that I always make sure that you can find the samples I analyze on Malware Bazaar too.
And here is the InQuest blog post I mention in the video: “Microsoft MSHTML Remote Code Execution Vulnerability”.
The tools I use in this video: zipdump.py, re-search.py and xmldump.py.
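Those three tools do the work by hand: zipdump.py lists and extracts the parts of the .docx zip, re-search.py greps them, and xmldump.py pretty-prints the XML. The part worth looking at for CVE-2021-40444 is the relationships file (word/_rels/document.xml.rels), where the malicious documents carry an oleObject relationship with TargetMode="External" whose target uses the mhtml:...!x-usc:... form. The script below is an added example, not code from this diary or from the tools named above: it walks every .rels part of an Office Open XML file with the Python standard library and flags external relationships, which is the same check done manually in the video. The sample .docx it scans is constructed in memory (not a real sample), and the host example.invalid is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # on untrusted files, defusedxml is the safer parser

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Targets handed to the MHTML/MSHTML handler: an mhtml: or x-usc: scheme, either at the
# start of the target or after the "!" that separates the sub-URL in an mhtml: target.
MSHTML_TARGET_RE = re.compile(r"(?i)(^|!)(mhtml|x-usc):")


def find_external_relationships(docx_bytes):
    """Return (part, type, target) for every Relationship in any *.rels part of the
    OOXML zip whose TargetMode is External, i.e. whose target lies outside the zip."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # TargetMode is optional and defaults to Internal
                if rel.get("TargetMode", "Internal") == "External":
                    hits.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return hits


def triage(docx_bytes):
    """Split external relationships into all of them and the suspicious subset:
    an external oleObject relationship, or any target using an mhtml:/x-usc: scheme."""
    external = find_external_relationships(docx_bytes)
    suspicious = [
        (part, rtype, target)
        for part, rtype, target in external
        if rtype == OLE_REL_TYPE or MSHTML_TARGET_RE.search(target)
    ]
    return {"external": external, "suspicious": suspicious}


def build_sample_docx(ole_target=None):
    """Constructed minimal .docx (not a real sample): a styles relationship plus,
    when ole_target is given, an external oleObject relationship pointing at it."""
    rels = [
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>'
    ]
    if ole_target is not None:
        rels.append(
            f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
            f'Target="{ole_target}" TargetMode="External"/>'
        )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">' + "".join(rels) + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("_rels/.rels", f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}"/>')
        zf.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; only the mhtml:...!x-usc:... shape mirrors the real documents.
    sample = build_sample_docx(
        "mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html"
    )
    for part, rtype, target in triage(sample)["suspicious"]:
        print(f"{part}: {rtype.rsplit('/', 1)[-1]} -> {target}")
```

To run it on a real file, replace the constructed sample with `open(path, "rb").read()`. Scanning every .rels part rather than only word/_rels/document.xml.rels matters because the relationship can live in another part (a header, footer or embedded object part), which is one reason a harder sample takes more digging.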
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.