Simple Analysis Of A CVE-2021-40444 .docx Document, (Sat, Sep 18th)

Analysing a malicious Word document like prod.docx that exploits %%cve:2021-40444%% is not difficult.

We need to find the malicious URL in this document. As I’ve shown before, this is quite simple: extract all XML files from the ZIP container (.docx files are OOXML files, that’s a ZIP container with (mostly) XML files) and use a regular expression to search for URLs.

This can be done with my tools and

OOXML files contain a lot of legitimate URLs. Like These can be filtered out with my tool

Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.