
SANS ISC: Simple Analysis Of A CVE-2021-40444 .docx Document


Analyzing a malicious Word document like prod.docx that exploits CVE-2021-40444 is not difficult.

We need to find the malicious URL in this document. As I've shown before, this is quite simple: extract all the XML files from the ZIP container (a .docx file is an OOXML file, which is a ZIP container holding mostly XML files) and use a regular expression to search them for URLs.

This can be done with my tools and

OOXML files contain a lot of legitimate URLs. Like These can be filtered out with my tool
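The procedure above, as an added example written for this diary (it is my own illustration, not the author's tools): walk every XML part inside the ZIP container, pull out URLs with a regular expression, and drop the ones that match an allowlist of namespace and schema prefixes that legitimately appear in OOXML. The URL pattern, the allowlist, and the minimal sample .docx (with a placeholder external URL in its relationships part) are all my own assumptions and constructions.

```python
import io
import re
import zipfile

# Simple http/https URL pattern for triage (assumption: stops at quotes, whitespace and angle brackets).
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Prefixes of URLs that legitimately appear in OOXML parts (assumption: allowlist compiled for this example).
KNOWN_GOOD_PREFIXES = (
    "http://schemas.openxmlformats.org/",
    "http://schemas.microsoft.com/",
    "http://www.w3.org/",
    "http://purl.org/",
)


def extract_urls(docx_bytes):
    """Read every .xml/.rels part in the OOXML ZIP and map each URL to the parts it appears in."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.endswith(".xml") or name.endswith(".rels")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                found.setdefault(url, set()).add(name)
    return found


def suspicious_urls(docx_bytes):
    """Filter out allowlisted schema/namespace URLs; what remains is worth a closer look."""
    return {url: sorted(parts) for url, parts in extract_urls(docx_bytes).items()
            if not url.startswith(KNOWN_GOOD_PREFIXES)}


def build_sample_docx():
    """Constructed sample: a minimal .docx whose relationships part points an oleObject at an external URL."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="http://example.invalid/placeholder.html" TargetMode="External"/>'
            '</Relationships>')
    doc = '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for url, parts in suspicious_urls(build_sample_docx()).items():
        print(url, parts)
```

On the constructed sample, the only URL left after filtering is the external oleObject target in word/_rels/document.xml.rels, which is exactly the relationship to inspect for this class of document.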

Didier Stevens
Senior Handler, Microsoft MVP
Sep 18th 2021
