Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. In my recent diary entries, I wrote about CVE-2021-40444, so that's a recent MSHTML vulnerability, on how to analyze documents that contain that exploit. It involves just dumping the content of the zip file and searching for URLs. Now, that doesn't always work, and I also made a video on this analysis, and there was a comment asking if I would edit my tool, so re-search, so that it includes regular expressions for this vulnerability, these exploits for that vulnerability, so the URL that for example contains MSHTML or x-usc. Now, I'm not going to do that because you can do that yourself. My re-search tool is flexible enough that you can add your own regular expressions to the library without having to change the code, and that's what I'm going to show you here.

So, here I have a couple of samples. If I do a dump of all the files in this sample, and I search for URLs with my re-search tool, then I get a bunch of URLs, and if I filter out Office URLs, so I don't want to see the standard Office URLs, then here you have that URL that refers to this exploit. So, as you can see here, you have x-usc, and what I observed is that in all the examples that I saw, there was an exclamation mark. So, I'm going to make a regular expression that looks for a string that contains an exclamation mark.

Now, how can you add regexes to re-search? Well, it's very simple. If you look at the help of re-search, you have here all kinds of regular expressions that are inside the library. To add one, you just have to create a file called re-search.txt. You can create that in your working folder, and then it will be used when you are working in that folder, or you can create it inside the same folder as where the re-search.py tool is located, and then it will always use that library. So, I'm going to create such a file here, and what you simply have to do is name equals regex per line. So, that's how you can add regular expressions.

That's the only thing to do. I'm going to call this one strbang, and so I am looking for a string with double quotes with an exclamation mark, and then before it I need characters that are not a double quote, and I need at least one of these characters, and then, so that's before the exclamation mark, and the same after the exclamation mark. And that's it. So, now I have that file here, re-search.txt, as you can see, and if I do re-search help, if we go into the library, you can see here in help, sorry, in the list of URLs, now you can see that strbang here was added. So, we can just use this now. So, what I'm going to do again, dump this string, and then run re-search, name strbang, and here you have immediately the URL that points to the malicious code. Same with the other sample, and now it finds this one. And remember that this one was not found when you searched for URLs, because there was no protocol here, including now HTTP or HTTPS. So, if you search for URL and exclude Office URLs, we have no result. But now, with that strbang regular expression that we added to the library, we have a result.

And finally, I also had a diary entry about an XML-obfuscated Office document. Let me show you that one. So, the relationships are here in file 10. I select file 10 and dump it. And then you see here for targets, all these entities. Also here relationships, also entities. So, these are decimal numbers that represent a character, typical for XML entities, and actually also HTML. A couple of ways to solve this, like I explained in this diary entry. I can just convert these numbers to a string with my tool. And then here you see the URL. Or you can pass this on to my XML dump tool. Pretty print. And then it will do the conversion for you. So, you see it here. And of course, you will now be able to run re-search on strbang, sorry, re-search, like this. And here we have the URL.

Now, if we don't do that conversion with re-search, sorry, with XML dump, prettify, then we don't have it.
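The two mechanisms the video walks through, a name=regex library file and decoding numeric XML character references before searching, are illustrated together below in an added Python example. This is not re-search.py or xmldump.py and does not reproduce their code; it is a small stand-alone reimplementation of the idea. The `strbang` pattern follows the description in the video (one or more non-quote characters, an exclamation mark, one or more non-quote characters, all inside double quotes). The skipping of `#` comment lines is an assumption of this parser, not a documented re-search.txt feature, and the relationship XML and the `example.invalid` host are constructed sample data.

```python
import re

# Constructed library text in the one-name-per-line "name=regex" format the video
# describes for re-search.txt. This parser is an added illustration; the comment
# handling is an assumption and is not taken from re-search.py.
LIBRARY_TEXT = '''\
# strbang: a double-quoted string that contains an exclamation mark
strbang="[^"]+![^"]+"
'''


def parse_library(text):
    """Return {name: compiled regex} from lines of the form name=regex."""
    library = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: blank and # lines ignored
            continue
        name, sep, pattern = line.partition("=")
        if not sep:
            raise ValueError(f"malformed library line: {raw!r}")
        library[name.strip()] = re.compile(pattern.strip())
    return library


# Numeric character references: &#NNN; (decimal) and &#xHH; (hexadecimal).
_NUMERIC_REF = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")


def decode_numeric_entities(text):
    """Replace every numeric character reference with the character it encodes."""
    def repl(match):
        token = match.group(1)
        code = int(token[1:], 16) if token[0] in "xX" else int(token)
        return chr(code)
    return _NUMERIC_REF.sub(repl, text)


def encode_decimal_entities(text):
    """Encode every character as a decimal reference, as in the obfuscated document."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def search(library, name, text):
    """Run the named library regex over text and return all matches."""
    return library[name].findall(text)


# Constructed sample: a relationship whose Target value is fully entity-encoded.
# The host example.invalid is a placeholder, not an indicator from any real sample.
SAMPLE_TARGET = ("mhtml:http://example.invalid/doc.html"
                 "!x-usc:http://example.invalid/doc.html")
SAMPLE_RELS = ('<Relationship Id="rId5" Target="'
               + encode_decimal_entities(SAMPLE_TARGET)
               + '" TargetMode="External"/>')


if __name__ == "__main__":
    lib = parse_library(LIBRARY_TEXT)
    print("raw (obfuscated) hits:", search(lib, "strbang", SAMPLE_RELS))
    decoded = decode_numeric_entities(SAMPLE_RELS)
    print("decoded hits:", search(lib, "strbang", decoded))
```

Running it shows the point made at the end of the video: against the raw, entity-encoded relationship text `strbang` finds nothing, because the exclamation mark only exists as `&#33;`; after decoding, the same regex returns the quoted target.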