Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. My last diary entry was about malicious documents, a DOCX Word document with an exploit for the recent MSHTML vulnerability. So let's see how we can do this analysis, rather simply. So it's a DOCX file, so that is an OOXML file, a zip container containing mostly XML files. I'm going to use my zipdump tool to look inside that file, and here we have all the files in here. And what we are going to do here, something I've done already before in diary entries, is just dump all that XML data and extract all the URLs and see what we end up with. So there's an option in zipdump to dump the content of all the files to standard output, and that's capital D, option -D, to dump all the files. And then I'm going to pipe this into my re-search tool and search for URLs using a built-in regular expression for URLs, like this. And here you have all the URLs that are found inside those XML files. A lot of them are legitimate; they are there in OOXML files. You can filter them out with re-search, option -F, uppercase F, and say officeurls. This means we are going to filter out all the URLs, all the domains, that correspond to Office documents. And then you end up here with the malicious URL. Now this is quite simple, works for different kinds of vulnerabilities exploited, and also just misusing features, looking for URLs inside this document. Now this doesn't always work like this. Of course it's a bit harder to find, and I have an example of that in another file. So it's also a Word document, a .docx file, with an exploit for CVE-2021-40444, so I dump everything and I pipe this into re-search, searching for URLs, filtering out what is normal for Office, and we get no output. The Office URLs are there, but we find no others. Why is that? Well, let's go back to the first sample. And in this sample, I'm going to search for that IP address here, so let me copy this.
Then I'm going to use an ad hoc YARA rule with my tool, searching for this string in this document, okay, and we can find this in this file, document.xml.rels, the relationships. So let's look inside that file, file number 9, select 9, do a dump, it's XML, so we can just do a dump. And here you have that file. Now let me do a pretty print with my XML dump tool, so that the XML is more readable. Let's see if I can enlarge this a bit, yeah, okay. So here you have different relationship entries, and here you have a relationship entry with this vulnerability, exploiting this vulnerability. Here you can see the target is mhtml, and then you have the URL here, with then the bang and the command. Notice also that this is an external relationship. All the others don't have target mode external, they are internal; this one is external. So we should also be able to find this by searching for mhtml, for example, okay, then we end up again here with our relationship file. So let's try that for the other sample, and indeed we have mhtml in that relationship file, which is file 13. So let's take a look, and I'll do directly a pretty print. And here again you can see a target mode external relationship for the object, mhtml here. And here you have the URL, let's see. But as you can see here, this URL is not prefixed with a protocol, it doesn't say HTTP here. That is why the URL was not found with my re-search tool, because it looks for a protocol, then colon slash slash, and then the host name or domain name. So that's why it was not found. One way to do this is searching for mhtml, or maybe also this x-usc. Now I want to point you to a blog post by InQuest about this vulnerability, where they did quite some research. And here for example, they describe a URL, and their research and other researchers' research has also shown that keywords here like mhtml or this x-usc are not actually mandatory. There are ways to omit this, and then that makes the detection more difficult.
Now there is always one way to manually check that. And that is just to look at the relationships, and see if you have an external relationship. And if you have that, then take a closer look at what that external relationship is.
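The manual check described above (open every .rels part, look for TargetMode="External", then inspect the target) can be automated without depending on the mhtml/x-usc keywords or on a URL regex that needs a scheme. The script below is an added example written for this page; it is not zipdump, re-search, or any other tool from the video. It parses the relationships parts of a DOCX container with the standard library and reports each external relationship with the reasons it deserves attention: an external oleObject (embedded objects are normally internal parts), an mhtml/x-usc keyword, or a target with no URL scheme at all (the case the URL search missed). The sample container it builds, the rId values and the example.invalid targets are constructed for the demonstration and are not the IoCs from the two samples in the video.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every OOXML .rels part
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % RELS_NS

# Keywords seen in the samples; the video notes they can be omitted, so they
# are only a hint here, never the sole decision criterion.
HINT = re.compile(r"mhtml:|x-usc:", re.IGNORECASE)
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Yield (rels_part, Id, Type, Target) for every relationship whose
    TargetMode is External, across all .rels parts in the container."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                # Internal is the default when TargetMode is absent
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                yield name, rel.get("Id"), rel.get("Type", ""), rel.get("Target", "")


def triage(docx_bytes):
    """Return one dict per external relationship with a list of reasons.
    Hyperlinks are expected to be external; an external oleObject is not,
    and is flagged whatever scheme (if any) the Target carries."""
    report = []
    for part, rel_id, rel_type, target in external_relationships(docx_bytes):
        kind = rel_type.rsplit("/", 1)[-1]  # e.g. 'hyperlink', 'oleObject'
        reasons = []
        if kind == "oleObject":
            reasons.append("external oleObject (embedded objects are normally internal)")
        if HINT.search(target):
            reasons.append("mhtml/x-usc keyword in Target")
        if not HAS_SCHEME.match(target):
            reasons.append("Target has no URL scheme (a URL regex would miss it)")
        report.append({"part": part, "id": rel_id, "type": kind,
                       "target": target, "reasons": reasons})
    return report


# ---- constructed sample relationships part (not from a real document) ----
_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
 <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/page" TargetMode="External"/>
 <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://example.invalid/a.html!x-usc:http://example.invalid/a.html" TargetMode="External"/>
 <Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="example.invalid/b.html" TargetMode="External"/>
</Relationships>"""


def build_sample_docx():
    """Minimal zip container with just enough parts to exercise triage()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", _RELS)
    return buf.getvalue()


if __name__ == "__main__":
    # Point this at a real file with: triage(open(path, "rb").read())
    for entry in triage(build_sample_docx()):
        flag = "SUSPICIOUS" if entry["reasons"] else "ok"
        print(f"{flag:10} {entry['part']} {entry['id']} {entry['type']}: {entry['target']}")
        for reason in entry["reasons"]:
            print("            -", reason)
```

Run against the constructed container, the hyperlink (rId2) comes out clean, rId3 is flagged on both the oleObject type and the mhtml/x-usc keyword, and rId4 is flagged even though it carries no keyword and no scheme, which is exactly the relationship a URL regex would never return. The decision rests on the relationship being external and of a type that should not be, so stripping the keywords from the target does not hide it.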