Reverse engineering the "A Letter Before Court 4.docx" malicious files exploiting CVE-2021-40444
Files (including the malicious Word document and the CAB file) may be downloaded from any.run: https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/#
Note! The domain name in the original malicious code is replaced with 127.0.0.1:8000 to avoid any mistakes executing malicious code. So, if you want to serve your own championship.inf file (which is actually a PE file), just use:
python3 -m http.server
The step 3 file: in this step the code is human-readable enough to see how the CVE-2021-40444 bug is used by the malicious Word document.
championship.inf: this is the PE file that is loaded on a successful attack.
Stages
- The Word file loads a web address (an internet URL) as an OLE object (side.html in this case)
- side.html uses ActiveX loading to download a .cab file from the internet
- The JavaScript in side.html references the championship.inf contained in the .cab file as a loadable ActiveX object
- Thereafter, code execution via the ActiveX object
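The first stage above (an OLE object whose target is a remote URL rather than an embedded part) is visible statically in the document's relationship files. The following triage check is an added example, not code from the original analysis: it opens a .docx as a zip, walks every .rels part, and flags oleObject relationships that are external or that use an mhtml:/http URL, the pattern used by the in-the-wild CVE-2021-40444 documents. The sample document it builds is constructed inline and is not the real "A Letter Before Court 4.docx".

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace and the relationship type Word uses for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_targets(docx_bytes):
    """Return (rels_part, target) pairs for OLE relationships that point outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                # A legitimate embedded OLE object targets a part such as embeddings/oleObject1.bin;
                # an external target, or an mhtml:/http URL, is what the stage-1 loader relies on.
                if rel.get("TargetMode") == "External" or re.match(r"(?i)^(mhtml:|https?:)", target):
                    hits.append((name, target))
    return hits


def build_sample_docx(ole_target, external=True):
    """Constructed minimal .docx containing only the parts the check above reads."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="{ole_target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed target mirroring the page's substituted host, not the original domain.
    sample = build_sample_docx("mhtml:http://127.0.0.1:8000/side.html")
    for part, target in find_external_ole_targets(sample):
        print(f"suspicious OLE relationship in {part}: {target}")
```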