Skip to content

Reverse engineering the "A Letter Before Court 4.docx" malicious files exploting cve-2021-40444

Notifications You must be signed in to change notification settings

jamesrep/cve-2021-40444

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 

Repository files navigation

cve-2021-40444

Reverse engineering the "A Letter Before Court 4.docx" malicious files exploting cve-2021-40444

Files (including malicious word and cab-file) may be downloaded on any.run: https://app.any.run/tasks/36c14029-9df8-439c-bba0-45f2643b0c70/#

Note! The domain name in the original malicious code is replaced with 127.0.0.1:8000 to avoid any mistakes executing malicious code. So, if you want to serve your own championship.inf-file (which is actually a PE-file), just use:

python3 -m http.server

The step 3 file In this step, the code is human readably enough to see how the cve-2021-40444 bug is used by the malicious word document.

championship.inf This is the PE-file that is loaded on a successful attack.

Stages

  1. Word file loads the web-address (internet address) as an OLE-object (side.html in this case)
  2. Side.html uses ActiveX loading to download a .cab file from internet
  3. Side.html javascript references the championship.inf contained in the .cab file as a loadable activex-object
  4. Thereafter... code execution by the activex

About

Reverse engineering the "A Letter Before Court 4.docx" malicious files exploting cve-2021-40444

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages