Analyzing Phishing Email – Word XML File Analysis

Recently I observed a phishing email, as below:
https://www.virustotal.com/#/file/cf027dd938f1a268f45f2ea786dc538ab47f35006fb12d0b64e0867bccf789c0/detection – clean

The file seems to be clean per VT. Interestingly, in the Details section, I found 2 URLs under OpenXML Doc Info.

To search for these URLs, first rename the Word document to a zip file, e.g. sample.doc to sample.zip. This works because the file is an OOXML package, which is a zip archive whatever its extension (the first two bytes are PK). A legacy binary .doc is an OLE2 compound file (first bytes D0 CF 11 E0) and cannot be unzipped at all, so check the magic bytes before assuming the rename will work.

Then extract the zip file. The URLs can be found in the file document.xml.rels (~/sample_folder/word/_rels/), the relationships part of the main document. Relationships with TargetMode="External" are the ones that point outside the package; the Type attribute tells you whether each one is an ordinary hyperlink or something Word will fetch on its own, such as an attached template or a remote OLE object.

This looks simple once you know which file to look at and where it lives.

I'm thinking: what if we could search for all the URLs/hyperlinks in the XML files of the Word document, without having to open them one by one?

To do that, we'll use Didier Stevens' Python script tools zipdump and re-search (together with reextra):

  • zipdump
  • re-search
  • reextra
Download the three Python scripts above into one place, then run the command below:

The command pipes the contents of the zip file into the regex search, which extracts every URL it finds. As you can see below, these are all the URLs contained in the Word doc:
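As an added example, not the author's zipdump/re-search command and not code from Didier Stevens' tools, the Python below does the equivalent offline. It builds a small constructed .docx in memory (the hostnames phish.example and template.example are placeholders, not the URLs from the sample), checks that the container really is a zip, parses every .rels part for relationships with TargetMode="External", and then regex-greps all XML parts for URLs the way a zipdump | re-search pipeline would. The grep path also shows the caveat you hit in practice: every OOXML part declares xmlns URIs under schemas.openxmlformats.org, so an unfiltered URL regex returns mostly schema noise.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample, not the document from the post: a minimal OOXML
# container with two hyperlinks in document.xml.rels and an external
# attached template in settings.xml.rels. All hosts are placeholders.
SAMPLE_PARTS = {
    "[Content_Types].xml": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    ),
    "word/document.xml": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:hyperlink r:id="rId2"><w:r><w:t>Review invoice</w:t></w:r></w:hyperlink></w:p></w:body>'
        '</w:document>'
    ),
    "word/_rels/document.xml.rels": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://phish.example/login?acct=1" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://phish.example/verify" TargetMode="External"/>'
        '</Relationships>'
    ),
    "word/_rels/settings.xml.rels": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://template.example/t.dotm" TargetMode="External"/>'
        '</Relationships>'
    ),
}

# Hosts of the namespace/schema URIs present in every OOXML part; they are
# noise when grepping for URLs an attacker put in the document.
SCHEMA_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org")

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def build_sample_docx() -> bytes:
    """Pack SAMPLE_PARTS into an in-memory zip with the layout Word uses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in SAMPLE_PARTS.items():
            zf.writestr(name, body)
    return buf.getvalue()


def is_ooxml(data: bytes) -> bool:
    """An OOXML document is a zip and starts with 'PK'. A legacy binary .doc
    (OLE2, starts with D0 CF 11 E0) fails this check and cannot be unzipped."""
    return data[:2] == b"PK" and zipfile.is_zipfile(io.BytesIO(data))


def external_relationships(data: bytes):
    """Parse every *.rels part and return (part, relationship type, target)
    for each relationship with TargetMode="External", i.e. one that points
    outside the package. Hyperlinks, attached templates and remote OLE
    objects all surface here, whichever part declared them."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def grep_urls(data: bytes, ignore_schema_hosts: bool = True):
    """Regex-search every XML/rels part for URLs, which is what a
    'zipdump | re-search' pipeline does. Without the host filter the xmlns
    declarations in every part dominate the output."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                host = url.split("/", 3)[2]
                if ignore_schema_hosts and host in SCHEMA_HOSTS:
                    continue
                urls.add(url)
    return sorted(urls)


if __name__ == "__main__":
    sample = build_sample_docx()
    print("OOXML container:", is_ooxml(sample))
    for part, rel_type, target in external_relationships(sample):
        print(f"{part}: {rel_type} -> {target}")
    print("grep, schema noise filtered:", grep_urls(sample))
    print("grep, raw:", grep_urls(sample, ignore_schema_hosts=False))
```

Running the script lists the two hyperlinks and the attached template from the relationship parts with their types, then three URLs from the filtered grep and ten from the raw grep, the extra seven being schema URIs. Parsing the .rels parts gives you decoded targets and tells you what Word will do with each (a hyperlink only fires on click; an attachedTemplate is fetched on open); the regex pass is the catch-all for URLs hidden in text, comments or parts you did not think to look at, but it sees raw XML, so a URL containing `&` appears as `&amp;`.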
