Recently I’ve observed a phishing mail as below:
https://www.virustotal.com/#/file/cf027dd938f1a268f45f2ea786dc538ab47f35006fb12d0b64e0867bccf789c0/detection – clean
The file seems to be clean per VT. Interestingly, on details sections, found 2 URLs under OpenXML Doc Info; section Package Relationships:
To search for these URLs, first you’ll need to rename the Word doc file to compressed zip file. E.g. sample.doc to sample.zip.
Then, extract the zip file. The URLs can be found inside file document.xml.rels (~/sample_folder/word/_rels/):
Its may look simple if you know which & where the file to be look at.
I’m thinking; what if we can search for all the URL/hyperlink in the XML files content of the Word document, without actually having to open it one-by-one.
To do that, we’ll using zipdump, re-search (together with reextra) Python script tools by Didier Stevens:
Download the Python scripts mentioned above and put it into one place. Then, executed this command below:
./zipdump.py -D sample.zip | ./re-search.py -f -n url -u
Command above will search the content of the zip file & extract/applied regex searching for URLs.
As you can see below, these is all the URLs that contained in the Word doc: