Recently I observed a phishing mail carrying the attachment below:
https://www.virustotal.com/#/file/cf027dd938f1a268f45f2ea786dc538ab47f35006fb12d0b64e0867bccf789c0/detection – clean
The file seems to be clean per VT. Interestingly, in the Details section, I found 2 URLs under OpenXML Doc Info.
To search for these URLs yourself, first rename the Word document to a zip file (an OpenXML document is a zip archive), e.g. sample.doc to sample.zip.
It may look simple if you already know which file to look at and where it sits.
I'm thinking: what if we could search for every URL/hyperlink in the XML content of the Word document without having to open the files one by one?
To do that, we'll use the zipdump and re-search Python scripts (together with reextra) by Didier Stevens:
Download the Python scripts mentioned above into one place, then execute the command below:
./zipdump.py -D sample.zip | ./re-search.py -f -n url -u
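The same idea, written out as an added example in plain Python (standard library only; this is not Didier Stevens' zipdump/re-search code and not the sample from the post): walk every member of the OpenXML archive, regex out the URLs, and report which part each one came from. The archive it scans is constructed inline with placeholder URLs (example.invalid) so it runs offline; the host list used to drop the schema namespace URLs that every Office file contains is my own choice, not something the page specifies.

```python
import io
import re
import sys
import zipfile
from urllib.parse import urlsplit

# Same shape as the re-search "url" match: stop at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Hosts that occur in the XML namespaces of every OpenXML file; they are noise,
# not indicators. (Assumed list, extend to taste.)
BOILERPLATE_HOSTS = {
    "schemas.openxmlformats.org",
    "schemas.microsoft.com",
    "www.w3.org",
    "purl.org",
}


def build_sample_docx() -> bytes:
    """Constructed stand-in for a suspicious .docx: two hyperlinks hidden in
    different parts, plus a binary member that must not break the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr(
            "word/document.xml",
            "<w:document><w:body><w:p><w:r><w:t>Invoice attached</w:t>"
            "</w:r></w:p></w:body></w:document>",
        )
        # External hyperlink targets live in the relationships part, not in document.xml.
        z.writestr(
            "word/_rels/document.xml.rels",
            '<Relationships><Relationship Id="rId5" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="http://example.invalid/login.php" TargetMode="External"/></Relationships>',
        )
        # Document properties can carry a HyperlinkBase as well.
        z.writestr(
            "docProps/app.xml",
            "<Properties><HyperlinkBase>https://example.invalid/docs/</HyperlinkBase></Properties>",
        )
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")  # binary part
    return buf.getvalue()


def extract_urls(data: bytes, skip_boilerplate: bool = True,
                 max_member_bytes: int = 50_000_000) -> dict:
    """Return {url: [archive members it appears in]} for an OpenXML document.
    The extension is irrelevant: zipfile reads the container by content, so
    renaming .docx to .zip is only needed for GUI archive tools."""
    found: dict = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir() or info.file_size > max_member_bytes:
                continue  # skip directories and oversized (zip-bomb style) members
            text = z.read(info.filename).decode("utf-8", errors="ignore")
            for m in URL_RE.finditer(text):
                url = m.group(0)
                host = urlsplit(url).netloc.lower()
                if skip_boilerplate and host in BOILERPLATE_HOSTS:
                    continue
                found.setdefault(url, set()).add(info.filename)
    return {url: sorted(members) for url, members in found.items()}


def scan_file(path: str) -> dict:
    """Scan a document on disk; works on sample.doc or sample.zip alike."""
    with open(path, "rb") as fh:
        return extract_urls(fh.read())


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else extract_urls(build_sample_docx())
    for url, members in sorted(results.items()):
        print(f"{url}  <- {', '.join(members)}")
```

Run it with a document path to scan a real file, or with no arguments to see it work on the constructed sample. Reporting the member name alongside each URL is the part worth keeping: a URL in word/_rels/document.xml.rels is a clickable link in the body, while one in docProps/app.xml is metadata, and that distinction decides what to look at next.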