CVE-2021-40444 CyberChef Recipe

https://gchq.github.io/CyberChef/#recipe=Unzip('',false)Regular_expression('User%20defined','Target%3D%22mhtml:%5B%5E!%5D%2B!x-usc:%5B%5E!%20%22%5D%2B',true,true,false,false,false,false,'List%20matches')Find_/_Replace(%7B'option':'Regex','string':'Target%3D%22mhtml:'%7D,'',true,false,true,false)Find_/_Replace(%7B'option':'Regex','string':'!x-usc:'%7D,'%5C%5Cn',true,false,true,false)Unique('Line%20feed')Defang_URL(true,true,true,'Valid%20domains%20and%20full%20URLs')
Unzip('',false)
Regular_expression('User defined','Target="mhtml:[^!]+!x-usc:[^! "]+',true,true,false,false,false,false,'List matches')
Find_/_Replace({'option':'Regex','string':'Target="mhtml:'},'',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'!x-usc:'},'\\n',true,false,true,false)
Unique('Line feed')
Defang_URL(true,true,true,'Valid domains and full URLs')

Unzip('',false)
Extract_URLs(false)
Regular_expression('User defined','(https?:\\/\\/(?!.*\\.?(microsoft|openxmlformats|purl|w3)).*)',true,true,false,false,false,false,'List matches')
Defang_URL(true,true,true,'Valid domains and full URLs')

Test on known CVE-2021-40444 maldoc

Result of recipe showing the domain that was included in the \word\_rels\document.xml

Update — 2021-09-20 19:23 EST

Unzip('',false)
Regular_expression('User defined','Target="mhtml:[^!]+!x-usc:[^! "]+',true,true,false,false,false,false,'List matches')
Find_/_Replace({'option':'Regex','string':'Target="mhtml:'},'',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'!x-usc:'},'\\n',true,false,true,false)
Unique('Line feed')
Defang_URL(true,true,true,'Valid domains and full URLs')
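
For triage outside CyberChef, the same steps can be scripted. The following Python is an added example, not part of the original recipe: it unzips the document in memory, applies the recipe's regex, de-duplicates and defangs. The sample document, the example.test domain, the function names and the size limit are assumptions made for illustration.

```python
import io
import re
import zipfile

# Same pattern as the recipe's Regular_expression step, with capture groups
# replacing the two Find/Replace steps. Case-insensitive, as in the recipe.
MHTML_RE = re.compile(r'Target="mhtml:([^!]+)!x-usc:([^! "]+)', re.IGNORECASE)
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumption: skip oversized members (zip bombs)


def defang(url):
    """Approximate Defang_URL with dots, http and :// all enabled."""
    url = url.replace(".", "[.]")
    url = re.sub("http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[://]")


def extract_mhtml_targets(docx_bytes):
    """Return unique, defanged URLs from mhtml:/x-usc: relationship targets."""
    seen = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for outer, inner in MHTML_RE.findall(text):
                for url in (outer, inner):
                    if url not in seen:  # Unique step, order preserved
                        seen.append(url)
    return [defang(u) for u in seen]


def build_sample():
    """Constructed test document; example.test is a placeholder domain."""
    rels = (
        '<Relationships>'
        '<Relationship Id="rId1" Target="styles.xml"/>'
        '<Relationship Id="rId2" TargetMode="External" '
        'Target="mhtml:http://example.test/side.html!x-usc:http://example.test/side.html"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(extract_mhtml_targets(build_sample())))
```
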

Mohammad Amr Khan