SANS ISC: SANS Internet Storm Center


CyberChef: Analyzing OOXML Files for URLs

Published: 2021-01-23
Last Updated: 2021-01-23 09:39:26 UTC
by Didier Stevens (Version: 1)

In diary entry "Doc & RTF Malicious Document" I start analyzing a malicious Word document with my tools.

That Word document, an Office Open XML file (OOXML, .docx), is a ZIP container with XML files. I show how to extract URLs from this document.

CyberChef can also process ZIP files: I made a CyberChef recipe to extract URLs from OOXML files.

This is how it looks:

You can use it for any .docx, .docm, .xlsx, ... file (OOXML file) to see if it contains URLs.
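The same idea outside CyberChef, as an added Python example (not the diary's recipe and not one of the author's tools): open the OOXML file as a ZIP, scan every member for URLs, and drop the schema URLs that every such file contains. The list of schema hosts, the size limit, the function names and the sample document are assumptions made for this example.

```python
import io
import re
import zipfile

# Match http(s)/ftp URLs; stop at whitespace, quotes and XML angle brackets.
URL_RE = re.compile(rb"(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
# Assumption: these hosts only appear as XML namespace/schema identifiers
# that every OOXML file carries, so they are noise when hunting for links.
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                "purl.org", "www.w3.org"}
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # skip members declaring a huge size

def extract_urls(data, skip_schemas=True):
    """Return {url: [member, ...]} for URLs found in an OOXML (ZIP) file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                continue
            for match in URL_RE.finditer(zf.read(info)):
                url = match.group().decode("utf-8", "replace")
                url = url.replace("&amp;", "&")  # undo XML escaping
                host = url.split("/")[2].lower()
                if skip_schemas and host in SCHEMA_HOSTS:
                    continue
                members = found.setdefault(url, [])
                if info.filename not in members:
                    members.append(info.filename)
    return found

def build_sample_docx():
    """Constructed sample: a minimal .docx-like ZIP with one external target."""
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/'
            b'package/2006/relationships"><Relationship Id="rId1" '
            b'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            b'relationships/attachedTemplate" '
            b'Target="https://example.test/t.dotm?a=1&amp;b=2" '
            b'TargetMode="External"/></Relationships>')
    doc = (b'<w:document xmlns:w="http://schemas.openxmlformats.org/'
           b'wordprocessingml/2006/main"><w:body/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for url, members in sorted(extract_urls(build_sample_docx()).items()):
        print(url, "<-", ", ".join(members))
```

Pass `skip_schemas=False` to see everything the scan matches, including the namespace URLs, which helps when a link is hosted on one of the filtered domains.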

And if you want to understand how I use CyberChef to create this recipe, take a look at this video:

Didier Stevens

Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
