Share
## https://sploitus.com/exploit?id=EC128B0B-197F-5782-BFC4-96B2E278C162
# Malware-Analysis-Follina-CVE-2022-30190

# Static Malware Analysis โ€“ Follina Exploitation (CVE-2022-30190)  
Malicious Microsoft Word Document Investigation
![attack workflow](st.png)

During a practical malware analysis session on Kali Linux, I encountered a suspicious file named `sample.doc`. I decided to perform a structured static analysis to understand its nature and behavior without executing it.

This document describes the exact steps I took, the observations I made, and the conclusions I reached.

All work was performed in an isolated Oracle VirtualBox VM running Kali Linux.

## Step 1 โ€“ Initial File Observation

I first located the file in the Downloads/sample folder using the file manager.

- File name: sample.doc  
- Apparent size: 10.0 KiB (10,253 bytes)  
- Icon appeared as a standard Word document

![Sample file visible in file explorer](file-explorer-sample.png)

At this point I already suspected it might be malicious due to the context in which I obtained it, so I moved directly to threat intelligence validation.

## Step 2 โ€“ VirusTotal Submission & Basic Properties

I uploaded the file to VirusTotal and immediately checked the overview:

- SHA-256: 4aa240481afbe9fb62e7a6a4a9adbd1faf41f266b5f9feecdeb567aec096784  
- SHA-1: 06727ffda60359236a8029e0b3e8a0fd11c23313  
- Detection: 46 / 65 vendors flagged malicious  
- File type reported: **Office Open XML Document** (Microsoft Word 2007+ format)  
- Community score: very negative (-538)  
- Tags present: docx, cve-2022-30190, cve-2017-0199, exploit, calls-wmi

This strongly suggested an exploit-based document rather than a conventional macro malware.

![VirusTotal โ€“ hash, file type and basic properties](virus-total-hash-type.png)

![VirusTotal โ€“ detection ratio and popular labels](virus-total-detections.png)

## Step 3 โ€“ Reviewing MITRE ATT&CK Techniques

In the **Behavior** tab I examined the MITRE ATT&CK mapping that VirusTotal community / sandboxes associated with this sample.

Most relevant under the **Execution** tactic:

- **T1559 โ€“ Inter-Process Communication** (clearly visible and expanded in the screenshot)  
- Several instances of **T1203 โ€“ Exploitation for Client Execution**  
- Also T1059 โ€“ Command and Scripting Interpreter (likely PowerShell usage)

This immediately pointed toward a technique abusing inter-process mechanisms โ€“ very characteristic of the Follina / MSDT abuse chain.

![VirusTotal MITRE ATT&CK matrix โ€“ T1559 highlighted](virus-total-mitre-techniques.png)

## Step 4 โ€“ Analyzing Contacted URLs & External Relationships

The **Relations โ†’ Contacted URLs** section revealed the most important indicator:

Multiple fetches to domains under **xmlformats.com** (spoofing legitimate Microsoft XML schema domains), especially paths containing:

- /office/word/2022/wordprocessingDrawing/RDF842l.html  
- /office/word/2022/wordprocessingDrawing/RDF842l.html (with different capitalization/variations)

These URLs are fetched automatically when Microsoft Word processes the external relationship inside the document.

This is the classic Follina delivery mechanism: an external HTML reference in `document.xml.rels` that triggers the ms-msdt: protocol handler.

![VirusTotal โ€“ contacted URLs showing suspicious xmlformats.com domains](virus-total-relations-urls.png)

## Step 5 โ€“ Extracting the Document Structure

Knowing that modern Office files are ZIP archives, I extracted the contents using unzip:

```bash
unzip sample.doc

Questions or feedback? โ†’ Open an issue or connect on LinkedIn: www.linkedin.com/in/nimesh23

๐Ÿ›ก๏ธ