## https://sploitus.com/exploit?id=EC128B0B-197F-5782-BFC4-96B2E278C162
# Malware-Analysis-Follina-CVE-2022-30190
# Static Malware Analysis โ Follina Exploitation (CVE-2022-30190)
Malicious Microsoft Word Document Investigation

During a practical malware analysis session on Kali Linux, I encountered a suspicious file named `sample.doc`. I decided to perform a structured static analysis to understand its nature and behavior without executing it.
This document describes the exact steps I took, the observations I made, and the conclusions I reached.
All work was performed in an isolated Oracle VirtualBox VM running Kali Linux.
## Step 1 โ Initial File Observation
I first located the file in the Downloads/sample folder using the file manager.
- File name: sample.doc
- Apparent size: 10.0 KiB (10,253 bytes)
- Icon appeared as a standard Word document

At this point I already suspected it might be malicious due to the context in which I obtained it, so I moved directly to threat intelligence validation.
## Step 2 โ VirusTotal Submission & Basic Properties
I uploaded the file to VirusTotal and immediately checked the overview:
- SHA-256: 4aa240481afbe9fb62e7a6a4a9adbd1faf41f266b5f9feecdeb567aec096784
- SHA-1: 06727ffda60359236a8029e0b3e8a0fd11c23313
- Detection: 46 / 65 vendors flagged malicious
- File type reported: **Office Open XML Document** (Microsoft Word 2007+ format)
- Community score: very negative (-538)
- Tags present: docx, cve-2022-30190, cve-2017-0199, exploit, calls-wmi
This strongly suggested an exploit-based document rather than a conventional macro malware.


## Step 3 โ Reviewing MITRE ATT&CK Techniques
In the **Behavior** tab I examined the MITRE ATT&CK mapping that VirusTotal community / sandboxes associated with this sample.
Most relevant under the **Execution** tactic:
- **T1559 โ Inter-Process Communication** (clearly visible and expanded in the screenshot)
- Several instances of **T1203 โ Exploitation for Client Execution**
- Also T1059 โ Command and Scripting Interpreter (likely PowerShell usage)
This immediately pointed toward a technique abusing inter-process mechanisms โ very characteristic of the Follina / MSDT abuse chain.

## Step 4 โ Analyzing Contacted URLs & External Relationships
The **Relations โ Contacted URLs** section revealed the most important indicator:
Multiple fetches to domains under **xmlformats.com** (spoofing legitimate Microsoft XML schema domains), especially paths containing:
- /office/word/2022/wordprocessingDrawing/RDF842l.html
- /office/word/2022/wordprocessingDrawing/RDF842l.html (with different capitalization/variations)
These URLs are fetched automatically when Microsoft Word processes the external relationship inside the document.
This is the classic Follina delivery mechanism: an external HTML reference in `document.xml.rels` that triggers the ms-msdt: protocol handler.

## Step 5 โ Extracting the Document Structure
Knowing that modern Office files are ZIP archives, I extracted the contents using unzip:
```bash
unzip sample.doc
Questions or feedback? โ Open an issue or connect on LinkedIn: www.linkedin.com/in/nimesh23
๐ก๏ธ