Interesting. I published research on this style of attack in 2019 when I found Slack and a few other big websites vulnerable to it. In their cases, LibreOffice was passing the files off to specific parsers based on magic headers rather than file extensions.

https://buer.haus/2019/10/18/a-tale-of-exploitation-in-sprea...

We published a PoC for file write as part of our research and bug bounty submissions:

https://gist.github.com/ziot/fb96e97baae59e3539ac3cdacbd0943...