@decalage2
Last active August 19, 2022 16:01
Simple script to detect CVE-2021-40444 URLs using oletools
```python
# simple script to detect CVE-2021-40444 exploits in DOCX using oletools
# v0.01 Philippe Lagadec 2021-09-09
# IMPORTANT NOTE: this script detects the few samples identified so far, by looking for "mhtml:" in remote object URLs.
# But it is not confirmed yet if this detection is generic enough, for example if "mhtml:" is not mandatory.
# Moreover, for now only Office 2007+ files are supported.
# Detection for other file types (RTF, Office 97-2003, ...) will be implemented later.
# usage: python <this script> FILE
import sys, zipfile
from oletools import oleobj, ooxml

filename = sys.argv[1]
if zipfile.is_zipfile(filename):
    # Office 2007+ (OOXML) files are zip containers; walk every external relationship
    xml_parser = ooxml.XmlParser(filename)
    for relationship, target in oleobj.find_external_relationships(xml_parser):
        print("Found relationship '%s' with external link %s" % (relationship, target))
        if target.startswith('mhtml:'):
            print("Potential exploit for CVE-2021-40444")
else:
    print("This is not an Office 2007+ file.")
```
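The gist depends on oletools to enumerate external relationships. As an added example (not part of the gist), the following standard-library-only script shows what that enumeration does underneath: it opens the OOXML zip, parses every `.rels` part, keeps the relationships whose `TargetMode` is `External`, and flags targets with the `mhtml:` scheme. Two things go beyond the gist's exact check: the scheme comparison is case-insensitive (URL schemes are case-insensitive, so a `startswith('mhtml:')` on the raw string would miss `MHTML:`), and malformed `.rels` parts are skipped instead of aborting the scan. The two relationship fixtures and the placeholder `example.invalid` URLs are constructed here for the test; they are not real samples, and `build_docx` only produces a minimal skeleton for exercising the scanner.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Constructed fixtures (not real samples). The first carries an external oleObject
# relationship whose target uses the mhtml: scheme (upper-cased on purpose); the
# second carries only an ordinary external hyperlink, which must not be flagged.
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="MHTML:http://example.invalid/placeholder.html" TargetMode="External"/>
</Relationships>
"""

BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>
"""


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal OOXML zip skeleton carrying the given document.xml.rels part (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def find_external_relationships(data: bytes):
    """Yield (part, relationship_type, target) for each TargetMode="External" relationship
    found in any *.rels part of the zip. This is the same information the gist gets
    from oletools' find_external_relationships(), obtained with the standard library."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed relationship part: skip it rather than abort the scan
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # Relationships without TargetMode are internal (point inside the package)
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. "oleObject", "hyperlink"
                yield name, rel_type, rel.get("Target", "")


def is_mhtml_target(target: str) -> bool:
    """URL schemes are case-insensitive, so normalise case and surrounding whitespace
    before comparing; the gist's raw startswith('mhtml:') would miss 'MHTML:'."""
    return target.strip().lower().startswith("mhtml:")


def scan_ooxml(data: bytes) -> dict:
    """Return all external relationships and the subset whose target uses the mhtml: scheme."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"is_ooxml": False, "external": [], "suspicious": []}
    external = list(find_external_relationships(data))
    suspicious = [(part, rel_type, target) for part, rel_type, target in external
                  if is_mhtml_target(target)]
    return {"is_ooxml": True, "external": external, "suspicious": suspicious}


if __name__ == "__main__":
    import sys
    # With a path argument, scan that file; otherwise scan the constructed suspicious fixture.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_docx(SUSPICIOUS_RELS)
    result = scan_ooxml(data)
    if not result["is_ooxml"]:
        print("This is not an Office 2007+ file.")
    for part, rel_type, target in result["external"]:
        print("Found relationship '%s' in %s with external link %s" % (rel_type, part, target))
    for part, rel_type, target in result["suspicious"]:
        print("Potential exploit for CVE-2021-40444: %s -> %s" % (rel_type, target))
```

The `external` list is worth printing even when nothing is flagged: an `oleObject` relationship pointing outside the package is unusual in ordinary documents, and the gist's own header notes that the `mhtml:` prefix may not be mandatory, so a reviewer should look at every external object target rather than only the ones matching the scheme.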
@Lajigithub

Good
