Simple script to detect CVE-2021-40444 URLs using oletools
```python
# simple script to detect CVE-2021-40444 exploits in DOCX using oletools
# v0.01 Philippe Lagadec 2021-09-09
# IMPORTANT NOTE: this script detects the few samples identified so far, by looking for "mhtml:" in remote objects URLs.
# But it is not confirmed yet if this detection is generic enough, for example if "mhtml:" is not mandatory.
# Moreover, for now only Office 2007+ files are supported.
# Detection for other file types (RTF, Office 97-2003, ...) will be implemented later.

import sys, zipfile
from oletools import oleobj, ooxml

filename = sys.argv[1]
# Office 2007+ (OOXML) documents are zip archives
if zipfile.is_zipfile(filename):
    xml_parser = ooxml.XmlParser(filename)
    # list every relationship that points outside the document
    for relationship, target in oleobj.find_external_relationships(xml_parser):
        print("Found relationship '%s' with external link %s" % (relationship, target))
        if target.startswith('mhtml:'):
            print("Potential exploit for CVE-2021-40444")
else:
    print("This is not an Office 2007+ file.")
```
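Added example (not part of the original gist, and not oletools' own code): a standard-library version of the same check that reads the relationship parts of the zip directly and matches the `mhtml:` scheme case-insensitively, since URI schemes are not case-sensitive. The function names, the sample document bytes and the `example.invalid` URLs are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files at scale, prefer defusedxml

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
RELTYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_targets(data):
    """Return (rels part, relationship type, target) for each external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(REL):
                # Internal parts omit TargetMode; only "External" leaves the package.
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found

def is_mhtml(target):
    # Tolerate leading whitespace and any letter case in the scheme.
    return target.strip().lower().startswith("mhtml:")

def scan(data):
    """Return None for non-OOXML input, else a list of (part, type, target, flagged)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    return [(p, t, u, is_mhtml(u)) for p, t, u in external_targets(data)]

def build_sample(target):
    """Constructed test input: a zip holding only a relationships part."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="%soleObject" Target="%s" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="%sstyles" Target="styles.xml"/>'
            '</Relationships>') % (RELTYPE, target, RELTYPE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for url in ("MHTML:http://example.invalid/placeholder.html",
                "https://example.invalid/template.dotx"):
        for part, rel_type, target, flagged in scan(build_sample(url)):
            verdict = "potential CVE-2021-40444" if flagged else "external link"
            print("%s [%s] %s -> %s" % (part, rel_type, target, verdict))
```

As with the original script, a hit on `mhtml:` is an indicator to triage, and the absence of one does not clear a document.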