By DS Labs | News & Events

Researchers at Deep Secure Labs analysed a new vulnerability discovered by Mandiant (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444) and concluded it could be used by an attacker to automatically execute ActiveX code on a target workstation when an Office document is opened.

Delivery Mechanism

The exploit, discovered in the wild within the last 48 hours, is delivered using an Office document (Word, Excel or PowerPoint).

When the user opens the document and enables editing, the Office document makes a call to an MSHTML file hosted on a compromised Web server:

This code pulls down an HTML file containing ActiveX which is read by the Microsoft browser rendering engine. In the sample seen in the wild, the ActiveX downloads a CAB file and runs the Cobalt Strike remote access tool.
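
A defender-side check for the delivery step described above, as an added example that is not from the original post or from Deep Secure: it lists the external relationship targets in an Office Open XML package and separates the ones Office loads itself from click-only hyperlinks. It assumes the remote reference is stored as a `TargetMode="External"` relationship in a `.rels` part; the function names, the sample package and the `example.invalid` URLs are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Hyperlink targets are only followed when the user clicks them.
CLICK_ONLY = ("/hyperlink",)


def external_relationships(package_bytes):
    """Return (part, rel_type, target) for every TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            data = pkg.read(name)
            if b"<!DOCTYPE" in data:  # .rels parts never need a DTD
                raise ValueError(f"DTD in relationship part {name}")
            for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def suspicious(package_bytes):
    """External targets other than click-only hyperlinks (linked objects, templates...)."""
    return [r for r in external_relationships(package_bytes)
            if not r[1].endswith(CLICK_ONLY)]


def build_sample(rels_xml):
    """Constructed test package: a ZIP holding only a document relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: one hyperlink, one linked object on a remote server, one internal part.
RELTYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SAMPLE_RELS = f"""<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="{RELTYPE}hyperlink" Target="https://example.invalid/about" TargetMode="External"/>
  <Relationship Id="rId2" Type="{RELTYPE}oleObject" Target="mhtml:http://example.invalid/page.html" TargetMode="External"/>
  <Relationship Id="rId3" Type="{RELTYPE}styles" Target="styles.xml"/>
</Relationships>"""

if __name__ == "__main__":
    for part, rel_type, target in suspicious(build_sample(SAMPLE_RELS)):
        print(f"{part}: {rel_type.rsplit('/', 1)[-1]} -> {target}")
```

A mail or web gateway can run the same check on inbound Word, Excel and PowerPoint files and quarantine any package for which `suspicious()` returns entries.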

In the following clip, Deep Secure researchers reverse engineered the attack, using the Calculator executable to demonstrate how the exploit works.




High Impact Exploit

An unusual feature of the exploit is that it is entirely self-contained. “This is a potentially high impact exploit,” commented Deep Secure researcher Aaron Mulgrew. “Because it takes advantage of a vulnerability in the browser rendering engine embedded in Office, it is not dependent on the presence of any particular browser.”

The exploit is currently unpatched and can be used to compromise any workstation running Windows 10 and Windows 11.


Customers of Deep Secure Threat Removal are automatically protected from this exploit. Because it doesn’t rely on detection to try and combat the threat, Deep Secure’s unique zero trust CDR capability always ensures Office documents are malware-free.

The following clip shows how Threat Removal ensures that the Office document is threat free:



For more information on Threat Removal, email contact-us@deep-secure.com or try Threat Removal free online now.
