Forensic Incident Report

CVE-2022-30190 (Follina) Exploitation Analysis

Link: https://blueteamlabs.online/home/challenge/follina-f1a3452f34


1. Executive Summary

Incident Type: Remote Code Execution (RCE)

Vulnerability: CVE-2022-30190 (Follina)

Attack Vector: Malicious Microsoft Word Document

Threat Classification: Malicious

Sandbox Verdict: 100/100 (ANY.RUN)

Overview

The analyzed sample exploits the Microsoft Support Diagnostic Tool (MSDT) vulnerability known as Follina (CVE-2022-30190). Unlike traditional macro-based attacks, this exploit abuses Microsoft Word's ability to reference external HTML content, ultimately executing arbitrary commands through built-in Windows components.

The attack requires no VBA macros and leverages trusted system binaries, making detection more challenging.


2. Sample Information

Property        Value
File Name       sample.doc
Real File Type  Office Open XML Document
MIME Type       application/vnd.openxmlformats-officedocument.wordprocessingml.document
Magic Bytes     50 4B 03 04 (PK ZIP signature)
MD5             52945af1def85b171870b31fa4782e52
SHA1            06727ffda60359236a8029e0b3e8a0fd11c23313
SHA256          4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784

3. Static Analysis

Although the sample is named like a traditional .doc document, its magic bytes (50 4B 03 04, the ZIP signature) reveal that it is actually an Office Open XML document packaged as a ZIP archive.

The internal structure contains relationship files that reference external resources instead of embedding the exploit directly.

The malicious URL is stored inside:

word/_rels/document.xml.rels

which contains the external HTML reference used to trigger the vulnerability.
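One way to pull that external relationship out of the package during triage, as an added example that is not part of the original report. The document bytes are a constructed minimal OOXML package carrying only the URL from the report (not the real sample), and the relationship Type is the standard OOXML oleObject relationship type.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ZIP_MAGIC = b"PK\x03\x04"  # 50 4B 03 04, the signature listed in the report

# Constructed stand-in for the analyzed sample: a minimal OOXML package whose
# word/_rels/document.xml.rels holds one relationship with TargetMode="External".
# Only the URL comes from the report; everything else is made up for the demo.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OOXML_REL}oleObject" TargetMode="External"
    Target="https://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html"/>
</Relationships>"""

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()

def magic_bytes(data: bytes) -> str:
    """First four bytes as the hex string the report lists, e.g. '50 4B 03 04'."""
    return " ".join(f"{b:02X}" for b in data[:4])

def external_relationships(docx: bytes) -> list:
    """Return every External relationship found in the package's word/_rels/*.rels.
    Word normally links only to internal parts, so an External target that is an
    http(s) URL is the thing to inspect first."""
    if not docx.startswith(ZIP_MAGIC):
        raise ValueError("not a ZIP-based OOXML package")
    found = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                found.append({"part": name, "id": rel.get("Id"), "target": target,
                              "type": rel.get("Type", "").rsplit("/", 1)[-1],
                              "remote": target.lower().startswith(("http://", "https://"))})
    return found
```

Run it against a real suspect file by passing `open(path, "rb").read()` to `external_relationships`; a legacy binary .doc (no PK signature) is rejected rather than silently returning nothing.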


4. Exploitation Flow

Attack Chain

explorer.exe
        │
        ▼
WINWORD.EXE
        │
        ▼
document.xml.rels
        │
        ▼
External HTML
        │
        ▼
mshtml.dll Processing
        │
        ▼
msdt.exe
        │
        ▼
PowerShell Payload Execution

5. Exploitation Mechanism

Step 1 – User Opens Document

The victim opens the malicious Word document.


Step 2 – XML Relationship Processing

Microsoft Word automatically parses:

word/_rels/document.xml.rels

which contains an external relationship pointing to:

https://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html

Step 3 – Remote HTML Retrieval

The HTML file is downloaded and processed by the Windows HTML engine.


Step 4 – 4096 Byte Requirement

During analysis, it was identified that HTML files smaller than 4096 bytes do not trigger the vulnerable processing path.

Attackers therefore pad the file with filler characters or meaningless data until it exceeds this size.


Step 5 – MSDT Abuse

Instead of executing macros, the HTML invokes:

msdt.exe

The Microsoft Support Diagnostic Tool then processes attacker-controlled parameters.


Step 6 – PowerShell Execution

MSDT launches PowerShell, which executes the malicious payload in the context of the current user.


Step 7 – Defense Evasion

After execution, the malware attempts to terminate:

msdt.exe

to hide diagnostic windows and reduce user suspicion.


6. Process Execution Flow

explorer.exe
        │
        ▼
WINWORD.EXE
        │
        ▼
msdt.exe
        │
        ▼
PowerShell
        │
        ▼
Payload Execution

7. Indicators of Compromise (IoCs)

File Hashes

MD5     52945af1def85b171870b31fa4782e52
SHA1    06727ffda60359236a8029e0b3e8a0fd11c23313
SHA256  4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784

Domains

www.xmlformats.com
survey-smiles.com

URL

https://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html

Temporary Files

C:\Users\admin\AppData\Local\Temp\~$mple.doc.docx
C:\Users\admin\AppData\Local\Temp\cabF7BD.tmp
C:\Users\admin\AppData\Local\Temp\cabF72F.tmp
C:\Users\admin\AppData\Local\Temp\cabF72E.tmp

8. Detection Opportunities

Windows Event ID 4688 (process creation)

Recommended detection rule:

Field              Value
ProcessName        msdt.exe
ParentProcessName  WINWORD.EXE

Suspicious parent-child relationship:

WINWORD.EXE
        │
        ▼
msdt.exe
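The rule above as runnable detection logic, added here as an example that is not part of the original report. It runs over constructed Event ID 4688 records (not telemetry from the analyzed sample) using 4688's own New Process Name, Creator Process ID and Creator Process Name fields, and assumes Creator Process Name is populated, which is the case on current Windows builds; it also follows the creator-PID link one hop so the msdt.exe to PowerShell step from the process flow raises the severity.

```python
import ntpath

# Constructed Security-log events in the shape of Event ID 4688 (process
# creation). Sample records for the rule, not telemetry from the analyzed file.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    {"NewProcessId": "0x1a0", "NewProcessName": WINWORD,
     "CreatorProcessId": "0x3c", "CreatorProcessName": r"C:\Windows\explorer.exe"},
    {"NewProcessId": "0x2b4", "NewProcessName": r"C:\Windows\System32\msdt.exe",
     "CreatorProcessId": "0x1a0", "CreatorProcessName": WINWORD},
    {"NewProcessId": "0x3f8",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CreatorProcessId": "0x2b4", "CreatorProcessName": r"C:\Windows\System32\msdt.exe"},
    # A user opening a troubleshooter from the shell: msdt.exe with a benign
    # parent, which the rule must leave alone.
    {"NewProcessId": "0x410", "NewProcessName": r"C:\Windows\System32\msdt.exe",
     "CreatorProcessId": "0x3c", "CreatorProcessName": r"C:\Windows\explorer.exe"},
]

def image_name(path: str) -> str:
    """Case-insensitive file name of a Windows image path (ntpath handles '\\')."""
    return ntpath.basename(path).lower()

def detect_winword_msdt(events: list) -> list:
    """Flag every msdt.exe whose creator is WINWORD.EXE (the report's rule), then
    look one hop down the creator-PID links to see what msdt.exe launched next,
    so a chain that continues into PowerShell scores higher than a bare msdt.exe."""
    children = {}
    for ev in events:
        children.setdefault(ev["CreatorProcessId"], []).append(ev)
    findings = []
    for ev in events:
        if image_name(ev["NewProcessName"]) != "msdt.exe":
            continue
        if image_name(ev["CreatorProcessName"]) != "winword.exe":
            continue
        spawned = [image_name(c["NewProcessName"])
                   for c in children.get(ev["NewProcessId"], [])]
        findings.append({
            "msdt_pid": ev["NewProcessId"],
            "parent_pid": ev["CreatorProcessId"],
            "spawned": spawned,
            "severity": "high" if "powershell.exe" in spawned else "medium",
        })
    return findings

if __name__ == "__main__":
    for f in detect_winword_msdt(EVENTS):
        print(f"[{f['severity']}] WINWORD.EXE -> msdt.exe (pid {f['msdt_pid']}) -> {f['spawned']}")
```

Process IDs are reused over time, so when applying this to a real log, bound the child lookup to events close in time to the msdt.exe creation.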

9. MITRE ATT&CK Mapping

Tactic           Technique   Description
Execution        T1203       Exploitation for Client Execution
Execution        T1059       Command and Scripting Interpreter (PowerShell)
Defense Evasion  T1218.011   System Binary Proxy Execution: MSDT
Defense Evasion  T1489       Service Stop / Task Kill

10. Conclusion

The analyzed document exploits CVE-2022-30190 (Follina) to achieve remote code execution by abusing the Microsoft Support Diagnostic Tool (MSDT).

Rather than relying on macros, the attack leverages external HTML content referenced inside the Office XML relationships file. The exploit ultimately executes PowerShell commands and attempts to terminate msdt.exe to reduce visibility.

This case demonstrates how legitimate Windows components can be abused to execute malicious code while bypassing traditional macro-based defenses, highlighting the importance of behavioral monitoring, parent-child process detection, and prompt patch management.