Microsoft Office OLE2Link vulnerability samples - a quick triage
released on 2017-04-11 @ 06:04:37 PM
On April 7th 2017 Haifei Li published on the McAfee blog [1] about a “Critical Office Zero-Day” in the wild. Few details were given and no hashes were available, which made it interesting to find samples and conduct an initial analysis. A further blog by FireEye titled “Acknowledgement of Attacks Leveraging Microsoft Zero-Day” provided additional useful information.
During testing we were able to generate a number of proof-of-concept (PoC) documents, both with and without a prompt to the user. It is likely that the vulnerability will be documented in full detail over the coming days, so instead we discuss a number of ways to detect and analyse these documents using freely available tools. This information may be useful to any incident responder or blue team looking to defend an organisation.