Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Quickie: Follina, RTF & Explorer Preview Pane - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Quickie: Follina, RTF & Explorer Preview Pane

It is known that a "Follina exploit" RTF maldoc can lead to code execution by being viewed in Explorer's preview pane:

Word will then launch msdt.exe which will ultimately lead to calc being executed in this example:

When Word is not running, an instance is launched by the DCOM Server Process Launcher service, so that it can do the rendering of the document to be displayed in Explorer's preview pane:

During this rendering, msdt.exe is launched.


Didier Stevens
Senior handler
Microsoft MVP


652 Posts
ISC Handler
Jun 12th 2022

Sign Up for Free or Log In to start participating in the conversation!