Threat Encyclopedia

MSOffice/Follina.536C!exploit

description-logoAnalysis

MSOffice/Follina.536C!exploit is a generic detection for an exploit.
An exploit is a malicious program that takes advantage of a software vulnerability that may enable a remote attacker to gain access to the targeted system. Since this is a generic detection, malware that are detected as MSOffice/Follina.536C!exploit may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is related to the Follina vulnerability outbreak. It has the identifier CVE-2022-30190. The exploit involves a compromised MSOffice file that contains a malicious URL which leads to a download. The compromised file may be sent as a suspicious email.

  • The exploit allows attackers to execute arbitrary code with the privileges of the calling application by exploiting the vulnerability affecting the Microsoft Support Diagnostic Tool (MSDT).

  • This malware has been associated with the following third party article/advisory.
  • https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability
    

  • Below is an image of the malware:

    • Figure 1: MSOffice document containing malicious URL.

  • Below are some sites to which some of the observed samples tried to connect to:
    • https://xmlform[removed]rawing/RDF8421.html!

  • Following are some of the exact file hashes associated with this detection:
    • Md5: 52945af1def85b171870b31fa4782e52
      Sha256: 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry