MSOffice/Follina.536C!exploit

Analysis

MSOffice/Follina.536C!exploit is a generic detection for an exploit.
An exploit is a malicious program that takes advantage of a software vulnerability that may enable a remote attacker to gain access to the targeted system. Since this is a generic detection, malware that are detected as MSOffice/Follina.536C!exploit may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware is related to the Follina vulnerability outbreak. It has the identifier CVE-2022-30190. The exploit involves a compromised MSOffice file that contains a malicious URL which leads to a download. The compromised file may be sent as a suspicious email.


• The exploit allows attackers to execute arbitrary code with the privileges of the calling application by exploiting the vulnerability affecting the Microsoft Support Diagnostic Tool (MSDT).


• This malware has been associated with the following third party article/advisory.

https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability



• Below is an image of the malware:
  

  Figure 1: MSOffice document containing malicious URL.

  
  
• Below are some sites to which some of the observed samples tried to connect to:
  
  • https://xmlform[removed]rawing/RDF8421.html!


• Following are some of the exact file hashes associated with this detection:
  
  • Md5: 52945af1def85b171870b31fa4782e52
    Sha256: 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.