MSOffice/Follina.536C!exploit is a generic detection for an exploit.
An exploit is a malicious program that takes advantage of a software vulnerability, which may enable a remote attacker to gain access to the targeted system. Since this is a generic detection, malware detected as MSOffice/Follina.536C!exploit may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is related to the Follina vulnerability outbreak, tracked as CVE-2022-30190. The exploit involves a compromised MSOffice file that contains a malicious URL leading to a download. The compromised file may be delivered via a suspicious email.

  • The exploit allows attackers to execute arbitrary code with the privileges of the calling application by triggering the vulnerability in the Microsoft Support Diagnostic Tool (MSDT).

  • This malware has been associated with the following third party article/advisory.

  • Below is an image of the malware:

    • Figure 1: MSOffice document containing malicious URL.

  • Below are some sites to which some of the observed samples tried to connect:
    • https://xmlform[removed]rawing/RDF8421.html!

  • Following are some of the exact file hashes associated with this detection:
    • MD5: 52945af1def85b171870b31fa4782e52
    • SHA-256: 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Web Application Firewall

Version Updates

Date        Version    Detail
2024-02-12  92.01512
2024-02-07  92.01352
2023-11-22  91.09040
2023-10-11  91.07774
2023-09-19  91.07104
2023-08-08  91.05854
2023-08-08  91.05853
2023-08-08  91.05844
2023-08-01  91.05642
2023-07-20  91.05262