MSOffice/CVE_2018_0798.BOR!exploit

Analysis

MSOffice/CVE_2018_0798.BOR!exploit is a generic detection for an exploit.
An exploit is a malicious program that takes advantage of a software vulnerability that may enable a remote attacker to gain access to the targeted system. Since this is a generic detection, malware that are detected as MSOffice/CVE_2018_0798.BOR!exploit may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware attempts to exploit a buffer overflow which would lead to an arbitrary code execution. It is related to the CVE-2018-0798 vulnerability. The malware targets the equation editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 which allows a remote code execution vulnerability.


• This malware has been associated with the following third party advisory.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0798
https://nvd.nist.gov/vuln/detail/CVE-2018-0798



• Following are some of the exact file hashes associated with this detection:
  
  • Md5: 9c71c815218af6ff1731999259f4addf
    Sha256: 398d256650b2e158d1669d1153eb18677a6ad26995141a616d73d56b68c7ec07
  • Md5: 30abfaa1f4f0c6e5639a508f7dcbdeca
    Sha256: 81902bcf2618888999cbe28c0cc2a3822e32f400fbcc28991684fed14fbbe1c0
  • Md5: 295d2090edd09657a2f4d11054c7775d
    Sha256: 180d4590db1326a44047937837a9e67821cefd1ca0ccf4f3b26e023284aecd0c
  • Md5: 901559330a73a5c24ddcbdccb875b16f
    Sha256: b6575bf9ab9d4659d1fe979b1c8fe44647fa7e8fdd4fd3cd7de02c9884b3fb0e
  • Md5: aab9d2ad0f159359ec503bd004317daa
    Sha256: 7bb77c85fc2670ac6f5a8b223ca791a2f5ae8e758e9cbef746db074344cb4f6d
  • Md5: 03311d2c01c42f1d982a73eadb7816b0
    Sha256: 8482c25850b9d388eb7d2fde0ddb253dcf1834acfc6c56daa5cd81bba922a038

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.