Threat Encyclopedia

MSOffice/CVE_2017_11882.A!exploit

Analysis



MSOffice/CVE_2017_11882.A!exploit detects Microsoft Office documents that may be exploiting a memory corruption vulnerability in the EQNEDT32.EXE executable that can be invoked via an older suite of Microsoft Office of products. For more details, please visist: CVE 2017-11882 exploit

  • Most commonly encountered is a Rich-Text Format (RTF) file with the extension .rtf. The file may appear to be empty or show text like the following images:

    • Figure 1: Text in malicious RTF Document.


    • Figure 2: Text in malicious RTF Document.


    • Figure 3: Text in malicious RTF Document.


  • When the file is opened, the following popup error message may show:

    • Figure 4: Error Message.

  • When the file is opened, the following securtiy alert message may show:

    • Figure 5: Security Alert Message.

  • When the file is run in MS Word or Wordpad, a call to a domain may be triggered in the background. The following domain(s) have been observed:
    • http://atgro{Removed}.lk
    • https://windo{Removed}.erlivia.ltd
    • http://jopitt{Removed}.zapto.org
    • http://fiebig{Removed}.us
    • http://www.uwao{Removed}.info
    • http://www.al-enay{Removed}.com

  • The file may attempt to download any of the following:
    • atgro{Removed}.lk/wp-login/zgnU.hta - Removed from website
    • windo{Removed}.erlivia.ltd/plugin/windows-plugin.hta - Removed from website
    • jopitt{Removed}.zapto.org/jose/jose.html - Removed from website


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.