MSOffice/CVE_2017_11882.A!exploit detects Microsoft Office documents that may be exploiting a memory corruption vulnerability in the EQNEDT32.EXE executable, which can be invoked by an older version of the Microsoft Office suite of products. For more details, please visit: CVE 2017-11882 exploit

  • The most commonly encountered form is a Rich Text Format (RTF) file with the extension .rtf. The file may appear to be empty or may show text like that in the following images:

    • Figure 1: Text in malicious RTF Document.

    • Figure 2: Text in malicious RTF Document.

    • Figure 3: Text in malicious RTF Document.

  • When the file is opened, the following popup error message may show:

    • Figure 4: Error Message.

  • When the file is opened, the following security alert message may show:

    • Figure 5: Security Alert Message.

  • When the file is opened in MS Word or WordPad, a connection to a remote domain may be triggered in the background. The following domain(s) have been observed:
    • http://atgro{Removed}.lk
    • https://windo{Removed}
    • http://jopitt{Removed}
    • http://fiebig{Removed}.us
    • http://www.uwao{Removed}.info

  • The file may attempt to download any of the following:
    • atgro{Removed}.lk/wp-login/zgnU.hta - Removed from website
    • windo{Removed} - Removed from website
    • jopitt{Removed} - Removed from website
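
Added here as a defender-side triage example (not Fortinet's code or part of the original entry): a small scanner that hex-decodes the \objdata groups of an RTF file and flags any that embed an Equation Editor object, the EQNEDT32.EXE vector this signature covers. It assumes the Equation Editor ProgIDs "Equation.3"/"Equation.2" appear in the OLE1 object header; the _ole1 helper and the three sample documents are constructed for illustration, not taken from the detections above.

```python
import binascii
import re

# Assumption (not from the Fortinet page): Equation Editor objects carry the
# ProgID "Equation.3" (older builds "Equation.2") in the OLE1 header that RTF
# stores as hex text inside {\*\objdata ...} groups.
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{}\s;]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objects(rtf: bytes) -> list:
    """Hex-decode every \\objdata group. Whitespace is stripped first because
    the hex is often split across lines; a stray trailing nibble is dropped."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]
        try:
            blobs.append(binascii.unhexlify(hexdata))
        except binascii.Error:
            continue
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Flag RTF content that embeds an Equation Editor object. Both the declared
    \\objclass and the decoded object header are checked, since the class word
    may be missing while the blob still names the ProgID that launches EQNEDT32."""
    classes = OBJCLASS_RE.findall(rtf)
    blobs = extract_objects(rtf)
    hits = sum(1 for b in blobs if any(p in b for p in EQUATION_PROGIDS))
    hits += sum(1 for c in classes if c in EQUATION_PROGIDS)
    return {"objects": len(blobs), "declared_classes": classes,
            "equation_hits": hits, "suspicious": hits > 0}


def _ole1(progid: bytes) -> bytes:
    """Build a minimal OLE1 embedded-object header (constructed sample data)."""
    name = progid + b"\x00"
    return (b"\x01\x05\x00\x00\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name + b"\x00" * 8)


# Constructed samples, not the page's indicators: an Equation.3 object with its
# hex split across lines and no \objclass; a normal embedded Word document; text.
_eq_hex = binascii.hexlify(_ole1(b"Equation.3"))
EQN_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + _eq_hex[:20]
           + b"\r\n" + _eq_hex[20:] + b"}}}")
DOC_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}"
           b"{\\*\\objdata " + binascii.hexlify(_ole1(b"Word.Document.8")) + b"}}}")
PLAIN_RTF = b"{\\rtf1\\ansi Hello world}"
```

Run scan_rtf over a quarantined .rtf's bytes; a result with "suspicious": True is a candidate for the signature above, while an embedded Word or Excel object alone is not flagged.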

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Web Application Firewall

Version Updates

Date Version Detail
2023-11-20 91.08981
2023-07-11 91.05011
2023-07-05 91.04826
2023-07-04 91.04805
2023-01-24 90.09944
2022-06-21 90.03462
2022-06-07 90.03046
2022-05-25 90.02622
2022-03-22 90.00702
2022-03-15 90.00492