MSOffice/CVE_2017_11882.A!exploit

Analysis

MSOffice/CVE_2017_11882.A!exploit detects Microsoft Office documents that may be exploiting a memory corruption vulnerability in the EQNEDT32.EXE executable that can be invoked via an older suite of Microsoft Office of products. For more details, please visist: CVE 2017-11882 exploit

• Most commonly encountered is a Rich-Text Format (RTF) file with the extension .rtf. The file may appear to be empty or show text like the following images:
  

  Figure 1: Text in malicious RTF Document.

  
  

  Figure 2: Text in malicious RTF Document.

  
  

  Figure 3: Text in malicious RTF Document.

  
  


• When the file is opened, the following popup error message may show:
  

  Figure 4: Error Message.



• When the file is opened, the following securtiy alert message may show:
  

  Figure 5: Security Alert Message.



• When the file is run in MS Word or Wordpad, a call to a domain may be triggered in the background. The following domain(s) have been observed:
  • http://atgro{Removed}.lk
  • https://windo{Removed}.erlivia.ltd
  • http://jopitt{Removed}.zapto.org
  • http://fiebig{Removed}.us
  • http://www.uwao{Removed}.info
  • http://www.al-enay{Removed}.com


• The file may attempt to download any of the following:
  • atgro{Removed}.lk/wp-login/zgnU.hta - Removed from website
  • windo{Removed}.erlivia.ltd/plugin/windows-plugin.hta - Removed from website
  • jopitt{Removed}.zapto.org/jose/jose.html - Removed from website

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.