MSOffice/CVE_2017_11882.B!exploit
Analysis
MSOffice/CVE_2017_11882.B!exploit detects Microsoft Office documents that may be exploiting a memory corruption vulnerability in the EQNEDT32.EXE executable, which can be invoked via older suites of Microsoft Office products.
For more details, please visit: CVE 2017-11882 exploit
- The most commonly encountered form is a Rich Text Format (RTF) file with the extension .rtf. An example of such a file may look like:
- When the file is opened in MS Word or WordPad, a call out to a remote domain may be triggered. The following domains have been observed:
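As an added triage example (not part of the Fortinet entry), the script below scans RTF content for an embedded Equation Editor OLE object, the EQNEDT32.EXE component referenced above. The Equation Editor CLSID constant and the `\objupdate` heuristic are well-known values not taken from the page, and the sample document is constructed.

```python
import re
import binascii

# Equation Editor 3.0 COM class id (well-known value, assumed here, not from the page).
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"

def _clsid_le_bytes(clsid: str) -> bytes:
    """Serialize a GUID string into the 16-byte layout used inside OLE streams."""
    a, b, c, d, e = clsid.split("-")
    return (bytes.fromhex(a)[::-1] + bytes.fromhex(b)[::-1] + bytes.fromhex(c)[::-1]
            + bytes.fromhex(d) + bytes.fromhex(e))

def decode_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every \\objdata group in the RTF text."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b(.*?)\}", rtf, re.S):
        hexstr = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))  # objdata is hex-encoded
        hexstr = hexstr[: len(hexstr) - (len(hexstr) % 2)]   # drop a dangling nibble
        try:
            blobs.append(binascii.unhexlify(hexstr))
        except binascii.Error:
            continue
    return blobs

def triage_rtf(rtf: bytes) -> dict:
    """Flag RTF content that embeds an Equation Editor object (the CVE-2017-11882 vector)."""
    findings = {
        "objclass_equation": bool(re.search(rb"\\objclass\s*Equation\.\d", rtf)),
        "objupdate": b"\\objupdate" in rtf,  # forces the object to load when the file opens
        "equation_in_objdata": False,
        "clsid_in_objdata": False,
    }
    clsid = _clsid_le_bytes(EQNEDT_CLSID)
    for blob in decode_objdata(rtf):
        if b"Equation.3" in blob or b"Equation.2" in blob:  # OLE1 class name string
            findings["equation_in_objdata"] = True
        if clsid in blob:
            findings["clsid_in_objdata"] = True
    findings["suspicious"] = any(v for k, v in findings.items() if k != "suspicious")
    return findings

def sample_rtf() -> bytes:
    """Constructed stand-in: an OLE1 header naming Equation.3 with no real payload."""
    ole1 = bytes.fromhex("0105000002000000") + (11).to_bytes(4, "little") + b"Equation.3\x00"
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + binascii.hexlify(ole1) + b"}}}")

if __name__ == "__main__":
    print(triage_rtf(sample_rtf()))
```

Run it against a quarantined sample to see which of the four indicators fire; a benign document that legitimately embeds an equation will also match, so treat the result as a triage signal rather than a verdict.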
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
- Download and install the patch for the CVE-2017-11882 Vulnerability at Microsoft Office Memory Corruption Vulnerability.
Detection Availability
| Product | Availability |
|---|---|
| FortiGate | |
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| FortiADC | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |
Version Updates
| Date | Version | Status | Detail |
|---|---|---|---|
| 2023-04-03 | 91.02022 | Modified | |
| 2023-01-17 | 90.09734 | Modified | |
| 2022-07-19 | 90.04286 | Modified | |
| 2022-06-14 | 90.03243 | Modified | |
| 2022-05-25 | 90.02622 | Modified | |
| 2022-05-24 | 90.02594 | Modified | |
| 2022-05-03 | 90.01962 | Modified | |
| 2022-03-29 | 90.00912 | Modified | |
| 2021-12-28 | 89.08183 | Modified | |
| 2021-10-12 | 89.05871 | Modified | |