MSOffice/CVE_2017_11882.C!exploit

Analysis

MSOffice/CVE_2017_11882.C!exploit is a generic detection for an exploit.
An exploit is a malicious program that takes advantage of a software vulnerability, which may enable a remote attacker to gain access to the targeted system. Since this is a generic detection, files detected as MSOffice/CVE_2017_11882.C!exploit may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is related to the CVE-2017-11882 vulnerability. The vulnerability allows remote code execution in the context of the current user in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 due to the improper handling of objects in memory.

  • The malware exploits a stack buffer overflow in the Office Equation Editor component (EQNEDT32.EXE), which Office launches as a separate process to render embedded equation objects, to run its shellcode; the shellcode in turn attempts to download the next malicious payload. Because the overflow is triggered inside EQNEDT32.EXE rather than in the Office application itself, a downloader or command interpreter spawned as a child process of EQNEDT32.EXE is the characteristic sign of a successful exploit.

  • This malware has been associated with the following third-party advisories:
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11882
    • https://nvd.nist.gov/vuln/detail/CVE-2017-11882

  • The following are some of the file hashes associated with this detection:
    • Md5: 3f464820b643fa78164634e33cdc29e2
      Sha256: d1ea94c241e00e8e59a7212f30a9117393f9e883d2b509e566505bc337c473e3
    • Md5: 46710747bcdb50fde3cfbf2f1d76a249
      Sha256: 8f8b24276df3565bb810b741ba5ae1c056459e27352fc0611f5004c765aa1183
    • Md5: f247ab638b48ea446e41087c15789abd
      Sha256: d4141f7edade86f3e0296a44142845a6a987454372f5c39a032bd9f74a77120b
    • Md5: 1c26b0c7cd6243ce0c4990b6ec53681d
      Sha256: 4ee9b8b29743e28570161fb88d5d21202af08a1b8e71d7d5768b16eca03f3e50
    • Md5: 4650921fcbec45d7c151e59f31e20bb9
      Sha256: 9bf606915e70cf3e721eefc5d574d0c78d20ba14d97bee535965dc40487aa59a
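The following Python script is an added example and is not part of this Fortinet entry. It walks the "Equation Native" stream that an Equation.3 OLE object carries and reports the length of the name field in every FONT record, because the CVE-2017-11882 stack overflow in EQNEDT32.EXE is triggered by an over-long font name copied from that record. The two sample streams are constructed here (the oversized one uses a run of "A" bytes in place of any real payload), the record subset handled (END, a plain LINE record, FONT, and the data-less FULL/SUB/SUB2/SYM/SUBSYM records) is only the minimum needed to reach the FONT record, and the 40-byte threshold is an assumed triage heuristic rather than a value taken from this page.

```python
"""
Minimal triage for Equation Editor (CVE-2017-11882) payloads.

Walks the "Equation Native" stream of an Equation.3 object and reports every
FONT record with the length of its NUL-terminated font-name field. The
vulnerable EQNEDT32.EXE copies that name into a fixed-size stack buffer
without a bounds check, so an unusually long name is the thing to look for.
Equation.3 objects carry CLSID 0002CE02-0000-0000-C000-000000000046 in the
OLE container; this script expects the stream bytes already extracted.
"""
import struct
import sys

EQN_HDR_LEN = 28   # EQNOLEFILEHDR: cbHdr(2) version(4) cf(2) cbObject(4) reserved(16)
MTEF_HDR_LEN = 5   # MTEF version, platform, product, version, version subtype

# MTEF v3 keeps the record type in the low nibble of the tag byte and
# per-record option flags in the high nibble.
REC_END, REC_LINE, REC_FONT = 0x00, 0x01, 0x08
REC_NODATA = {0x0A, 0x0B, 0x0C, 0x0D, 0x0E}   # FULL, SUB, SUB2, SYM, SUBSYM: no payload

# Assumed triage threshold (heuristic): legitimate names such as
# "Times New Roman" are far shorter than what is needed to overrun the buffer.
SUSPICIOUS_NAME_LEN = 40


def parse_equation_native(data):
    """Return (font_records, note).

    font_records: list of (record_offset, tface, style, name_bytes)
    note: why the walk stopped (END record, unsupported record, truncation)
    """
    if len(data) < EQN_HDR_LEN + MTEF_HDR_LEN:
        return [], "truncated: shorter than the fixed headers"
    cb_hdr, _version, _cf, _cb_object = struct.unpack_from("<HIHI", data, 0)
    if cb_hdr != EQN_HDR_LEN:
        return [], "bad EQNOLEFILEHDR.cbHdr=%d" % cb_hdr
    pos = EQN_HDR_LEN + MTEF_HDR_LEN
    fonts = []
    while pos < len(data):
        tag, opts = data[pos] & 0x0F, data[pos] & 0xF0
        if tag == REC_END:
            return fonts, "END record at offset %d" % pos
        if tag == REC_FONT:
            start = pos + 1                        # tface, style, then name
            if start + 2 > len(data):
                return fonts, "truncated FONT record at offset %d" % pos
            tface, style = data[start], data[start + 1]
            nul = data.find(b"\x00", start + 2)
            if nul < 0:
                # No terminator: the unchecked copy would run to end of stream,
                # so report the whole remainder as the name.
                fonts.append((pos, tface, style, data[start + 2:]))
                return fonts, "unterminated FONT name at offset %d" % pos
            fonts.append((pos, tface, style, data[start + 2:nul]))
            pos = nul + 1
            continue
        if tag == REC_LINE and opts == 0:
            pos += 1        # plain LINE: its object list follows directly
            continue
        if tag in REC_NODATA:
            pos += 1
            continue
        return fonts, "unsupported record tag 0x%02x at offset %d" % (data[pos], pos)
    return fonts, "ran off end of stream without END record"


def suspicious_fonts(data, limit=SUSPICIOUS_NAME_LEN):
    """FONT records whose name is at least `limit` bytes long."""
    fonts, _note = parse_equation_native(data)
    return [f for f in fonts if len(f[3]) >= limit]


def build_stream(font_name):
    """Constructed sample stream: header, MTEF header, FULL, LINE, FONT, END."""
    mtef = bytes([0x03, 0x01, 0x01, 0x03, 0x0A])          # MTEF v3 header
    mtef += bytes([0x0A, 0x01])                            # FULL, plain LINE
    mtef += bytes([0x08, 0x5A, 0x5A]) + font_name + b"\x00"  # FONT record
    mtef += bytes([0x00])                                  # END
    hdr = struct.pack("<HIHI", EQN_HDR_LEN, 0x00020000, 0xC49E, len(mtef))
    return hdr + b"\x00" * 16 + mtef


# Constructed inputs for the demonstration (not samples from this page).
BENIGN_SAMPLE = build_stream(b"Times New Roman")
OVERSIZED_SAMPLE = build_stream(b"A" * 44)   # placeholder bytes, not a payload


def report(data):
    fonts, note = parse_equation_native(data)
    lines = ["FONT at offset %d: name length %d" % (f[0], len(f[3])) for f in fonts]
    flagged = suspicious_fonts(data)
    lines.append("%d suspicious FONT record(s); walk ended: %s" % (len(flagged), note))
    return "\n".join(lines)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else OVERSIZED_SAMPLE
    print(report(blob))
```

To feed it a real document, pull the stream out of the OLE container first (for example with olefile: `olefile.OleFileIO(path).openstream("Equation Native").read()`); for RTF carriers, decode the hex in the `\objdata` group and strip the OLE1 wrapper before the "Equation Native" bytes begin. The walker deliberately stops on any record type it does not understand and says so in its note, which is safer for triage than guessing at lengths and silently skipping a FONT record.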

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Apply the Microsoft security update for CVE-2017-11882 (released in November 2017); the update fixes the vulnerability itself, whereas antivirus detection only blocks documents that carry the exploit.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-04-15 92.03403
2024-04-15 92.03397
2024-04-08 92.03191
2024-04-01 92.02983
2024-03-27 92.02832
2024-03-25 92.02774
2024-03-13 92.02414
2024-03-11 92.02346
2024-03-04 92.02137
2024-02-29 92.02027