Undetected CVE-2017-11882

[KDibble]

At VirusTotal:

https://www.virustotal.com/gui/file/33460b47d955bb765d583e410e994b8ce5e22be93176ab0297df04a54cc75b47/detection

This was sent via email to us earlier today. 23/57 engines detect malware. Avast is not among them.

[Edited to correct typo, and to add:]

The file is an Excel spreadsheet.

[Pondus]

Report a malicious sample (select file or website)
https://www.avast.com/report-malicious-file.php

[KDibble]

Reported.

Thanks, Pondus.

[Pondus]

Reported.

Thanks, Pondus.

Your welcome   


Info on how to report to avast lab is found in one of the two sticky posts at top in this section

[polonus]

Read how this COBALT payload exploiting went unnoticed for 17 years:
https://blog.reversinglabs.com/blog/reversinglabs-yara-rule-detects-cobalt-payload-exploiting-cve-2017-11882
and likewise: https://www.mimecast.com/blog/2019/03/the-return-of-the-equation-editor-exploit--difat-overflow/
combining the first  Equation Editor Exploit with an attack amplifier and a way to render it to go undetected.

Cybercriminals here were a special group from Serbia, that were using specially-crafted Microsoft Word documents
to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format,
abusing OLE formats in this way.

The MS Office dropper can be detected using the YARA rule “potential_CVE_2017_11882_v2.yara”.
Download here: https://www.reversinglabs.com/sites/files/downloads/potential_CVE_2017_11882_v2.yara

What more undocumented surprises to be abused Microsoft has in store for us.

This is why for military & critical infrastructure for the Russian Federation,
they recently started to steer away from propriety Microsoft to embrace their own form of hardenend linux OS,
named Astra Linux.

polonus

[KDibble]

This is now detected by 8.0.1609. pattern file version 190624-0.

Thanks everyone!