PULSE NAME
Ongoing analysis of unknown exploit targeting Office 2007-2013
WHITE AlienVault 2015-08-17 Modified: 2017-08-24
5 IOCs
LOW VOLUME
A few days before the publishing of this blog post I came across an unknown RTF exploit sample which I could not identify as being an exploit targeting a known vulnerability like CVE-2012-0158 or CVE-2014-1761. It turns out that this exploit sample has a far greater impact than most other ‘traditional’ memory corruption exploits targeting MS Office. Successful exploitation seems to be possible on all currently supported versions of MS Office up to and including the MS15-022 patch.
Indicators of Compromise (5)
TYPE INDICATOR DESCRIPTION CREATED
hostname login.loginto.me 2017-08-24
FileHash-MD5 ae6b65ca7cbd4ca0ba86c6278c834547 2017-08-24
FileHash-MD5 23cc315702179b8552b702892e433801 2017-08-24
FileHash-MD5 6bde5462f45a230edc7e7641dd711505 2017-08-24
CVE CVE-2015-1641 2017-08-24