Hello,

Thank you for the valuable inputs. We have herewith attached a screenshot of the ESET detection as CVE-2017-11882. This may further help.
We have also scanned using the latest ClamAV signatures, Porcupine, etc., but could not detect it. So, we tried to prepare it using the malicious file.

Brief Analysis: Microsoft Equation Editor, which is a Microsoft Office component, contains a stack buffer overflow vulnerability that enables remote code execution on a vulnerable system. The vulnerability is caused by the Equation Editor failing to properly handle OLE objects in memory. This can allow an attacker to cause remote code execution on the system using specially crafted files. The files attempt to exploit the CVE-2017-11882 vulnerability to trigger code execution which downloads additional malware to take control of the system.

IOC:
HASH: SHA-256 99ce15e2fc458d02db44d648a4b88bfff0043131b392475ad314a1f3dd72245f
HTTP Requests: http://18.184.225.160/win/marxlo.exe
.......

With Regards
Jigar Raval

On Sat, Mar 27, 2021 at 11:28 PM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Sat, 27 Mar 2021, Jigar via clamav-users wrote:
>
> > In the first week of March 2021, multiple users had received email
> > with xlsx attachment having exploit for CVE-2017-11882. The clamav
> > could not detect it but other antivirus like eScan and ESET could
> > detect it as malware threat.
>
> Signatures exist for at least some exploits of CVE-2017-11882. Looking
> at the signatures in my current ClamAV database:
>
> $ grep -as CVE-2017-11882 * | cut -d';' -f1
> MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M2
> MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M3
> MiscreantPunch099-Low.ldb:MisreantPunch.EvilDoc.CVE-2017-11882.M9
> MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.CVE-2017-11882.M10
> MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.RTF-CVE-2017-11882.Template.180412.M2
> porcupine.hsb:58cbe7516369d9e79660bda6e576cffd:2738688:Porcupine.Win32.Exploit.CVE-2017-11882.C.99928:73
> porcupine.hsb:5cc0bfe9a8528b1deb2dcaa7691b1794:2621952:Porcupine.Win32.Exploit.CVE-2017-11882.C.100063:73
> porcupine.hsb:140aade63d9cd5cb747845101df9ff85:2395136:Porcupine.Win32.Exploit.CVE-2017-11882.C.100065:73
> porcupine.hsb:0db8aceb5fdf7f22bc31682726c5b071:883200:Porcupine.Win32.Exploit.CVE-2017-11882.C.99936:73
> porcupine.hsb:652fa43a2f71cab80126efc843a98d84:84891:Porcupine.Win32.Exploit.CVE-2017-11882.C.99924:73
>
> This is a rather old CVE, what databases do you use for your ClamAV
> installation? Perhaps what you have seen recently is a new threat
> which has been engineered to avoid some of the existing signatures.
>
> > We also need guidance:
> >
> > 1. How to identify the correct file to generate the generic signature,
> > especially if files with different name but same exploit has been sent.
>
> I do not understand the question, but ClamAV looks at a stream of data
> or at the contents of files. Except for the purposes of reporting to
> you the results of scanning the files, the names of those files are of
> no significance to ClamAV.
>
> --
>
> 73,
> Ged.
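The thread asks how to get from one caught sample to a signature that also catches re-packed copies with other file names. As an added illustration (not code from either poster, nor from the ClamAV project), the script below does two things on an xlsx container: it walks the zip members and flags any embedded OLE object that carries Equation Editor markers (the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} in its on-disk little-endian layout, and the UTF-16LE "Equation Native" stream name), ignoring member names just as ClamAV ignores file names; and it emits both a per-file `.hsb` hash line in the same shape as the porcupine.hsb entries quoted above and a `.ndb` body pattern keyed on the CLSID. The sample workbook is constructed inline and is not a real document; the signature names are placeholders.

```python
import hashlib
import io
import uuid
import zipfile

# CLSID of the Equation Editor (Equation.3) OLE class, the component that
# CVE-2017-11882 lives in. OLE2/CFB directory entries store it in the
# little-endian "bytes_le" layout, which is what we search for.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le
# Name of the stream holding the MTEF equation data, as stored (UTF-16LE)
# in the CFB directory of an embedded Equation object.
EQNATIVE_STREAM = "Equation Native".encode("utf-16-le")


def find_equation_objects(xlsx_bytes: bytes):
    """Walk an OOXML container and return (member, marker) pairs for every
    zip member carrying an Equation Editor marker. Member names are never
    consulted: only content decides, which is Ged's point about ClamAV."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            blob = z.read(info.filename)
            if EQNEDT_CLSID_LE in blob:
                hits.append((info.filename, "clsid"))
            if EQNATIVE_STREAM in blob:
                hits.append((info.filename, "equation-native"))
    return hits


def clamav_hsb_line(sample: bytes, name: str, min_flevel: int = 73) -> str:
    """Per-file hash signature in ClamAV .hsb form
    (HashString:FileSize:MalwareName:MinFL), the shape of the porcupine.hsb
    lines in the thread. It matches only this exact file; a re-packed copy
    of the same exploit has a different hash and size."""
    return f"{hashlib.md5(sample).hexdigest()}:{len(sample)}:{name}:{min_flevel}"


def clamav_ndb_marker_line(name: str) -> str:
    """Body pattern in ClamAV .ndb form (MalwareName:TargetType:Offset:Hex),
    keyed on the Equation Editor CLSID. TargetType 0 = any file type,
    Offset * = anywhere. It fires on every embedded Equation object, benign
    ones included, so treat it as a triage/hunting pattern, not a production
    signature; a real one would also match the crafted MTEF record."""
    return f"{name}:0:*:{EQNEDT_CLSID_LE.hex()}"


def build_sample_xlsx(embed_equation: bool) -> bytes:
    """Constructed minimal OOXML zip (assumption: not a real workbook); it
    carries only the members this check looks at. With embed_equation=True
    it includes a fake OLE object holding the CLSID and stream-name markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if embed_equation:
            fake_ole = (
                b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB magic
                + b"\x00" * 64
                + EQNEDT_CLSID_LE
                + b"\x00" * 32
                + EQNATIVE_STREAM
            )
            z.writestr("xl/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx(embed_equation=True)
    for member, marker in find_equation_objects(sample):
        print(f"{member}: {marker}")
    print(clamav_hsb_line(sample, "Example.Xlsx.EquationObject.Hash"))
    print(clamav_ndb_marker_line("Example.Ole.EquationEditor.CLSID"))
```

The hash line goes into a `.hsb` file and the pattern into a `.ndb` file, both loadable with `clamscan -d <file>`. The contrast is the answer to question 1: a hash signature is tied to one exact file, so samples that differ only in name still match only if their bytes are identical, while a body pattern matches the embedded object regardless of the container's name; the cost is that a pattern this broad needs narrowing before it is usable as a detection rather than a hunting aid.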
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml