CVE-2015-2545
published 2015-09-09


Priority: P183 (high) · CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 86.05% (99.7th percentile)
Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1 allows remote attackers to execute arbitrary code via a crafted EPS image, aka "Microsoft Office Malformed EPS File Vulnerability."

Affected (4 ranges)

Vendor      Product   Version range   Fixed in
microsoft   office
microsoft   office
microsoft   office
microsoft   office

Detection & IOCs (extracted from sources)

hash      a67220bcf289af6a99a9760c05d197d09502c2119f62762f78523aa7cbc96ef1
hash      07d5509988b1aa6f8d5203bc4b75e6d7be6acf5055831cc961a51d3e921f96bd
hash      b8abf94017b159f8c1f0746dca24b4eeaf7e27d2ffa83ca053a87deb7560a571
hash      d486ed118a425d902044fb7a84267e92b49169c24051ee9de41327ee5e6ac7c2
hash      fd8394b2ff9cd00380dc2b5a870e15183f1dc3bd82ca6ee58f055b44074c7fd4
hash      290ac98de80154705794e96d0c6d657c948b7dff7abf25ea817585e4c923adb2
path      %PROGRAMDATA%\Microsoft\DeviceSync\VMwareCplLauncher.exe
path      %PROGRAMDATA%\Microsoft\DeviceSync\vmtools.dll
path      %PROGRAMDATA%\Microsoft\DeviceSync\MSBuild.exe
filename  9PT568.dat
filename  TPX498.dat
filename  edg499.dat
filename  TPX499.dat
url       hxxp://feeds.rapidfeeds[.]com/88604/
ip        185.203.118.115
url       //e3e7e71a0b28b5e96cc492e636722f73//4sVKAOvu3D//ABDYot0NxyG.php
url       \e3e7e71a0b28b5e96cc492e636722f73\4sVKAOvu3D\UYEfgEpXAOE.php
hash      13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0
hash      4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2
hash      9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e
hash      0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead
hash      7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4
hash      c707716afde80a41ce6eb7d6d93da2ea5ce00aa9e36944c20657d062330e13d8
hash      0414bd2186d9748d129f66ff16e2c15df41bf173dc8e3c9cbd450571c99b3403
domain    sent.leeh0m[.]org
domain    found.leeh0m[.]org
port      443
mutex     40EM76iR9
filename  samsung.hlp
filename  ssMUIDLL.dll
filename  RasTls.exe
  • BADNEWS C2 beacon carries a victim-info string of the form uuid=[ID]#un=[Username]#cn=[Hostname]#on=[OS Version]#lan=[IP Address]#nop=#ver=1.0; hunt for HTTP POST bodies matching this pattern.
  • BADNEWS persistence: a scheduled task named 'BaiduUpdateTask1', created by vmtools.dll and run every minute; alert on its creation.
  • BADNEWS drops to %PROGRAMDATA%\Microsoft\DeviceSync\; monitor that path for the creation of VMwareCplLauncher.exe, vmtools.dll and MSBuild.exe.
  • BADNEWS C2 URI pattern: hardcoded paths using a doubled forward slash or a backslash as separator, then a 32-character hex directory segment, an alphanumeric directory and an alphanumeric .php name; detect requests matching (//|\\)[a-f0-9]{32}(//|\\)[A-Za-z0-9]+(//|\\)[A-Za-z0-9]+\.php (both URIs listed above match).
  • SPIVY (Poison Ivy variant) network handshake: the first byte gives the length (1–16) of pseudo-random padding placed before the 256-byte challenge-response, and the second control byte equals the first byte × 2; classic Poison Ivy sends a bare 256-byte challenge, so a non-standard handshake size (e.g. 267 bytes total) is a detection hook.
  • SPIVY shellcode decoding: per byte, add 0x99, XOR with 0xD4, then subtract 0x33 (mod 256); use this sequence to identify or decode SPIVY shellcode blobs.
  • CVE-2015-2545 EPS exploit: the shellcode runs inside the Office process that parses the crafted EPS image embedded in the DOCX, so detect WINWORD.EXE spawning unexpected child processes or writing EXE/DLL files.
  • The CVE-2015-2545 EPS exploit bypasses ASLR and DEP; tune memory-protection bypass detections to cover PostScript/EPS processing in Office applications.
  • BADNEWS dead-drop resolver URLs are hardcoded per sample and change across variants; the URL observed here (feeds.rapidfeeds[.]com/88604/) may be sinkholed or inactive.
  • The BADNEWS C2 IP (185.203.118.115) is recovered only after four decryption steps applied to the dead-drop content; the real C2 may rotate, so obtaining the current one requires decrypting the dead-drop content again.
  • SPIVY C2 domains (third-level names under leeh0m[.]org) were created in late February 2016 and may no longer be active; verify current resolution before blocking.
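The beacon-body and C2-URI hunts from the notes above, worked as an added example in Python (this is not code from the page or from the reports it draws on). It parses the victim-info string into named fields and matches the URI shape with either separator. The HTTP requests are constructed sample traffic; only the two URIs are the page's own indicators.

```python
import re

# Victim-info string format from the page:
# uuid=[ID]#un=[Username]#cn=[Hostname]#on=[OS Version]#lan=[IP Address]#nop=#ver=1.0
BEACON_RE = re.compile(
    r"^uuid=(?P<uuid>[^#]*)#un=(?P<un>[^#]*)#cn=(?P<cn>[^#]*)#on=(?P<on>[^#]*)"
    r"#lan=(?P<lan>[^#]*)#nop=(?P<nop>[^#]*)#ver=(?P<ver>[^#]*)$"
)

# C2 URI shape from the page: separator, 32 hex chars, separator, alphanumeric
# directory, separator, alphanumeric name + .php. The separator is either a
# doubled forward slash or a single backslash.
SEP = r"(?:/{2}|\\)"
C2_URI_RE = re.compile(
    SEP + r"[a-f0-9]{32}" + SEP + r"[A-Za-z0-9]+" + SEP + r"[A-Za-z0-9]+\.php$"
)


def parse_beacon(body):
    """Return the beacon fields as a dict, or None if body is not a BADNEWS beacon."""
    m = BEACON_RE.match(body.strip())
    return m.groupdict() if m else None


def is_c2_uri(uri):
    """True when the request path matches the BADNEWS C2 URI pattern."""
    return C2_URI_RE.search(uri) is not None


def hunt(requests):
    """requests: iterable of (method, uri, body). Returns [(reasons, uri), ...] for hits."""
    hits = []
    for method, uri, body in requests:
        reasons = []
        if method == "POST" and parse_beacon(body) is not None:
            reasons.append("badnews-beacon-body")
        if is_c2_uri(uri):
            reasons.append("badnews-c2-uri")
        if reasons:
            hits.append((reasons, uri))
    return hits


# Constructed sample traffic (not captured data); the two C2 URIs are the page's indicators.
SAMPLE_REQUESTS = [
    ("POST", "//e3e7e71a0b28b5e96cc492e636722f73//4sVKAOvu3D//ABDYot0NxyG.php",
     "uuid=1234ABCD#un=jdoe#cn=WS-042#on=Windows 7#lan=10.0.0.23#nop=#ver=1.0"),
    ("GET", "\\e3e7e71a0b28b5e96cc492e636722f73\\4sVKAOvu3D\\UYEfgEpXAOE.php", ""),
    ("POST", "/api/login", "user=jdoe&pass=secret"),
    ("GET", "/index.php", ""),
]

if __name__ == "__main__":
    for reasons, uri in hunt(SAMPLE_REQUESTS):
        print(",".join(reasons), uri)
```

The body check is keyed on POST because that is what the note describes; if proxy logs only retain the path, the URI rule alone still fires on both observed paths.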
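The host-side indicators above (WINWORD.EXE spawning children, WINWORD.EXE writing PE files, the DeviceSync drop path and the BaiduUpdateTask1 task) as one set of hunting rules, again an added example and not the page's code. The events are constructed, Sysmon-like records rather than real telemetry; the benign-child allowlist and the folding of C:\ProgramData back to %PROGRAMDATA% are assumptions to tune locally.

```python
import ntpath

# Drop location and file names from the page (compared case-insensitively).
DROP_DIR = r"%programdata%\microsoft\devicesync"
DROPPED_NAMES = {"vmwarecpllauncher.exe", "vmtools.dll", "msbuild.exe"}
TASK_NAME = "baiduupdatetask1"
# Children WINWORD.EXE is expected to spawn in a typical estate: an assumption, tune locally.
BENIGN_WORD_CHILDREN = {"splwow64.exe", "werfault.exe", "dw20.exe"}
PE_EXTENSIONS = {".exe", ".dll"}


def norm(path):
    """Lower-case, normalise slashes and fold the default C:\\ProgramData root to %PROGRAMDATA%."""
    p = path.replace("/", "\\").lower()
    root = "c:\\programdata"   # assumed default ProgramData root
    if p.startswith(root):
        p = "%programdata%" + p[len(root):]
    return p


def in_drop_dir(path):
    """True when path is one of the named BADNEWS files in the DeviceSync directory."""
    p = norm(path)
    return ntpath.dirname(p) == DROP_DIR and ntpath.basename(p) in DROPPED_NAMES


def classify(event):
    """Return the list of rule names an event trips (empty list when clean)."""
    reasons = []
    # Any image or written file in the drop path is suspicious regardless of event type.
    if any(key in event and in_drop_dir(event[key]) for key in ("image", "target")):
        reasons.append("badnews-drop-path")
    kind = event.get("type")
    if kind == "process_create":
        parent = ntpath.basename(norm(event["parent"]))
        child = ntpath.basename(norm(event["image"]))
        if parent == "winword.exe" and child not in BENIGN_WORD_CHILDREN:
            reasons.append("winword-unexpected-child")
    elif kind == "file_create":
        writer = ntpath.basename(norm(event["image"]))
        ext = ntpath.splitext(norm(event["target"]))[1]
        if writer == "winword.exe" and ext in PE_EXTENSIONS:
            reasons.append("winword-drops-pe")
    elif kind == "task_create":
        if event["task"].lower() == TASK_NAME:
            reasons.append("badnews-schtask")
    return reasons


def hunt_host(events):
    """Return [(reasons, event), ...] for every event that trips at least one rule."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((reasons, e))
    return hits


WORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
# Constructed Sysmon-like events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": WORD,
     "image": r"C:\ProgramData\Microsoft\DeviceSync\VMwareCplLauncher.exe"},
    {"type": "process_create", "parent": WORD, "image": r"C:\Windows\splwow64.exe"},
    {"type": "file_create", "image": WORD,
     "target": r"C:\ProgramData\Microsoft\DeviceSync\vmtools.dll"},
    {"type": "file_create", "image": WORD, "target": r"C:\Users\jdoe\Documents\report.docx"},
    {"type": "task_create", "image": r"C:\ProgramData\Microsoft\DeviceSync\VMwareCplLauncher.exe",
     "task": "BaiduUpdateTask1"},
    {"type": "task_create", "image": r"C:\Windows\System32\svchost.exe",
     "task": "GoogleUpdateTaskMachineUA"},
]

if __name__ == "__main__":
    for reasons, e in hunt_host(SAMPLE_EVENTS):
        print(",".join(reasons), e)
```

The WINWORD.EXE rules are deliberately not tied to the BADNEWS file names: they catch any EPS-driven payload that drops or spawns something else, while the path and task rules pin down this particular family.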
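The SPIVY handshake and shellcode-decode rules above, worked as an added example (not code from the page). The page gives the padding rule and the control-byte relation but not an exact byte layout; the layout used here (byte 0 = padding length, byte 1 = 2 × byte 0, the padding, then the 256-byte challenge) is an assumption, chosen because it reproduces the 267-byte size the page cites when the padding is 9 bytes. spivy_encode is just the inverse of the page's decode sequence and exists only to build test input; the shellcode bytes are constructed.

```python
import os

CHALLENGE_LEN = 256   # size of the classic Poison Ivy challenge


def spivy_decode(blob):
    """Per-byte decode as the page describes it: add 0x99, XOR 0xD4, subtract 0x33 (mod 256)."""
    out = bytearray()
    for b in blob:
        b = (b + 0x99) & 0xFF
        b ^= 0xD4
        b = (b - 0x33) & 0xFF
        out.append(b)
    return bytes(out)


def spivy_encode(plain):
    """Inverse of spivy_decode (steps reversed); used here only to construct test input."""
    out = bytearray()
    for b in plain:
        b = (b + 0x33) & 0xFF
        b ^= 0xD4
        b = (b - 0x99) & 0xFF
        out.append(b)
    return bytes(out)


def build_spivy_handshake(n, challenge, padding=None):
    """Construct a handshake in the assumed layout: [n][2*n][n padding bytes][256-byte challenge]."""
    if not 1 <= n <= 16 or len(challenge) != CHALLENGE_LEN:
        raise ValueError("n must be 1..16 and the challenge 256 bytes")
    padding = os.urandom(n) if padding is None else padding
    if len(padding) != n:
        raise ValueError("padding length must equal n")
    return bytes([n, (2 * n) & 0xFF]) + padding + challenge


def parse_spivy_handshake(data):
    """Return the 256-byte challenge if data fits the assumed SPIVY layout, else None."""
    if len(data) < 2:
        return None
    n, ctrl = data[0], data[1]
    if not 1 <= n <= 16 or ctrl != (2 * n) & 0xFF:
        return None
    if len(data) != 2 + n + CHALLENGE_LEN:
        return None
    return data[2 + n:]


def handshake_size_is_suspect(size):
    """Sizes the padded layout can produce (259..274) but a classic 256-byte PIVY handshake cannot."""
    return 2 + 1 + CHALLENGE_LEN <= size <= 2 + 16 + CHALLENGE_LEN


if __name__ == "__main__":
    challenge = bytes(range(CHALLENGE_LEN))
    hs = build_spivy_handshake(9, challenge)
    print(len(hs), parse_spivy_handshake(hs) == challenge)
    # Constructed stand-in for a shellcode prologue, round-tripped through the decoder.
    sc = bytes([0xFC, 0x48, 0x83, 0xE4, 0xF0])
    print(spivy_decode(spivy_encode(sc)) == sc)
```

For triage, run spivy_decode over candidate blobs and look for recognisable shellcode prologues in the output; for network detection, the size rule is a coarse filter and the control-byte check confirms the layout on the first two bytes.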

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v2.0      9.3     HIGH       AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck             7.8     HIGH
cisa                  7.8     HIGH

Note the v2 vector scores network access (AV:N) where v3.1 scores it local (AV:L), which is why the two base scores differ; CVSS v2 has no "Critical" band, so 9.3 is rated High under v2.