CVE-2016-7193
published 2016-10-14

CVE-2016-7193: Microsoft Word 2007 SP2, Office 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word 2016, Word for Mac 2011, Word 2016 for Mac, Office Compatibility Pack SP3, Word…

Priority: P1 (82) high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (KEV), due 2022-03-24
Exploited in the wild (ITW)
EPSS: 57.70% (99.0th percentile)
Microsoft Word 2007 SP2, Office 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word 2016, Word for Mac 2011, Word 2016 for Mac, Office Compatibility Pack SP3, Word Viewer, Word Automation Services on SharePoint Server 2010 SP2, Word Automation Services on SharePoint Server 2013 SP1, Office Web Apps 2010 SP2, Office Web Apps Server 2013 SP1, and Office Online Server allow remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."

Affected (22 ranges; the source lists no version range or fixed-in version for any entry)

Vendor      Product
microsoft   office
microsoft   office
microsoft   office
microsoft   word
microsoft   word
microsoft   word
microsoft   word
msrc        microsoft_office_2010_service_pack_2
msrc        microsoft_office_compatibility_pack_service_pack_3
msrc        microsoft_office_online_server_2016
msrc        microsoft_office_web_apps_2010_service_pack_2
msrc        microsoft_office_web_apps_server_2013_service_pack_1
msrc        microsoft_office_word_viewer
msrc        microsoft_word_2007_service_pack_3
msrc        microsoft_word_2010_service_pack_2
msrc        microsoft_word_2013_rt_service_pack_1
msrc        microsoft_word_2013_service_pack_1
msrc        microsoft_word_2016
msrc        microsoft_word_2016_for_mac
msrc        microsoft_word_for_mac_2011
msrc        word_automation_services_on_microsoft_sharepoint_server_2010_service_pack_2
msrc        word_automation_services_on_microsoft_sharepoint_server_2013_service_pack_1

Detection & IOCs (extracted from sources)

hash:   66de8e2f1d5ebbf3f8c511d5cd6394e24be3c694e78d614dfe703f8aa198906f
url:    hxxp://paneltestghelp.xyz:80/eval/server/readonly/fre.php
domain: paneltestghelp.xyz
path:   %APPDATA%\7B4331\1C8BBC.exe
other:  classid 1EFB6596-857C-11D1-B16A-00C0F0283628
  • Malicious RTF samples insert 0x0d (carriage return) bytes within the hexadecimal OLE data in the {\objdata} block to evade parsers. Scanners should strip bytes that are not hex digits (such as 0x0d) before parsing hex streams in RTF objdata.
  • Malicious RTF samples insert ignored ASCII characters such as '.}' and '}' within the OLE data stream so that third-party parsers truncate the OLE object prematurely and miss the payload. Validate that RTF parsers handle these characters correctly.
  • Presence of ActiveX classid 1EFB6596-857C-11D1-B16A-00C0F0283628 (MSCOMCTL TabStrip) in OOXML ActiveX XML files embedded within an RTF-delivered OLE object is a strong indicator of CVE-2016-7193 exploitation.
  • The dropped payload path %APPDATA%\7B4331\1C8BBC.exe is a specific Loki Bot dropper artifact from this campaign; monitor for file creation at this path.
  • Network connections to paneltestghelp.xyz on port 80 at path /eval/server/readonly/fre.php indicate active Loki Bot C2 communication from a successfully exploited host.
  • The ROP chain addresses (e.g. 0x7c3651eb, 0x7c372b02, etc.) are specific to a particular version of a Windows DLL loaded at a fixed base address. These addresses will differ across OS/patch levels and are not universally applicable for detection.
  • The initial VirusTotal detection rate for the malicious RTF was only 3 out of 45 engines, meaning most AV/security products at the time of discovery failed to detect the exploit because of the RTF malformations. Signature-only defenses may be insufficient.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck     -         7.8     HIGH       -
cisa          -         7.8     HIGH       -
vendor_msrc   -         7.8     CRITICAL   -