CVE-2017-11882
Published: 2017-11-15


Priority: P1 (94, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.

Affected

10 ranges

Vendor                  Product                                  Version range   Fixed in
microsoft               excel
microsoft               office
microsoft               office
microsoft               office
microsoft               office
microsoft_corporation   microsoft_office
msrc                    microsoft_office_2007_service_pack_3
msrc                    microsoft_office_2010_service_pack_2
msrc                    microsoft_office_2013_service_pack_1
msrc                    microsoft_office_2016

Detection & IOCs (extracted from sources)

filename: transferencia_swift_87647574684.xla
command: %comspec% /q /c 1> 2>&1
  • The exploit uses a buffer overflow to overwrite a return address on the EQNEDT32.EXE stack with a constant address; look for shellcode execution patterns within EQNEDT32.EXE's stack memory.
  • Post-exploitation shellcode calls URLDownloadToFileW() to drop a .js file to the AppData\Roaming directory, then ShellExecuteW() to run it via WScript.exe; monitor for this sequence from EQNEDT32.EXE.
  • Agent Tesla performs anti-analysis checks including CheckRemoteDebuggerPresent(), timing-based VM detection, and loading of sandbox DLLs (SbieDLL.dll, SxIn.dll, Sf2.dll, snxhk.dll, cmdvrt32.dll); presence of these checks in a .NET binary is a strong indicator.
  • The Agent Tesla loader module is fileless (it is never written to disk); detection should focus on memory scanning of PowerShell processes for the PROJETOAUTOMACAO.VB namespace and the VAI() method call.
  • Malicious spam delivering CVE-2017-11882 exploits was the most prevalent malware detection in 2018 (Kaspersky verdict: Win32.CVE-2017-11882); use this AV verdict as a hunt/detection pivot.
  • ChessMaster campaign used CVE-2017-11882 alongside DDEAUTO, Microsoft Office Frameset, and Link auto update as entry vectors; detections should cover all four techniques in spear-phishing document analysis.
  • The initial Excel document exploits CVE-2017-0199 (not CVE-2017-11882) to download an RTF file; CVE-2017-11882 is exploited in the second stage within the downloaded RTF document, not the initial attachment.
  • ANEL version 5.1.2 rc1 uses HTTPS for C2 communications to prevent capture of data in clear text, unlike earlier versions; network-based detection of ANEL C2 traffic must account for TLS-encrypted channels.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck               7.8     HIGH
cisa                    7.8     HIGH
vendor_msrc             7.8     HIGH