TROJ_CVE201711882.UHAOBHAW

 Analysis by: Augusto II Remillano

 ALIASES:

HEUR:Exploit.MSOffice.Generic (Kaspersky), Win32/Exploit.CVE-2017-11882.QV trojan (NOD32)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Exploit

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Exploit arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

  TECHNICAL DETAILS

File Size:

265,205 bytes

File Type:

DOC

Memory Resident:

No

Initial Samples Received Date:

01 Oct 2018

Arrival Details

This Exploit arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Exploit saves the files it downloads using the following names:

  • %User Profile%\Name.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista, 7, and 8.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This Exploit connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.{BLOCKED}01.215:2330/uzo.exe