[clamav-users] Ppt.Exploit.CVE_2017_0199-6336815-1 FP?
Hajo Locke
Hajo.Locke at gmx.de
Thu Oct 5 08:42:49 UTC 2017
Hello List,
since yesterday we found a lot of malware called
Ppt.Exploit.CVE_2017_0199-6336815-1
Hitrate is extremly increasing. Currently i believe this is a FP.
Signature looks short:
Ppt.Exploit.CVE_2017_0199-6336815-1:0:*:736368656d61732e6f70656e786d6c666f726d6174732e6f72672f6f6666696365646f63756d656e74{-500}7363726970743a
This decodes to:
schemas.openxmlformats.org/officedocument{-500}script:
Unfortunately i cant sent samples of found docx-files, because they are
privat.
Anybody else noticed this behaviour?
Thanks,
Hajo
More information about the clamav-users
mailing list