[clamav-users] ClamAV to detect exploits for the Equation Editor vulnerability in DOC files
Chaminda Indrajith
indrajith at sltidc.lk
Fri Jan 22 11:42:37 UTC 2021
Hi,
Regularly we receive DOC files which contain viruses. These viruses are not
detected by ClamAV, but Kaspersky catches them as
"HEUR:Exploit.RTF.CVE-2018-0802.gen". When I check the file using rtfobj,
it gives the following output.
#rtfobj Balance\ Sheet\ .doc
rtfobj 0.54 on Python 2.7.5 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: 'Balance Sheet .doc' - size: 2218409 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |00000DEAh |format_id: 2 (Embedded)
   |          |class name: 'Package'
   |          |data size: 15993
   |          |OLE Package object:
   |          |Filename: u'Client.vbs'
   |          |Source path: u'C:\\fakepath\\Client.vbs'
   |          |Temp path = u'C:\\fakepath\\Client.vbs'
   |          |MD5 = '3eea151cada1cf5592942ec92be044f0'
   |          |EXECUTABLE FILE
---+----------+---------------------------------------------------------------
1  |00031BD0h |format_id: 2 (Embedded)
   |          |class name: 'Equation.3'
   |          |data size: 3072
   |          |MD5 = '5527f9576bc4e9aa92c5646d41720008'
   |          |CLSID: 20E02C00-0000-0000-0C00-000000000004
   |          |unknown CLSID (please report at
   |          |https://github.com/decalage2/oletools/issues)
   |          |Possibly an exploit for the Equation Editor vulnerability
   |          |(VU#421280, CVE-2017-11882)
---+----------+---------------------------------------------------------------
How can we write customized rules to detect these DOC files?
Thanks
Chaminda Indrajith
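As an added example (not code from the post, and not part of oletools or ClamAV), the following Python mirrors what rtfobj reported above and turns those indicators into ClamAV signature lines. It hex-decodes each \objdata object in an RTF, reads the OLE 1.0 header for the format id and class name, looks in the decoded bytes for the CLSID rtfobj could not identify (20E02C00-0000-0000-0C00-000000000004), for the documented Microsoft Equation 3.0 CLSID (0002CE02-0000-0000-C000-000000000046) and for the "Equation Native" stream name that Equation Editor objects carry, then emits one .ndb and one .ldb signature. The two RTF documents it scans are constructed inline with fake object payloads and are not real exploit files; the signature names, the constant names and the BENIGN_CLSID value are this example's own.

```python
"""Offline check for RTF documents that embed an Equation Editor object.

Added example: not code from the post, oletools or ClamAV. It keys on the
indicators rtfobj reported (the Equation.3 class name and the CLSID rtfobj
did not recognise) plus the 'Equation Native' stream name, and emits
matching ClamAV signature lines.
"""
import re
import struct
import uuid

# Indicators. UNKNOWN_CLSID is the value from the rtfobj output; the next two
# are the documented Microsoft Equation 3.0 CLSID and stream name.
EQUATION_CLASS_NAMES = {b"equation.3"}                   # compared case-insensitively
UNKNOWN_CLSID = uuid.UUID("20E02C00-0000-0000-0C00-000000000004")
EQUATION_30_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")  # OLE2 directory names are UTF-16LE
BENIGN_CLSID = uuid.UUID("12345678-0000-0000-0000-000000000000")  # constructed, clean sample only

# \objdata is followed by the hex-encoded OLE 1.0 object, often split across lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def parse_ole1_header(blob):
    """Read the OLE 1.0 ObjectHeader at the start of a decoded \\objdata blob.

    Little-endian: OLEVersion u32, FormatID u32 (2 = embedded), then ClassName,
    TopicName, ItemName, each a u32 length (counting the NUL) plus that many
    bytes. Returns (format_id, class_name, offset_of_native_data_size), or
    (None, b"", 0) when the header is truncated.
    """
    try:
        _version, format_id = struct.unpack_from("<II", blob, 0)
        off, strings = 8, []
        for _ in range(3):
            (n,) = struct.unpack_from("<I", blob, off)
            off += 4
            if off + n > len(blob):
                raise struct.error("length-prefixed string runs past end of data")
            strings.append(blob[off:off + n].rstrip(b"\x00"))
            off += n
    except struct.error:
        return None, b"", 0
    return format_id, strings[0], off


def scan_rtf(rtf):
    """One finding per \\objdata object: header fields, matched indicators, verdict."""
    findings = []
    for index, match in enumerate(OBJDATA_RE.finditer(rtf)):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        blob = bytes.fromhex(hexdata[: len(hexdata) // 2 * 2].decode("ascii"))
        format_id, class_name, _ = parse_ole1_header(blob)
        indicators = []
        if class_name.lower() in EQUATION_CLASS_NAMES:
            indicators.append("class_name")
        # An OLE2 root entry stores its CLSID in GUID little-endian byte order,
        # which is exactly what uuid.bytes_le yields.
        if UNKNOWN_CLSID.bytes_le in blob:
            indicators.append("unknown_clsid")
        if EQUATION_30_CLSID.bytes_le in blob:
            indicators.append("equation30_clsid")
        if EQUATION_NATIVE in blob:
            indicators.append("equation_native_stream")
        findings.append({"index": index, "offset": match.start(), "format_id": format_id,
                         "class_name": class_name.decode("latin-1"),
                         "indicators": indicators, "suspicious": bool(indicators)})
    return findings


def clamav_signatures(prefix="Doc.Exploit.EquationEditor.Custom"):
    """ClamAV signature lines for the same indicators (formats are ClamAV's, the
    names are this example's). ClamAV's RTF parser hex-decodes each \\objdata
    object and scans it as a file of its own, so the hex is decoded content."""
    # .ndb extended signature, Name:TargetType:Offset:Hex (Target 0 = any file,
    # * = any offset). Also hits the plain-text \objclass argument and every
    # legitimate Equation Editor object: a hunting rule, not a blocking one.
    ndb = f"{prefix}.ClassName:0:*:{b'Equation.3'.hex()}"
    # .ldb logical signature, Name;TargetDescription;Expression;Subsig0;Subsig1.
    # 0&1: the CLSID rtfobj could not identify AND the Equation Native stream
    # name; a genuine equation carries the documented CLSID instead, so this is
    # the high-confidence alert.
    ldb = (f"{prefix}.UnknownClsid;Engine:51-255,Target:0;0&1;"
           f"{UNKNOWN_CLSID.bytes_le.hex()};{EQUATION_NATIVE.hex()}")
    return [ndb, ldb]


def build_sample_rtf(class_name, clsid, stream_name="Equation Native"):
    """Constructed input (not a real document): one embedded OLE 1.0 object whose
    native data carries only the OLE2 magic, a CLSID and a UTF-16LE stream name."""
    def lpstr(s):
        return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)
    native = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + clsid.bytes_le
              + b"\x00" * 8 + stream_name.encode("utf-16-le") + b"\x00" * 8)
    blob = (struct.pack("<II", 0x00000501, 2) + lpstr(class_name) + lpstr(b"")
            + lpstr(b"") + struct.pack("<I", len(native)) + native)
    hexdata = blob.hex().encode("ascii")
    wrapped = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass " + class_name + b"}"
            + b"{\\*\\objdata " + wrapped + b"}}\\par}")


if __name__ == "__main__":
    samples = (("equation", build_sample_rtf(b"Equation.3", UNKNOWN_CLSID)),
               ("clean", build_sample_rtf(b"Word.Document.8", BENIGN_CLSID, "WordDocument")))
    for label, rtf in samples:
        for finding in scan_rtf(rtf):
            print(label, finding)
    print("\n".join(clamav_signatures()))
```

Put the .ndb line in a file ending in .ndb and the .ldb line in a file ending in .ldb inside one directory, then run `clamscan -d that_directory` against a known sample before deploying, because the class-name rule fires on any document with a legitimate equation object and is only useful for hunting, while the logical signature requires the non-standard CLSID seen in the rtfobj output and is the one worth alerting on.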