Hi,
Regularly we receive DOC files which contain a virus. This virus is not detected by ClamAV, but Kaspersky catches it as “HEUR:Exploit.RTF.CVE-2018-0802.gen”. When I check the file using rtfobj, it gives the following output.
#rtfobj Balance\ Sheet\ .doc
rtfobj 0.54 on Python 2.7.5 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: 'Balance Sheet .doc' - size: 2218409 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |00000DEAh |format_id: 2 (Embedded)
   |          |class name: 'Package'
   |          |data size: 15993
   |          |OLE Package object:
   |          |Filename: u'Client.vbs'
   |          |Source path: u'C:\\fakepath\\Client.vbs'
   |          |Temp path = u'C:\\fakepath\\Client.vbs'
   |          |MD5 = '3eea151cada1cf5592942ec92be044f0'
   |          |EXECUTABLE FILE
---+----------+---------------------------------------------------------------
1  |00031BD0h |format_id: 2 (Embedded)
   |          |class name: 'Equation.3'
   |          |data size: 3072
   |          |MD5 = '5527f9576bc4e9aa92c5646d41720008'
   |          |CLSID: 20E02C00-0000-0000-0C00-000000000004
   |          |unknown CLSID (please report at
   |          |https://github.com/decalage2/oletools/issues)
   |          |Possibly an exploit for the Equation Editor vulnerability
   |          |(VU#421280, CVE-2017-11882)
---+----------+---------------------------------------------------------------
How can we write customized rules to detect these DOC files?
Thanks
Chaminda Indrajith
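Added example (not part of the post above, and not code from oletools or ClamAV): a small Python 3 rule that does the same extraction rtfobj did and turns the two indicators in the report into a custom check: an embedded 'Equation.3' object, and an OLE 'Package' object whose label names a script or executable (here 'Client.vbs'). The OLE 1.0 header layout (version, format id, length-prefixed class name, topic, item, native data size) follows MS-OLEDS; the Package payload layout (a 2-byte short, then NUL-terminated label and source path) is what rtfobj parses and is written here from memory, so treat it as an assumption. The sample RTF is constructed inside the script, contains no exploit, and is only there to exercise the rule offline.

```python
"""Custom RTF/OLE object rule (added example; assumptions noted inline)."""
import re
import struct
import sys

# Labels a defender would want flagged inside an OLE Package object.
SCRIPT_EXTENSIONS = ('.vbs', '.js', '.jse', '.wsf', '.ps1', '.exe', '.scr', '.bat')
# Hex payload of each {\*\objdata ...} group; a real rule would also handle \bin.
OBJDATA_RE = re.compile(rb'\\objdata\b(.*?)\}', re.DOTALL)


def _lp_string(buf, off):
    """MS-OLEDS LengthPrefixedAnsiString: 4-byte length, then bytes incl. NUL."""
    (length,) = struct.unpack_from('<I', buf, off)
    off += 4
    raw = buf[off:off + length]
    return raw.rstrip(b'\x00').decode('latin-1'), off + length


def parse_ole1_object(blob):
    """Parse an OLE 1.0 embedded-object header and return its fields as a dict."""
    version, format_id = struct.unpack_from('<II', blob, 0)
    off = 8
    class_name, off = _lp_string(blob, off)
    _topic, off = _lp_string(blob, off)   # TopicName, usually empty
    _item, off = _lp_string(blob, off)    # ItemName, usually empty
    (native_size,) = struct.unpack_from('<I', blob, off)
    off += 4
    native = blob[off:off + native_size]
    info = {'version': version, 'format_id': format_id,
            'class_name': class_name, 'data_size': native_size}
    if class_name == 'Package' and len(native) > 2:
        # Assumed Package layout: 2-byte short, NUL-terminated label, NUL-terminated
        # source path (the rest: temp path and file data, not needed for the rule).
        label, _, rest = native[2:].partition(b'\x00')
        src_path, _, _ = rest.partition(b'\x00')
        info['filename'] = label.decode('latin-1')
        info['source_path'] = src_path.decode('latin-1')
    return info


def extract_objects(rtf_bytes):
    """Return parsed OLE objects found in the RTF, in document order."""
    objs = []
    for m in OBJDATA_RE.finditer(rtf_bytes):
        hexdata = re.sub(rb'[^0-9A-Fa-f]', b'', m.group(1))
        if len(hexdata) < 2:
            continue
        try:
            objs.append(parse_ole1_object(bytes.fromhex(hexdata.decode('ascii'))))
        except (struct.error, ValueError):
            continue  # truncated or obfuscated object; a stricter rule could flag this too
    return objs


def scan_rtf(rtf_bytes):
    """Apply the rule; return a list of human-readable hits (empty = clean)."""
    hits = []
    for o in extract_objects(rtf_bytes):
        if o['class_name'].startswith('Equation.'):
            hits.append("Equation Editor object (%s): possible CVE-2017-11882 / "
                        "CVE-2018-0802 exploit" % o['class_name'])
        if o['class_name'] == 'Package':
            name = o.get('filename', '')
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                hits.append("Embedded Package drops a script/executable: %s" % name)
    return hits


# --- constructed sample, shaped like the rtfobj report (no real payload) ---
def _lp(s):
    b = s.encode('latin-1') + b'\x00'
    return struct.pack('<I', len(b)) + b


def build_ole1(class_name, native):
    """Build an OLE 1.0 embedded object: version 0x0501, format_id 2 (Embedded)."""
    return (struct.pack('<II', 0x0501, 2) + _lp(class_name)
            + struct.pack('<I', 0) + struct.pack('<I', 0)     # empty topic/item
            + struct.pack('<I', len(native)) + native)


def build_sample_rtf():
    """Minimal RTF with a Package object (Client.vbs) and an Equation.3 object."""
    payload = b"WScript.Echo \"constructed sample, not malware\"\r\n"
    tmp = b'C:\\fakepath\\Client.vbs\x00'
    package_native = (struct.pack('<H', 2) + b'Client.vbs\x00'
                      + b'C:\\fakepath\\Client.vbs\x00' + struct.pack('<I', 0x30000)
                      + struct.pack('<I', len(tmp)) + tmp
                      + struct.pack('<I', len(payload)) + payload)
    def obj(cls, blob):
        return (b'{\\object\\objemb{\\*\\objclass ' + cls.encode() + b'}'
                b'{\\*\\objdata ' + blob.hex().encode() + b'}}')
    return (b'{\\rtf1\\ansi Quarterly balance sheet.\\par '
            + obj('Package', build_ole1('Package', package_native))
            + obj('Equation.3', build_ole1('Equation.3', bytes(32))) + b'}')


if __name__ == '__main__':
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_rtf()
    for hit in scan_rtf(data) or ['no hits']:
        print(hit)
```

Run it with a file path to scan a real document, or with no arguments to scan the constructed sample; the `.doc` extension is irrelevant because the rule looks only at the RTF content, which is also why a signature keyed on the extension would miss these files.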