Ahmed Sonbol

CVE-2017-11882: Malspam delivers Dyzap Infostealer

Blog Post created by Ahmed Sonbol Employee on Dec 5, 2017

Last month, security researchers at Embedi disclosed a new vulnerability in Microsoft Office suite. CVE-2017-11882 resides in the Microsoft Equation editor; a tool that lets users insert and edit mathematical equations inside office documents [1]. If exploited, the vulnerability allows the attacker to run arbitrary code in the context of the current user. Microsoft issued a patch to address the vulnerability in the affected products [2][3]. It didn't take a lot of time to start seeing malspam campaigns trying to leverage CVE-2017-11882 to deliver their final payload as discussed in this blog post by Fortinet.


One of those delivery documents is PI-5460-DPC.doc. In this threat advisory we will go over the host and network behavior using NetWitness Packets and NetWitness Endpoint.


Upon opening the document in a vulnerable Microsoft Word, the vulnerability is exploited and an instance of the vulnerable Equation tool (eqnedt32.exe) is created by svchost.exe:



That is followed by a GET request to retrieve a javascript script:



eqnedt32.exe calls mshta.exe to execute the downloaded script:



When mshta.exe runs, it calls cmd.exe to write a script (A6p.vbs) to the infected machine. wscript.exe runs the newly created script which has the instructions to download the final payload:





The downloaded binary is executed and it starts to communicate with its command and control server:






The post infection traffic is characteristic of dyzap malware (also known as Lokibot). RSA FirstWatch blogged twice about its activity here and here.


Here is a recap of the network activity:



And here is a recap of the host activity:



Thanks to Kent Backman and Justin Lamarre for contributing to this threat advisory.


PI-5460-DPC.doc (SHA256):

  • 3917474eb4b2dd52aad96b76228304b692031180a55f59346808e797ea332305


fafa.exe (SHA256):

  • 1c71868cf97ee2f713d1a445f650d7a829c80e49c529be5bffb3091a3059ff23



  1. http://www.securityweek.com/microsoft-patches-17-year-old-vulnerability-office 
  2. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882