CVE-2017-11882 Will Never Die

Aug. 13, 2025, 2:47 p.m.

Description

The report discusses the persistent exploitation of CVE-2017-11882, a remote code execution vulnerability in Microsoft Office's Equation Editor. Despite its age, attackers continue to use it to spread modern malware. The analysis focuses on a malicious Excel file that exploits this vulnerability without using VBA macros. The file carries an obfuscated payload inside an embedded object, which is identified as the Equation Editor exploit. Further investigation reveals that the malware downloads VIPKeyLogger, a keylogger and stealer, and the report provides its configuration details.

Date

  • Created: Aug. 13, 2025, 10:55 a.m.
  • Published: Aug. 13, 2025, 10:55 a.m.
  • Modified: Aug. 13, 2025, 2:47 p.m.

Indicators


Attack Patterns

Linked vulnerabilities