Old Microsoft Office vulnerability CVE-2017-11882 actively being exploited in the wild


Attacks exploiting a year-and-a-half-old vulnerability in Microsoft Office (CVE-2017-11882) are active in the wild again.

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user.

The vulnerability lies in the Equation Editor component (EQNEDT32.EXE), which fails to properly handle OLE objects in memory when it parses an embedded equation. An attacker can trigger it with a crafted RTF file; the only user interaction required is opening the document. Microsoft patched the flaw on November 14, 2017. Recently, the SonicWall Capture Labs Threat Research team observed a wave of exploits in the wild attacking this vulnerability.

The malicious RTF file carries an embedded equation object:
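The embedded equation object is the indicator worth checking first when triaging a suspected lure of this kind. The following scanner is an added example (not SonicWall's code) that extracts every `\objdata` blob from an RTF, reads the class name from its OLE 1.0 object header, and looks inside the embedded data for the Microsoft Equation 3.0 CLSID and the "Equation Native" stream name. The sample RTF is constructed inline for the demo and is benign; no real exploit bytes are included.

```python
"""Heuristic scanner for RTF documents that embed a Microsoft Equation 3.0 object.

Added example, not SonicWall's code. It checks the indicators an analyst
would look for when triaging a suspected CVE-2017-11882 lure: the
\\objclass control word, the class name in the OLE 1.0 object header, and
the Equation Editor CLSID and "Equation Native" stream name inside the
embedded data. The sample RTF is constructed here and is benign.
"""
import re
import struct
from typing import List, Optional

# CLSID of Microsoft Equation 3.0, {0002CE02-0000-0000-C000-000000000046},
# in its on-disk byte order (Data1..Data3 little-endian, Data4 as written).
EQUATION_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")

# Directory entry name of the stream that carries the MTEF equation bytes.
EQUATION_NATIVE_STREAM = "Equation Native".encode("utf-16-le")

# Everything after \objdata up to the closing brace; the hex is filtered out
# separately because lures pad it with whitespace and junk control words.
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)")
HEX_RE = re.compile(rb"[0-9A-Fa-f]")
OBJCLASS_RE = re.compile(rb"\\objclass\s*Equation\.", re.IGNORECASE)


def extract_objdata_blobs(rtf: bytes) -> List[bytes]:
    """Decode the hex payload of every \\objdata destination in the document."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexchars = b"".join(HEX_RE.findall(match.group(1)))
        if len(hexchars) % 2:            # stray nibble: drop it rather than fail
            hexchars = hexchars[:-1]
        if hexchars:
            blobs.append(bytes.fromhex(hexchars.decode("ascii")))
    return blobs


def ole1_class_name(blob: bytes) -> Optional[str]:
    """Read the ClassName from an OLE 1.0 ObjectHeader (MS-OLEDS).

    Layout: OLEVersion u32 (0x00000501), FormatID u32 (2 = embedded),
    then ClassName as a u32 length followed by a NUL-terminated ANSI string.
    """
    if len(blob) < 12:
        return None
    version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if version != 0x00000501 or format_id not in (1, 2) or name_len == 0:
        return None
    name = blob[12:12 + name_len]
    if len(name) != name_len:
        return None
    return name.rstrip(b"\x00").decode("latin-1")


def scan_rtf(rtf: bytes) -> dict:
    """Collect Equation Editor indicators and an overall verdict for one RTF."""
    findings = {
        "objclass_equation": bool(OBJCLASS_RE.search(rtf)),
        "objdata_blobs": 0,
        "ole1_class_names": [],
        "equation_clsid": False,
        "equation_native_stream": False,
    }
    for blob in extract_objdata_blobs(rtf):
        findings["objdata_blobs"] += 1
        name = ole1_class_name(blob)
        if name:
            findings["ole1_class_names"].append(name)
        if EQUATION_CLSID_LE in blob:
            findings["equation_clsid"] = True
        if EQUATION_NATIVE_STREAM in blob:
            findings["equation_native_stream"] = True
    findings["suspicious"] = (
        findings["objclass_equation"]
        or any(n.lower().startswith("equation") for n in findings["ole1_class_names"])
        or findings["equation_clsid"]
        or findings["equation_native_stream"]
    )
    return findings


def build_sample_rtf() -> bytes:
    """Constructed, benign RTF with an embedded Equation.3 OLE 1.0 object.

    The "native data" is not a real compound file; it only carries the two
    byte signatures a real one would contain, which is enough for the scan.
    """
    class_name = b"Equation.3\x00"
    native = b"\x00" * 16 + EQUATION_CLSID_LE + b"\x00" * 8 + EQUATION_NATIVE_STREAM
    header = struct.pack("<III", 0x00000501, 2, len(class_name)) + class_name
    header += struct.pack("<II", 0, 0)          # empty TopicName and ItemName
    header += struct.pack("<I", len(native))    # NativeDataSize
    objdata = (header + native).hex().encode("ascii")
    return (b"{\\rtf1\\ansi Quarterly invoice attached.\\par\n"
            b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
            + objdata + b"}}}")


if __name__ == "__main__":
    for key, value in scan_rtf(build_sample_rtf()).items():
        print(f"{key}: {value}")
```

The `\objclass` control word is optional and is often stripped or obfuscated in real lures, so the decoded object data is the stronger signal; in practice the next step is to hand each blob to a compound-file parser (for example `olefile`, or `rtfobj` from oletools, which performs this same extraction) and inspect the "Equation Native" stream itself.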

Microsoft's warning about Equation Editor:

In the current wave of attacks, the malicious Office documents arrive as email attachments. The sender lures the user into opening the file. The document displays some decoy content, but in the background it exploits this vulnerability to download a malicious payload onto the victim's computer.

The spam emails look like this:








The file, when opened, looks like this:

The RTF file drops a file and contacts the attacker-controlled server.

These types of attacks are a reminder of the importance of keeping systems updated with the latest security patches.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

  • SPY 5046 Malformed-File rtf.MP.22
  • GAV MalAgent.J_37354
  • GAV CB_3 (Exploit)
  • GAV H_12144 (Trojan)
  • GAV CB_4 (Exploit)
  • GAV CB_5 (Exploit)
  • GAV CB_6 (Exploit)
  • GAV BX_10 (Exploit)
  • GAV BS_4 (Exploit)
  • GAV AS (Exploit)

SonicWall Capture Advanced Threat Protection (ATP) with RTDMI provides protection against this threat.

Threat Graph:


RTF files:










The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.