rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 { meta: author = "John Davison" description = "Attempts to identify the exploit CVE 2017 11882" reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about" sample = "51cf2a6c0c1a29abca9fd13cb22421da" score = 60 //file_name = "re:^stream_[0-9]+_[0-9]+.dat$" strings: $headers = { 1c 00 00 00 02 00 ?? ?? a9 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 01 01 03 ?? } $font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow //$code = /[\x01-\x7F]{44}/ $winexec = { 12 0c 43 00 } condition: all of them and @font > @headers and @winexec == @font + 5 + 44 } // same as above but for RTF documents rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 { meta: author = "John Davison" description = "Attempts to identify the exploit CVE 2017 11882" reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about" sample = "51cf2a6c0c1a29abca9fd13cb22421da" score = 60 //file_ext = "rtf" strings: $headers = { 31 63 30 30 30 30 30 30 30 32 30 30 ?? ?? ?? ?? 61 39 30 30 30 30 30 30 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 30 33 30 31 30 31 30 33 ?? ?? } $font = { 30 61 30 31 30 38 35 61 35 61 } $winexec = { 31 32 30 63 34 33 30 30 } condition: all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2) } rule packager_cve2017_11882 { meta: author = "Rich Warren" description = "Attempts to exploit CVE-2017-11882 using Packager" reference = "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py" score = 60 strings: $font = { 30 61 30 31 30 38 35 61 35 61 } $equation = { 45 71 75 61 74 69 6F 6E 2E 33 } $package = { 50 61 63 6b 61 67 65 } $header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase condition: uint32be(0) == 0x7B5C7274 // RTF header and all of them }