{
	"id": "51d51687-7af4-499b-9c67-0d56f9c03558",
	"created_at": "2026-04-06T00:18:44.272475Z",
	"updated_at": "2026-04-10T03:20:26.090623Z",
	"deleted_at": null,
	"sha1_hash": "baa8caf0cc90d1706ba9b6707b721482506e16c6",
	"title": "CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 427081,
	"plain_text": "CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler | Mandiant\r\nBy Mandiant\r\nPublished: 2017-04-11 · Archived: 2026-04-05 22:58:56 UTC\r\nWritten by: Genwei Jiang, Rahul Mohandas, Jonathan Leathery, Alex Berry, Lennard Galang\r\nFireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.\r\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found here.\r\nThe vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the patch from Microsoft.\r\nAttack Scenario\r\nThe attack occurs in the following manner:\r\n1. A threat actor emails a Microsoft Word document to a targeted user with an embedded OLE2 link object\r\n2. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious HTA file\r\n3. The file returned by the server is a fake RTF file with an embedded malicious script\r\n4. Winword.exe looks up the file handler for application/hta through a COM object, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script\r\nIn the two documents that FireEye observed prior to the initial blog acknowledging these attacks, malicious scripts terminated the winword.exe processes, downloaded additional payloads, and loaded decoy documents. The original winword.exe process was terminated to conceal a user prompt generated by the OLE2link. Figure 1 shows this prompt.\r\nhttps://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html\r\nPage 1 of 7\n\nFigure 1: User prompt hidden by the Visual Basic script\r\nDocument 1 - (MD5: 5ebfd13250dd0408e3de594e419f9e01)\r\nThe first malicious document identified by FireEye had three stages. An embedded OLE2 link object causes winword.exe to reach out to the following URL to download the stage one malicious HTA file:\r\nhttp[:]//46.102.152[.]129/template.doc\r\nOnce downloaded, the malicious HTA file is processed by the “application/hta” handler. The highlighted line in Figure 2 shows the first download occurring, followed by the additional malicious payloads.\r\nFigure 2: Live attack scenario\r\nOnce downloaded, the template file was stored in the user’s temporary internet files with the name template[?].hta, where [?] is determined at run time.\r\nThe Logic Bug\r\nMshta.exe is responsible for handling the Content-Type “application/hta,” parsing the content, and executing the script. Figure 3 shows winword.exe querying the registry for the CLSID of the “application/hta” handler.\r\nFigure 3: Winword query registry value\r\nWinword.exe makes a request to the DCOMLaunch service, which in turn causes the svchost.exe process hosting DCOMLaunch to execute mshta.exe. Mshta.exe then executes the script embedded in the malicious HTA document. Figure 4 shows the deobfuscated VBScript from the first stage download.\r\nFigure 4: First document, stage one VBScript\r\nThe script shown in Figure 4 performs the following malicious actions:\r\n1. Terminates the winword.exe process with taskkill.exe to hide the prompt shown in Figure 1.\r\n2. Downloads a VBScript file from http[:]//www.modani[.]com/media/wysiwyg/ww.vbs and saves it to %appdata%\\Microsoft\\Windows\\maintenance.vbs\r\n3. Downloads a decoy document from http[:]//www.modani[.]com/media/wysiwyg/questions.doc and saves it to %temp%\\document.doc\r\n4. Cleans up the Word Resiliency keys for Word versions 15.0 and 16.0 so that Microsoft Word will restart normally\r\n5. Executes the malicious stage two VBScript: %appdata%\\Microsoft\\Windows\\maintenance.vbs\r\n6. Opens the decoy document, %temp%\\document.doc, to hide the malicious activity from the user\r\nOnce executed, the downloaded stage two VBScript (ww.vbs/maintenance.vbs) performs the following actions:\r\n1. Writes an embedded obfuscated script to %TMP%/eoobvfwiglhiliqougukgm.js\r\n2. Executes the script\r\nThe obfuscated eoobvfwiglhiliqougukgm.js script performs the following actions when executed:\r\n1. Attempts to delete itself from the system\r\n2. Attempts to download http[:]//www.modani[.]com/media/wysiwyg/wood.exe (at most 44 times), and save the file to %TMP%\\dcihprianeeyirdeuceulx.exe\r\n3. Executes %TMP%\\dcihprianeeyirdeuceulx.exe\r\nFigure 5 shows the process execution chain of events.\r\nFigure 5: Process creation events\r\nThe final payload utilized in this malware is a newer variant of the LATENTBOT malware family. Additional details of the updates to this malware follow the Document 2 walkthrough.\r\nMD5 | Size | Name | Description\r\n5ebfd13250dd0408e3de594e419f9e01 | 37,523 | hire_form.doc | Malicious document\r\nfb475f0d8c8e9bf1bc360211179d8a28 | 27,429 | template.doc/template[?].hta | Malicious HTA file\r\n984658e34e634d56423797858a711846 | 5,704 | ww.vbs/maintenance.vbs | Stage two VBScript\r\n73bf8647920eacc7cc377b3602a7ee7a | 13,386 | questions.doc/document.doc | Decoy document\r\n11fb87888bbb4dcea4891ab856ac1c52 | 5,292 | eoobvfwiglhiliqougukgm.js | Malicious script\r\na1faa23a3ef8cef372f5f74aed82d2de | 388,096 | wood.exe/dcihprianeeyirdeuceulx.exe | Final payload\r\n15e51cdbd938545c9af47806984b1667 | 414,720 | wood.exe/dcihprianeeyirdeuceulx.exe | Updated final payload\r\nTable 1: First document file metadata\r\nThe LATENTBOT Payload\r\nThe payload associated with the first document is an updated version of the LATENTBOT malware family. LATENTBOT is a highly-obfuscated BOT that has been in the wild since 2013.\r\nThe newer version of LATENTBOT has different injection mechanisms for Windows XP (x86) and Windows 7 operating systems:\r\nAttrib.exe patching – The bot calls Attrib.exe, patches the entry in memory, and inserts a JMP instruction to transfer control to the mapped section. To map the section in the address space of attrib.exe it uses ZwMapViewOfSection().\r\nSvchost code injection – Attrib.exe starts the svchost.exe process in suspended mode, creates space, and allocates code by calling ZwMapViewOfSection().\r\nControl transfer – It then uses SetThreadContext() to modify the OEP of the primary thread, which will be executed in the remote process to trigger code execution.\r\nBrowser injection – A similar process is used to inject the final payload into the default web browser with the help of NtMapViewOfSection().\r\nIn Windows 7 or later operating systems, the bot does not use attrib.exe. Rather, it injects code into svchost.exe and then launches the default browser with the malicious payload by leveraging NtMapViewOfSection().\r\nThis variant then connects to the following command and control (C2) server:\r\nUpon successful communication with the C2 server, LATENTBOT generates a beacon. One of the decrypted beacons is as follows, with an updated version number of 5015:\r\nAt the time of analysis, the C2 server was offline. The bot comes with a highly modular plugin architecture and has been associated with the “Pony” campaigns as an infostealer.\r\nAs of April 10, 2017, the malware hosted at www.modani[.]com/media/wysiwyg/wood.exe has been updated and the C2 server has been moved to: 217.12.203[.]100.\r\nDocument 2 - (MD5: C10DABB05A38EDD8A9A0DDDA1C9AF10E)\r\nThe second malicious document identified by FireEye consisted of two malicious stages. The initial stage reached out to the following URL to download the stage one malicious HTA file:\r\nhttp[:]//95.141.38[.]110/mo/dnr/tmp/template.doc\r\nThis file is downloaded into the user’s temporary internet files directory with the name template[?].hta, where [?] is determined at runtime. Once downloaded, winword.exe utilizes mshta.exe to parse the file. mshta.exe parses through the file, finds the script tags, and executes the contained script. Figure 6 shows the deobfuscated script.\r\nFigure 6: Second document, first stage VBScript\r\nFigure 6 shows the following malicious actions:\r\n1. Terminate the winword.exe process with taskkill.exe to hide the prompt shown in Figure 1\r\n2. Download an executable from http[:]//95.141.38[.]110/mo/dnr/copy.jpg, saving it to '%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winword.exe'\r\n3. Download a document from http[:]//95.141.38[.]110/mo/dnr/docu.doc, saving it to %temp%\\document.doc\r\n4. Clean up the Word Resiliency keys for Word versions 15.0 and 16.0, so that Microsoft Word will restart normally\r\n5. Execute the malicious payload at '%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winword.exe'\r\n6. Open the decoy document, %temp%\\document.doc, to hide the malicious activity from the user\r\nExamination of the malicious payload revealed that it is a variant of the dropper for what Microsoft calls WingBird, which has similar characteristics to FinFisher. The malware is heavily obfuscated with several anti-analysis measures, including a custom VM to slow analysis. A blog post by \"Artem\" covers a payload driver of WingBird. The blog author briefly mentions the protection techniques of the dropper, which match this sample.\r\nMD5 | Size | Name | Description\r\nc10dabb05a38edd8a9a0ddda1c9af10e | 70,269 | СПУТНИК РАЗВЕДЧИКА.doc | Malicious document\r\n9dec125f006f787a3f8ad464d480eed1 | 27,500 | template.doc | Malicious HTA file\r\nacde6fb59ed431000107c8e8ca1b7266 | 1,312,768 | copy.jpg/winword.exe | Final payload\r\ne01982913fbc22188b83f5f9fadc1c17 | 6,220,783 | docu.doc/document.doc | Decoy document\r\nTable 2: Second document metadata\r\nConclusion\r\nFireEye observed CVE-2017-0199, a vulnerability in Microsoft Word that allows an attacker to execute a malicious Visual Basic script. The CVE-2017-0199 vulnerability is a logic bug and bypasses most mitigations. Upon execution of the malicious script, it downloads and executes malicious payloads and displays decoy documents to the user. The two documents achieve execution of their malicious payloads, with one containing LATENTBOT and the other containing WingBird/FinFisher. The malicious document contained only a link to the attacker-controlled server, showing the advantage of FireEye’s MVX engine in detecting multi-stage attacks. Further campaigns leveraging this attack have been observed prior to patch availability, but are not covered in this blog. We recommend that Microsoft Office users apply the patch as soon as possible.\r\nAcknowledgement\r\nThank you to Michael Matonis, Dhanesh Kizhakkinan, Yogesh Londhe, Swapnil Patil, Joshua Triplett, and Tyler Dean from FLARE Team, FireEye Labs Team, and FireEye iSIGHT Intelligence for their contributions to this blog. Thank you as well to everyone who worked with us at the Microsoft Security Response Center (MSRC).\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html"
	],
	"report_names": [
		"cve-2017-0199-hta-handler.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434724,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/baa8caf0cc90d1706ba9b6707b721482506e16c6.pdf",
		"text": "https://archive.orkl.eu/baa8caf0cc90d1706ba9b6707b721482506e16c6.txt",
		"img": "https://archive.orkl.eu/baa8caf0cc90d1706ba9b6707b721482506e16c6.jpg"
	}
}