Deep Malware and Phishing Analysis By Joe Security LLC
Archived: 2026-04-05 13:21:56 UTC

Recently we came across an interesting sample which appears to be related to the Elise malware. Elise is tied to the Dragon Fish and Lotus Blossom APT groups, which primarily target governments and defense contractors. Elise is known to infect victims using the latest available exploits and is often packed with interesting sandbox evasion techniques. In this blog post we dissect the latest version of Elise. The sample under investigation is distributed as an Office document lure, more precisely a Rich Text Format (RTF) file.

CVE-2018-0802

We start the analysis by looking at the behavior graph and notice that the process EQNEDT32.EXE was started alongside WINWORD.EXE:

(screenshot: behavior graph)

EQNEDT32.EXE is the Microsoft Office Equation Editor. In November 2017 the security company Embedi disclosed a vulnerability in EQNEDT32.EXE which later received the identifier CVE-2017-11882, and Microsoft patched the flaw in its November update. So, is Elise using this exploit? To answer this question we took a detailed look at the exploit itself. The outcome: it is not CVE-2017-11882 but rather CVE-2018-0802, a second flaw in EQNEDT32.EXE which was disclosed in late December 2017. We extracted the trampoline and shellcode:

(screenshot: trampoline and shellcode)

The shellcode renames and loads the PE file (named a.b) previously dropped by Word.
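The chain described above (Word drops a file, the Equation Editor is started, its shellcode renames and loads the dropped PE, and code ends up in a browser process) is a good hunting target because EQNEDT32.EXE normally does nothing but draw equations. The following is an added example, not code from this post or from Joe Sandbox: it encodes that chain as three rules over a Sysmon-style event stream. The event dictionaries and their field names are constructed for the example and are not a real telemetry schema; the lists of Office and browser image names are assumptions.

```python
"""Hunt for Equation Editor abuse in a process/file event stream.

Rules (all assume EQNEDT32.EXE is the actor):
  R1  EQNEDT32.EXE spawns any child process.
  R2  EQNEDT32.EXE renames or loads a file that an Office process created.
  R3  EQNEDT32.EXE opens a handle to a browser process (injection target).
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed list
EQNEDT = "eqnedt32.exe"
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}  # assumed list

# Hand-constructed sample telemetry, not real logs. The first three events
# are what a benign equation edit looks like (Equation Editor is launched
# out-of-process via DCOM, so its parent is svchost.exe, not WINWORD.EXE);
# the rest mirror the Elise chain from the post.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "image": "WINWORD.EXE", "parent": "explorer.exe"},
    {"type": "process_create", "pid": 200, "image": "EQNEDT32.EXE", "parent": "svchost.exe"},
    {"type": "file_create", "pid": 100, "path": r"C:\Users\bob\AppData\Local\Temp\a.b"},
    {"type": "file_rename", "pid": 200,
     "src": r"C:\Users\bob\AppData\Local\Temp\a.b",
     "dst": r"C:\Users\bob\AppData\Local\Temp\a.dll"},
    {"type": "image_load", "pid": 200, "path": r"C:\Users\bob\AppData\Local\Temp\a.dll"},
    {"type": "process_access", "pid": 200, "target_image": "iexplore.exe", "access": "0x1fffff"},
    {"type": "process_create", "pid": 300, "image": "cmd.exe", "parent": "EQNEDT32.EXE"},
]


def hunt(events):
    """Return a list of alert strings for the given ordered event stream."""
    image_of = {}          # pid -> lower-case image name
    office_drops = set()   # lower-case paths created by an Office process
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image_of[ev["pid"]] = ev["image"].lower()
            if ev["parent"].lower() == EQNEDT:
                alerts.append(f"R1 child process {ev['image']} spawned by {EQNEDT}")
            continue
        actor = image_of.get(ev["pid"], "?")
        if kind == "file_create" and actor in OFFICE:
            office_drops.add(ev["path"].lower())
        elif kind == "file_rename" and actor == EQNEDT and ev["src"].lower() in office_drops:
            office_drops.add(ev["dst"].lower())   # follow the rename (a.b -> a.dll)
            alerts.append(f"R2 {EQNEDT} renamed Office-dropped file {ev['src']} -> {ev['dst']}")
        elif kind == "image_load" and actor == EQNEDT and ev["path"].lower() in office_drops:
            alerts.append(f"R2 {EQNEDT} loaded Office-dropped file {ev['path']}")
        elif (kind == "process_access" and actor == EQNEDT
              and ev["target_image"].lower() in BROWSERS):
            alerts.append(f"R3 {EQNEDT} opened handle to {ev['target_image']} "
                          f"(access {ev['access']})")
    return alerts


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Running the full sample yields four alerts (two R2, one R3, one R1); the first three events alone, the benign equation edit, yield none. R2 deliberately tracks the rename so that the later image load of a.dll is still attributed to the file Word dropped as a.b.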
The newly loaded code is then injected into IExplorer.exe, where the main payload is executed:

(screenshot: injection into IExplorer.exe)

Sandbox Evasions

Inside IExplorer.exe, Elise performs a variety of sandbox checks:

- VMware backdoor check
- Disk name check
- Check for various analysis tools
- Process check
- MAC address check

(screenshots: the individual checks)

Payloads

After passing all the sandbox checks, Elise creates an autostart key:

(screenshot: autostart key)

It then adds a proxy to Internet Explorer:

(screenshot: Internet Explorer proxy)

and a proxy to Firefox:

(screenshot: Firefox proxy)

Finally, in the functions at 514D05, 5159AF and 515486 we find the download, upload and command execution handlers. Elise can collect and upload the following data:

- CPU usage
- RAM (size/free)
- Disk space (size/free)
- Windows version
- Username
- Locale
- Timezone
- SID
- List of tasks
- List of network adapters
- List of files on the Desktop

Final Words

Elise is a very advanced piece of malware which uses only the latest exploits for its distribution. Before the main payload is executed, many different sandbox evasions are performed. The payload and the communication code are injected into IExplorer.exe, likely to bypass personal firewalls (PFW) and host intrusion prevention systems (HIPS).

Source: https://www.joesecurity.org/blog/8409877569366580427
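The sandbox checks listed in the Sandbox Evasions section above are, apart from the VMware backdoor, string comparisons against host properties, so an analyst mainly needs to know which properties give the sandbox away. The block below is an added example, not the malware's code and not from this post: it re-implements the MAC address, disk name, analysis tool and process checks over a constructed host snapshot. The VMware backdoor check (an IN instruction on port 0x5658 with the magic 0x564D5868 in EAX, which only VMware's hypervisor answers; on bare metal it raises a privileged-instruction exception that the malware catches) cannot be reproduced from Python and is only described in a comment. The tool and guest-agent process names are typical lists assumed for the example, not strings taken from the sample.

```python
"""Host properties that trip the string-based sandbox checks.

Not Elise's code: an added re-implementation of the check logic so the
inputs that trigger each check are explicit. The VMware backdoor check is
omitted (it is an I/O-port probe: EAX=0x564D5868, ECX=0x0A, DX=0x5658,
`in eax, dx`; EBX comes back as the magic only under VMware).
"""

# OUI -> vendor for common hypervisor virtual NICs.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware",
    "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}
VM_DISK_MARKERS = ("vmware", "vbox", "virtual", "qemu")
ANALYSIS_TOOLS = {  # assumed list
    "wireshark.exe", "procmon.exe", "procexp.exe", "ollydbg.exe",
    "x64dbg.exe", "x32dbg.exe", "idaq.exe", "fiddler.exe", "regshot.exe",
}
GUEST_PROCESSES = {  # assumed list of hypervisor guest agents
    "vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vboxtray.exe",
}


def check_mac(adapters):
    """adapters: MAC strings such as '00:0C:29:3A:9B:1F' or with '-'."""
    hits = []
    for mac in adapters:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_MAC_PREFIXES:
            hits.append(f"{mac} -> {VM_MAC_PREFIXES[oui]}")
    return hits


def check_disk(models):
    """models: disk model strings as reported by the OS."""
    return [m for m in models if any(k in m.lower() for k in VM_DISK_MARKERS)]


def check_processes(processes):
    names = {p.lower() for p in processes}
    return {"analysis_tools": sorted(names & ANALYSIS_TOOLS),
            "guest_agents": sorted(names & GUEST_PROCESSES)}


def evaluate(host):
    """Run every check; each value is the list of properties that tripped it."""
    procs = check_processes(host["processes"])
    return {"mac": check_mac(host["adapters"]),
            "disk": check_disk(host["disks"]),
            "tools": procs["analysis_tools"],
            "guest": procs["guest_agents"]}


def looks_like_sandbox(host):
    return any(evaluate(host).values())


# Constructed snapshots, not real machines.
SANDBOX_HOST = {
    "adapters": ["00:0C:29:3A:9B:1F"],
    "disks": ["VMware Virtual disk SCSI Disk Device"],
    "processes": ["explorer.exe", "vmtoolsd.exe", "procmon.exe", "iexplore.exe"],
}
CLEAN_HOST = {
    "adapters": ["3C:97:0E:12:34:56"],
    "disks": ["Samsung SSD 970 EVO 500GB"],
    "processes": ["explorer.exe", "iexplore.exe"],
}

if __name__ == "__main__":
    for name, host in (("sandbox", SANDBOX_HOST), ("clean", CLEAN_HOST)):
        print(name, looks_like_sandbox(host), evaluate(host))
```

Every hit in the sandbox snapshot is something the analyst controls: the NIC OUI and disk model are hypervisor settings, and the tool and guest-agent names are just file names. Fixing all four makes the sample fall through to the VMware backdoor probe, which has to be handled at the hypervisor level instead.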
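The Payloads section above names three host artifacts (an autostart key, an Internet Explorer proxy and a Firefox proxy) without showing where they are written. The following is an added example, not code from this post or from Elise, for triaging those artifacts from an exported registry hive and a Firefox profile. It assumes the standard locations: a value under the per-user Run key for the autostart, ProxyEnable and ProxyServer under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for the IE proxy, and network.proxy.* user_pref() lines in prefs.js for Firefox. The .reg export and prefs.js text are constructed samples; the Updater value and 127.0.0.1:8080 proxy are invented to exercise the checks.

```python
"""Triage autostart and proxy artifacts from a .reg export and prefs.js."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed .reg export (backslashes are doubled as reg.exe exports them).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"Updater"="C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
"""

# Constructed prefs.js; network.proxy.type 1 means manual proxy configuration.
SAMPLE_PREFS = r"""user_pref("browser.startup.homepage", "https://example.org");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: value}}. Handles quoted
    strings and dword: values; other types are kept as their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            keys[current][name] = raw
    return keys


def triage_reg(text):
    keys = parse_reg(text)
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if isinstance(cmd, str) and any(p in cmd.lower() for p in USER_WRITABLE):
            findings.append(f"run-key {name!r} points into a user-writable directory: {cmd}")
    inet = keys.get(INET_KEY, {})
    if inet.get("ProxyEnable") == 1 and inet.get("ProxyServer"):
        findings.append(f"IE proxy enabled: {inet['ProxyServer']}")
    return findings


PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"'):
            prefs[name] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def triage_prefs(text):
    prefs = parse_prefs(text)
    if prefs.get("network.proxy.type") == 1:
        host = prefs.get("network.proxy.http", "?")
        port = prefs.get("network.proxy.http_port", "?")
        return [f"Firefox manual proxy: {host}:{port}"]
    return []


if __name__ == "__main__":
    for f in triage_reg(SAMPLE_REG) + triage_prefs(SAMPLE_PREFS):
        print(f)
```

The Run-key check flags only entries that launch from user-writable paths, so a legitimate Program Files autostart passes while the Temp-based one is reported; the proxy checks report the configured server so it can be compared against the upload and command handlers' destination.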