{
	"id": "1af1242c-fa51-4d53-a9e2-aed9be3d4176",
	"created_at": "2026-04-06T00:12:10.637103Z",
	"updated_at": "2026-04-10T03:21:02.279394Z",
	"deleted_at": null,
	"sha1_hash": "fd8c2558803ae5e21927454024b078ce74f8e44f",
	"title": "In depth analysis of malware exploiting CVE-2017-11826 - Gradiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1529163,
	"plain_text": "In depth analysis of malware exploiting CVE-2017-11826 -\r\nGradiant\r\nArchived: 2026-04-05 18:01:07 UTC\r\nSPAM campaigns have been identified as one of the principal malware entry paths. Normally these campaigns incorporate a malicious link or an attached file (usually an Office document that contains a malicious macro).\r\nOn this occasion, Gradiant's Security and Privacy team has obtained and analysed a sample of an Office document that, instead of incorporating a malicious macro, exploits the 0-day vulnerability identified as CVE-2017-11826, whose patch was published on October 17, 2017. This exploit allows the attacker to execute malicious code without any user interaction.\r\nAlthough it is always difficult to attribute an attack, the evidence suggests that it is probably a Russian botnet hosted on a US server.\r\nVulnerability analysis\r\nSAMPLE DATA\r\nFilename 2.doc\r\nSize 664KiB (680268 bytes)\r\nType RTF\r\nDescription Rich Text Format data, version 1, unknown character set\r\nS.O. WINDOWS\r\nSHA256 cb3429e608144909ef25df2605c24ec253b10b6e99cbb6657afa6b92e9f32fb5\r\nhttps://www.gradiant.org/noticia/analysis-malware-cve-2017/\r\nPage 1 of 13\n\nFirst, the OLE objects embedded in the RTF file attached to the mail of the SPAM campaign have been listed. Specifically, the exploit lies in the file “./word/document.xml” belonging to the last OLE object in the previous figure (object id = 2).\r\nAfter analysing the contents of the file, the exploited vulnerability has been classified as a type confusion: it takes place because of an unexpected idmap element located just after the opening of the font tag, which causes the error in the OOXML parser. 
Additionally, it has been observed that the vulnerability requires special conditions that the attacker has taken into account: an OLEObject element has been declared just before the font tag, with a name attribute whose content is large enough (greater than or equal to 32 bytes after the conversion from UTF-8 to Unicode that takes place on it).\r\nIn order to analyse how the attacker exploits the vulnerability, the bytes of the font's name attribute have been examined, obtaining the following hexadecimal representation:\r\nWhich, once transformed to Unicode and represented in big endian as the OOXML parser does, results in the following memory address: 0x088888EC\r\nAs can be seen in the following image, when the type confusion happens a pointer is dereferenced by reading the contents of that memory address; the program adds 4 to the value read, and the execution flow is transferred to the address resulting from that sum:\r\nExploit analysis. Arbitrary code execution\r\nTo control the contents of the memory address 0x088888EC the attackers have used the heap spraying technique, which consists of filling a large proportion of memory with repetitions of a byte sequence (the spray), so as to maximise the probability of finding that sequence in memory when its position cannot be predicted accurately. 
In this case, the technique has been implemented with a large set of ActiveX objects which import the spray stored in the file activeX1.bin.\r\nAs can be seen in the following image, which shows part of the content of activeX1.bin, the attacker has sprayed the heap with two memory addresses: the one the dereferenced pointer is expected to point to (0x088888EC) and the content wanted at that memory location (0x729440CB), which is an address belonging to the library msvbvm60.dll decreased by 4 to compensate for the increment of 4 performed by the vulnerable OOXML parser code.\r\nThe attacker loads the library “msvbvm60.dll” by its CLSID, as highlighted in the following image. In addition, it has been observed that this library is loaded only in order to perform “ROP” on it (ROP is a software exploitation technique that allows certain protections to be evaded, for example non-executable memory regions and code signing), since this library has the DEP and ASLR protections disabled.\r\nBy using the “ROP gadgets” existing in the “msvbvm60.dll” library (groups of instructions that make it possible to carry out the ROP technique), the attacker manages to give execution permissions to the “shellcode” and to redirect the execution flow to its beginning.\r\nIt has been observed that the shellcode simply decrypts and executes the embedded malware (a Portable Executable library) and consists of two phases. The first is what is known as an “egg hunter”, that is, code that locates and executes other code; in this case the “egg hunter” locates the second part of the shellcode in memory, decrypts it and jumps to that decrypted second part. 
The second part looks for the label 0xBABABABA (the marker the attacker has used to indicate the address at which the malware starts) and applies an XOR decryption with the key 0xCAFEBABE over all the DWORDs that make it up, until it reaches the end tag of the malware, labelled with 0xBBBBBBBB. Finally, it uses the key 0xBAADF00D to decrypt the document that will replace the original one.\r\nAs often happens in Portable Executable files, it contains many zeros, so when these zeros are encrypted with the key, the key is reflected in the encrypted text itself.\r\nAs can be seen in the previous image, there are multiple appearances of the little-endian DWORD 0xBEBAFECA, which implies that 0xCAFEBABE is the XOR key.\r\nMaking use of this information, a script has been developed which performs the extraction and decryption of the embedded file, allowing its later static analysis.\r\n————————————————– START CODE ———————————————–\r\n#!/usr/bin/env python3\r\n# -*- coding: utf-8 -*-\r\nDECODE_KEY = bytes.fromhex('CAFEBABE')\r\nPE_START_TAG = bytes.fromhex('BA' * 6)\r\nPE_END_TAG = bytes.fromhex('BB' * 6)\r\nINPUT_FILE = '2.doc'\r\nOUTPUT_FILE = 'decoded.vir'\r\n# Read the document bytes\r\nwith open(INPUT_FILE, 'rb') as f:\r\n    bytes_doc = f.read()\r\n# Extract the embedded binary file (the bytes between the start and end markers)\r\npe_encoded = bytes_doc.split(PE_START_TAG)[1].split(PE_END_TAG)[0]\r\n# Decrypt the embedded file bytes: the key DWORD 0xCAFEBABE is stored little endian,\r\n# so the key bytes are applied in reverse order within each 4-byte group\r\npe_decoded = bytearray()\r\nfor pos in range(0, len(pe_encoded), 4):\r\n    try:\r\n        pe_decoded.append(pe_encoded[pos] ^ DECODE_KEY[(pos + 3) % 4])\r\n        pe_decoded.append(pe_encoded[pos + 1] ^ DECODE_KEY[(pos + 2) % 4])\r\n        pe_decoded.append(pe_encoded[pos + 2] ^ DECODE_KEY[(pos + 1) % 4])\r\n        pe_decoded.append(pe_encoded[pos + 3] ^ DECODE_KEY[pos % 4])\r\n    except 
IndexError:\r\n        # a trailing incomplete DWORD is decrypted as far as it goes\r\n        pass\r\n# Save the embedded malware after its decryption\r\nwith open(OUTPUT_FILE, 'wb') as f:\r\n    f.write(bytes(pe_decoded))\r\n————————————————– END CODE ———————————————–\r\nMalware analysis\r\nNext, we analyse the resulting malware.\r\nDLL EMBEDDED\r\nFilename decoded.vir\r\nSize 277KiB (282950 bytes)\r\nType PE (Portable Executable)\r\nCompiled Thu Sep 21 08:21:08 2017\r\nArch. x86\r\nS.O. WINDOWS\r\nSHA256 d6990b2d82680a03ab57cee21e52843872fa770ddf8cfec2e15cf6bef068a61b\r\nFirst, three hardcoded URLs belonging to the mymyawady.com domain have been identified:\r\nURL FUNCTIONALITY\r\nhttps://cdn1.mymyawady.com/x4/dll/logo.jpg Malicious CAB file\r\nhttps://cdn2.mymyawady.com/x4/dll/readme.txt Malicious CAB file\r\nhttps://cdn3.mymyawady.com/x4/dll/info.php Gate of the C\u0026C\r\nThen, a whois query has been made on the attacking domain, identifying that it is of Russian origin and that it was created during the month before the compilation of the library embedded in the document.\r\nIn addition, the DNS history of the domain has been obtained, showing that the day after its creation it pointed to a US IP address (45.77.46.81) from a provider of various cloud services (hxxps://www.vultr.com/) that the attackers used to host the malicious payload of this malware.\r\nIt has been observed that the malware tries to download the two malicious CAB files hosted on the command and control server (C\u0026C) under the names logo.jpg and readme.txt, using the following function:\r\nIt stores them in temporary paths:\r\nand decompresses them in the same directory using the system tool “expand.exe” with the parameters shown in the image:\r\nFinally, the execution of an avgdate.exe file has been identified, which the 
malware expects to have been created as a result of the CAB decompression.\r\nFurthermore, the library stays in a loop that runs every 23 seconds until it manages to download one of these two malicious CABs:\r\nIn each iteration, the malicious code collects the following system information.\r\nIt accesses the Windows registry to obtain the user's SID,\r\nwhich it subsequently uses to build the format string “aSidUserSCompu”:\r\nFor example, in the following image you can see an instance of the malware that has filled this string with the information of one of our laboratory machines, including whether or not it has been able to download and run the malware samples hosted on the C\u0026C. All of this formatted information is sent to the “gate” by means of a “POST” request, in whose “news” parameter the user's SID is passed.\r\nOn the next screen you can see the “gate” URL address previously mentioned:\r\nConclusions\r\nOur team has noticed a slight increase in the number of malicious Office documents that do not use macros. 
That is why it is important to always keep software up to date.\r\nIt is recommended to open only those documents and links that are trusted and, in case of doubt, to contact the sender through a secure communication medium.\r\nIOCs\r\ncb3429e608144909ef25df2605c24ec253b10b6e99cbb6657afa6b92e9f32fb5\r\n9209946f3012a37509cb703f55c58b552361f76507acc4786f7b73f6c5092eae\r\nc6de846128c9ee10e7894af47c2855e1dc3c7c19f1db0c960f882ab60f522a2e\r\ncd4679c14349744b0e2bfa4d385afe49c9cb8540196f893f52c8f50c47cddbec\r\nhxxps://cdn1.mymyawady.com/x4/dll/logo.jpg\r\nhxxps://cdn2.mymyawady.com/x4/dll/readme.txt\r\nhxxps://cdn3.mymyawady.com/x4/dll/info.php\r\nAuthor: David Alvarez-Perez, researcher at Gradiant's Security and Privacy team\r\nSource: https://www.gradiant.org/noticia/analysis-malware-cve-2017/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gradiant.org/noticia/analysis-malware-cve-2017/"
	],
	"report_names": [
		"analysis-malware-cve-2017"
	],
	"threat_actors": [],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd8c2558803ae5e21927454024b078ce74f8e44f.pdf",
		"text": "https://archive.orkl.eu/fd8c2558803ae5e21927454024b078ce74f8e44f.txt",
		"img": "https://archive.orkl.eu/fd8c2558803ae5e21927454024b078ce74f8e44f.jpg"
	}
}