File Name

Source

SHA256

Detection Name / Status

template.doc

11a183f9b8b834b6c959402cb83af59aa38d50d7

TROJ_ARTIEF.JEJOTQ

7500.exe

hxxp://btt5sxcx90.com/7500.exe

5e9c76ef1c8c09d9c60ed61ce7998a16afef7c7b

TSPY_DRIDEX.SLP

sample.doc

hxxp://btt5sxcx90.com/sample.doc

d298e996d094640c87618d15c44b57d8391a357

non-malicious word document

template.doc

dd1328da51b4cc4db1bb0bc65523e46cdf759a4a

TROJ_ARTIEF.JEJOTQ

last.exe

hxxp://95.46.99.199/last.exe

already inaccessible

q.doc

hxxp://95.46.99.199/q.doc

already inaccessible

File Layer

The table below shows the information about the detections done by VSAPI:

SHA256	Detection Name
13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575	TROJ_CVE20170199.A
3c0a93d05b3d0a9564df63ed6178d54d467263ad6e3a76a9083a43a7e4a9cca5	TROJ_CVE20170199.A
b3b3cac20d93f097b20731511a3adec923f5e806e1987c5713d840e335e55b66	TROJ_CVE20170199.B/C
d3cba5dcdd6eca4ab2507c2fc1f1f524205d15fd06230163beac3154785c4055	TROJ_CVE20170199.B/C
b9147ca1380a5e4adcb835c256a9b05dfe44a3ff3d5950bc1822ce8961a191a1	TROJ_CVE20170199.B/C
4453739d7b524d17e4542c8ecfce65d1104b442b1be734ae665ad6d2215662fd	TROJ_CVE20170199.A
b9b92307d9fffff9f63c76541c9f2b7447731a289d34b58d762d4e28cb571fbd	TROJ_CVE20170199.B/C

Network Layer

The table below shows the products that can stop the threat on the Network Layer:

Product	Details
WRS Blocking	Known related C&C has been blocked
Deep Security	Security Update 17-015 – Includes coverage for CVE-2017-0199 and some specific protection for MS Word in addition to some other non-related vulnerabilities
Deep Discovery Inspector	Rule 18 - DNS response of a queried malware Command and Control domain
TippingPoint	Filter 27726 – HTTP: Microsoft Word RTF objautlink Memory Corruption Vulnerability Filter 27841 – HTTP: RTF File Implementing objautlink and URL Monikers Filter 27842 – HTTP: Suspicious Obfuscated Powershell Execution

Microsoft Office Zero-day CVE-2017-0199 threat information

Product / Version includes:

Deep Discovery Inspector3.8 , Deep Security10.1

Last updated: 2021/08/28

Solution ID: KA-0007834

Category: Remove a Malware / Virus

Summary

CVE-2017-0199 is a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office. This flaw is currently being exploited by the notorious DRIDEX banking trojan.

Below are the information that can help in preventing this zero-day threat:

EXPAND ALL

Payload

The table below shows the files dropped when a machine has been affected by CVE-2017-0199:

File Name	Source	SHA256	Detection Name / Status
template.doc	-	11a183f9b8b834b6c959402cb83af59aa38d50d7	TROJ_ARTIEF.JEJOTQ
7500.exe	hxxp://btt5sxcx90.com/7500.exe	5e9c76ef1c8c09d9c60ed61ce7998a16afef7c7b	TSPY_DRIDEX.SLP
sample.doc	hxxp://btt5sxcx90.com/sample.doc	d298e996d094640c87618d15c44b57d8391a357	non-malicious word document
template.doc	-	dd1328da51b4cc4db1bb0bc65523e46cdf759a4a	TROJ_ARTIEF.JEJOTQ
last.exe	hxxp://95.46.99.199/last.exe	-	already inaccessible
q.doc	hxxp://95.46.99.199/q.doc	-	already inaccessible

Available Solutions

File Layer

The table below shows the information about the detections done by VSAPI:

SHA256	Detection Name
13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575	TROJ_CVE20170199.A
3c0a93d05b3d0a9564df63ed6178d54d467263ad6e3a76a9083a43a7e4a9cca5	TROJ_CVE20170199.A
b3b3cac20d93f097b20731511a3adec923f5e806e1987c5713d840e335e55b66	TROJ_CVE20170199.B/C
d3cba5dcdd6eca4ab2507c2fc1f1f524205d15fd06230163beac3154785c4055	TROJ_CVE20170199.B/C
b9147ca1380a5e4adcb835c256a9b05dfe44a3ff3d5950bc1822ce8961a191a1	TROJ_CVE20170199.B/C
4453739d7b524d17e4542c8ecfce65d1104b442b1be734ae665ad6d2215662fd	TROJ_CVE20170199.A
b9b92307d9fffff9f63c76541c9f2b7447731a289d34b58d762d4e28cb571fbd	TROJ_CVE20170199.B/C

Network Layer

The table below shows the products that can stop the threat on the Network Layer:

Product	Details
WRS Blocking	Known related C&C has been blocked
Deep Security	Security Update 17-015 – Includes coverage for CVE-2017-0199 and some specific protection for MS Word in addition to some other non-related vulnerabilities
Deep Discovery Inspector	Rule 18 - DNS response of a queried malware Command and Control domain
TippingPoint	Filter 27726 – HTTP: Microsoft Word RTF objautlink Memory Corruption Vulnerability Filter 27841 – HTTP: RTF File Implementing objautlink and URL Monikers Filter 27842 – HTTP: Suspicious Obfuscated Powershell Execution

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Microsoft Office Zero-day CVE-2017-0199 threat information

Payload

Available Solutions

File Layer

Network Layer

Microsoft Office Zero-day CVE-2017-0199 threat information

Product / Version includes:

Summary

Payload

Available Solutions

File Layer

Network Layer