
Document Exploit Detection



Was wondering why ESET scan usually doesn't detect documents with exploits. For example, this file (scan shows clean with 17430):

https://www.virustotal.com/#/file/84a7c1eac6e1a130cb66126fa48258e9c7c8b60a2a5fd0fcd564305775757641/detection

The exec of this sample in a virtual machine successfully downloads the payload and execs it through the equation editor exploit, and ESET detects the payload post-execution as FareIt using AMS. But I feel like detecting it at early stages is better?

Edited by 0xDEADBEEF

  • ESET Moderators

Hello @0xDEADBEEF

Thank you for the report.

The detection for this sample has already been added.

It was not yet detected when you posted this, as it was not yet processed by the automated sample processing system.

In case you have undetected samples or a suspicious application, please send it to our research lab as described at https://support.eset.com/kb141/#SubmitFile

Thank you, P.R.


7 hours ago, 0xDEADBEEF said:

exec it through the equation editor exploit

This exploit was also patched a few months ago by Microsoft.


2 hours ago, Peter Randziak said:

Hello @0xDEADBEEF

Thank you for the report.

The detection for this sample has already been added.

It was not yet detected when you posted this, as it was not yet processed by the automated sample processing system.

In case you have undetected samples or a suspicious application, please send it to our research lab as described at https://support.eset.com/kb141/#SubmitFile

Thank you, P.R.

Thanks! Originally I intended to ask if ESET has generic exploit detection like other vendors in VT, as shown on that webpage. From the updated detection name, I can see what's happening.


33 minutes ago, itman said:

This exploit was also patched a few months ago by Microsoft.

Yes... my test machine is still on old Office 2007 :rolleyes: BTW, this sample is spread through spam, so it is a "real-world" one.

Edited by 0xDEADBEEF