Jump to content

Document Exploit Detection

0xDEADBEEF
 Share

Recommended Posts

0xDEADBEEF

0xDEADBEEF 43

Posted
Posted (edited)

Was wondering why ESET scan usually doesn't detect documents with exploit. For example this file (scan shows clean with 17430):

https://www.virustotal.com/#/file/84a7c1eac6e1a130cb66126fa48258e9c7c8b60a2a5fd0fcd564305775757641/detection

The exec of this sample in a virtual machine successfully download the payload and exec it through the equation editor exploit, and ESET detects the payload post-execution as FareIt using AMS. But I feel like detecting it at early stages is better?

Edited by 0xDEADBEEF
Link to comment
Share on other sites
  • ESET Moderators
Peter Randziak

Peter Randziak 1,130

Posted
  • ESET Moderators
Posted

Hello @0xDEADBEEF

thank you for the report.

The detection for this samples has been already added.

It was not yet detected, when you posted this as it was not yet processed by the automated samples processing system.

In case you have an undetected samples or suspicious application, please send it to our research lab as described at https://support.eset.com/kb141/#SubmitFile 

Thank you, P.R.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
7 hours ago, 0xDEADBEEF said:

exec it through the equation editor exploit

This exploit was also patched a few months ago by Microsoft.

Link to comment
Share on other sites
0xDEADBEEF

0xDEADBEEF 43

Posted
  • Author
Posted
2 hours ago, Peter Randziak said:

Hello @0xDEADBEEF

thank you for the report.

The detection for this samples has been already added.

It was not yet detected, when you posted this as it was not yet processed by the automated samples processing system.

In case you have an undetected samples or suspicious application, please send it to our research lab as described at https://support.eset.com/kb141/#SubmitFile 

Thank you, P.R.

thanks! originally I intended to ask if ESET has generic exploit detection like other vendors in VT as shown in that webpage. From the updated detection name, I can see what's happening

Link to comment
Share on other sites
0xDEADBEEF

0xDEADBEEF 43

Posted
  • Author
Posted (edited)
33 minutes ago, itman said:

This exploit was also patched a few months ago by Microsoft.

yes... my test machine is still with old office 2007 :rolleyes: BTW this sample is spread through spam, so it is a "real-world" one

Edited by 0xDEADBEEF
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...