0xDEADBEEF

Document Exploit Detection


Posted (edited)

I was wondering why the ESET scan usually doesn't detect documents with exploits. For example this file (the scan shows clean with 17430):

https://www.virustotal.com/#/file/84a7c1eac6e1a130cb66126fa48258e9c7c8b60a2a5fd0fcd564305775757641/detection

Executing this sample in a virtual machine successfully downloads the payload and executes it through the equation editor exploit, and ESET detects the payload post-execution as FareIt using AMS. But I feel like detecting it at early stages is better?

Edited by 0xDEADBEEF
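As an added example (not code from this thread, from ESET, or from any product): one form the "early stage" detection asked about above can take is a static pre-execution check that flags a document before it is ever opened. The Python below parses the OLE2 compound-file directory directly (no third-party modules), also decodes the hex-encoded \objdata blobs of RTF files, and reports three public markers of an embedded Equation Editor object: the 'Equation Native' stream name, the 'Equation.3' ProgID, and the Equation Editor 3.0 CLSID. The sample documents are built inline and are constructed test input, not the file behind the VirusTotal link; the function names and the layout of the built-in sample are assumptions of this example.

```python
import binascii
import re
import struct

# OLE2/CFB constants; the CLSID is the public Equation Editor 3.0 class id
# (assumed from format documentation, not taken from the thread).
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")  # {0002CE02-0000-0000-C000-000000000046}


def cfb_entries(blob):
    """Return (name, clsid) for each used directory entry of a compound file. Uses only the
    header DIFAT and lists entries linearly (no sibling tree): enough for a name/CLSID check."""
    if not blob.startswith(CFB_MAGIC) or len(blob) < 512:
        return []
    sec = 1 << struct.unpack_from("<H", blob, 30)[0]
    fat = []
    for i in range(109):
        s = struct.unpack_from("<I", blob, 76 + 4 * i)[0]
        if s >= 0xFFFFFFFA or (s + 2) * sec > len(blob):
            break
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), blob, (s + 1) * sec))
    entries, seen = [], set()
    s = struct.unpack_from("<I", blob, 48)[0]  # first directory sector
    while s < 0xFFFFFFFA and s not in seen and (s + 2) * sec <= len(blob):
        seen.add(s)
        for e in range(sec // 128):
            ent = blob[(s + 1) * sec + e * 128:(s + 1) * sec + (e + 1) * 128]
            name_len, obj_type = struct.unpack_from("<HB", ent, 64)
            if obj_type == 0 or not 2 <= name_len <= 64:
                continue  # unused entry or malformed name length
            entries.append((ent[:name_len - 2].decode("utf-16-le", "replace"), bytes(ent[80:96])))
        s = fat[s] if s < len(fat) else ENDOFCHAIN
    return entries


def ole_containers(data):
    """Yield OLE2 blobs: the file itself (legacy .doc) or the RTF \\objdata hex blobs."""
    if data.startswith(CFB_MAGIC):
        yield data
    elif data.lstrip().startswith(b"{\\rt"):
        for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
            try:
                raw = bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode("ascii"))
            except ValueError:
                continue  # not clean hex (e.g. obfuscated); leave for deeper analysis
            i = raw.find(CFB_MAGIC)  # the compound file sits behind an OLE1 wrapper
            if i >= 0:
                yield raw[i:]


def scan_document(data):
    """Return sorted indicators that the document embeds an Equation Editor object."""
    findings = set()
    if b"Equation.3" in data:  # ProgID in an RTF \objclass or an OLE2 CompObj stream
        findings.add("ProgID 'Equation.3'")
    for blob in ole_containers(data):
        for name, clsid in cfb_entries(blob):
            if name.lower() == "equation native":
                findings.add("stream 'Equation Native'")
            if clsid == EQNEDT_CLSID:
                findings.add("CLSID of Equation Editor 3.0 on '%s'" % name)
    return sorted(findings)


def build_cfb(stream_name, clsid=b"\0" * 16):
    """Constructed test input: a minimal v3 compound file with a root entry and one empty stream."""
    sec = 512
    hdr = bytearray(sec)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)        # versions, byte order, sector shifts
    struct.pack_into("<IIIII", hdr, 40, 0, 1, 1, 0, 4096)             # one FAT sector, directory at sector 1
    struct.pack_into("<IIII", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no extra DIFAT
    struct.pack_into("<I", hdr, 76, 0)                                 # DIFAT[0]: the FAT is sector 0
    for i in range(1, 109):
        struct.pack_into("<I", hdr, 76 + 4 * i, 0xFFFFFFFF)
    fat = bytearray(b"\xff" * sec)
    struct.pack_into("<II", fat, 0, 0xFFFFFFFD, ENDOFCHAIN)           # sector 0 = FAT, sector 1 = directory

    def entry(name, obj_type, clsid, child=0xFFFFFFFF):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\0\0"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 64, len(n), obj_type, 1, 0xFFFFFFFF, 0xFFFFFFFF, child)
        e[80:96] = clsid
        struct.pack_into("<I", e, 116, ENDOFCHAIN)
        return e

    directory = entry("Root Entry", 5, b"\0" * 16, child=1) + entry(stream_name, 2, clsid) + bytes(256)
    return bytes(hdr + fat + directory)


def constructed_samples():
    """Constructed inputs: a .doc with an Equation Editor object, the same object in RTF, a plain .doc."""
    doc = build_cfb("Equation Native", EQNEDT_CLSID)
    rtf = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
           + binascii.hexlify(b"\x01\x05\x00\x00" + doc) + b"}}}")  # leading bytes stand in for the OLE1 wrapper
    return {"doc": doc, "rtf": rtf, "benign": build_cfb("WordDocument")}


if __name__ == "__main__":
    for label, sample in constructed_samples().items():
        print(label, "->", scan_document(sample) or "no Equation Editor indicators")
```

This is a triage signal, not a verdict: a benign document that contains a legacy equation matches the same markers, so a hit means "inspect before opening" (or block at the mail gateway, where the post says this sample arrived) rather than "malicious". The check also only reads the header DIFAT and the plain \objdata encoding; heavily obfuscated RTF or very large files need a full parser, which is exactly the work an engine's automated processing does on the sample before a named detection appears.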


Hello @0xDEADBEEF

Thank you for the report.

The detection for this sample has already been added.

It was not yet detected when you posted this, as it had not yet been processed by the automated sample processing system.

In case you have undetected samples or a suspicious application, please send them to our research lab as described at https://support.eset.com/kb141/#SubmitFile

Thank you, P.R.

7 hours ago, 0xDEADBEEF said:

exec it through the equation editor exploit

This exploit was also patched a few months ago by Microsoft.

2 hours ago, Peter Randziak said:

Hello @0xDEADBEEF

Thank you for the report.

The detection for this sample has already been added.

It was not yet detected when you posted this, as it had not yet been processed by the automated sample processing system.

In case you have undetected samples or a suspicious application, please send them to our research lab as described at https://support.eset.com/kb141/#SubmitFile

Thank you, P.R.

Thanks! Originally I intended to ask whether ESET has generic exploit detection like the other vendors on VT, as shown on that webpage. From the updated detection name, I can see what's happening.

Posted (edited)
33 minutes ago, itman said:

This exploit was also patched a few months ago by Microsoft.

Yes... my test machine still has the old Office 2007 :rolleyes: BTW this sample is spread through spam, so it is a "real-world" one.

Edited by 0xDEADBEEF
