Hi,

Regularly we receive DOC files which contain a virus. This virus is not detected by ClamAV, but Kaspersky catches it as "HEUR:Exploit.RTF.CVE-2018-0802.gen". When I check the file using rtfobj, it gives the following output.
    # rtfobj Balance\ Sheet\ .doc
    rtfobj 0.54 on Python 2.7.5 - http://decalage.info/python/oletools
    THIS IS WORK IN PROGRESS - Check updates regularly!
    Please report any issue at https://github.com/decalage2/oletools/issues
    ===============================================================================
    File: 'Balance Sheet .doc' - size: 2218409 bytes
    ---+----------+-----------------------------------------------------------------
    id |index     |OLE Object
    ---+----------+-----------------------------------------------------------------
    0  |00000DEAh |format_id: 2 (Embedded)
       |          |class name: 'Package'
       |          |data size: 15993
       |          |OLE Package object:
       |          |Filename: u'Client.vbs'
       |          |Source path: u'C:\\fakepath\\Client.vbs'
       |          |Temp path = u'C:\\fakepath\\Client.vbs'
       |          |MD5 = '3eea151cada1cf5592942ec92be044f0'
       |          |EXECUTABLE FILE
    ---+----------+-----------------------------------------------------------------
    1  |00031BD0h |format_id: 2 (Embedded)
       |          |class name: 'Equation.3'
       |          |data size: 3072
       |          |MD5 = '5527f9576bc4e9aa92c5646d41720008'
       |          |CLSID: 20E02C00-0000-0000-0C00-000000000004
       |          |unknown CLSID (please report at
       |          |https://github.com/decalage2/oletools/issues)
       |          |Possibly an exploit for the Equation Editor vulnerability
       |          |(VU#421280, CVE-2017-11882)
    ---+----------+-----------------------------------------------------------------

How can we write customized rules to detect these DOC files?

Thanks,
Chaminda Indrajith
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
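One way to build a custom check for files like the one above, as an added example that is not part of the original post, of oletools, or of ClamAV: rtfobj found both objects by hex-decoding the `\objdata` groups and reading the OLE1 object header (OLEVersion, FormatID, then the length-prefixed ClassName, TopicName and ItemName, MS-OLEDS 2.2.4). The script below does the same in a few dozen lines of Python and flags the two class names from the rtfobj output, 'Package' and 'Equation.3'. The RTF sample is constructed inline (placeholder bytes, not a real Client.vbs or Equation Editor record); the suspicious-class list and the names `scan_rtf`, `parse_ole1_header` and `ndb_signature` are this example's own. The `.ndb` line it emits follows the `Name:TargetType:Offset:HexSignature` layout I know from the ClamAV signature manual; treat that as an assumption to verify before loading it.

```python
"""Flag RTF files carrying OLE1 embedded objects with suspicious class names.

Added example for this thread; not oletools or ClamAV code.
"""
import re
import struct

# Class names taken from the rtfobj output in the post: "Package" wraps an
# arbitrary file (there, Client.vbs); "Equation.3" is the Equation Editor
# object abused by CVE-2017-11882 / CVE-2018-0802 documents.
SUSPICIOUS_CLASSES = {"Package", "Equation.3"}

# Hex payload following the \objdata control word. RTF allows whitespace and
# line breaks between hex digits, so the character class admits them.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _read_lpstr(blob, off):
    """LengthPrefixedAnsiString (MS-OLEDS 2.1.4): u32 length incl. NUL, bytes."""
    if off + 4 > len(blob):
        return None, off
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    if n > len(blob) - off:          # length points past the data: malformed
        return None, off
    return blob[off:off + n].rstrip(b"\0").decode("latin-1"), off + n


def parse_ole1_header(blob):
    """Parse the OLE1 ObjectHeader at the start of an \\objdata blob
    (MS-OLEDS 2.2.4): OLEVersion, FormatID, ClassName, TopicName, ItemName,
    then NativeDataSize for embedded (FormatID 2) objects."""
    if len(blob) < 8:
        return None
    version, format_id = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):
        s, off = _read_lpstr(blob, off)
        if s is None:
            return None
        names.append(s)
    native_size = None
    if format_id == 2 and off + 4 <= len(blob):
        (native_size,) = struct.unpack_from("<I", blob, off)
    return {"version": version, "format_id": format_id,
            "class_name": names[0], "topic_name": names[1],
            "item_name": names[2], "native_size": native_size}


def scan_rtf(data):
    """Return one finding per \\objdata group: decoded header plus verdict."""
    findings = []
    for m in OBJDATA_RE.finditer(data):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexdigits.decode("ascii"))
        except ValueError:                # odd digit count etc.
            blob = b""
        hdr = parse_ole1_header(blob)
        if hdr is None:                   # truncated/oversized header: still worth a look
            findings.append({"offset": m.start(), "class_name": None,
                             "verdict": "malformed"})
            continue
        verdict = "suspicious" if hdr["class_name"] in SUSPICIOUS_CLASSES else "ok"
        findings.append({"offset": m.start(), "verdict": verdict, **hdr})
    return findings


def ndb_signature(name, class_name):
    """ClamAV .ndb line (assumed layout Name:TargetType:Offset:Hex) matching
    the class name as it appears inside \\objdata: the ASCII name is hex-encoded
    by the RTF writer, so the byte pattern is the hex of that lowercase hex text."""
    rtf_hex_text = class_name.encode("latin-1").hex().encode("ascii")
    return "%s:0:*:%s" % (name, rtf_hex_text.hex())


# --- constructed sample, used only to exercise the scanner -------------------
def ole1_objdata(class_name, native, format_id=2):
    """Pack an OLE1 embedded-object blob (OLEVersion 0x501) for the sample."""
    def lp(s):
        return struct.pack("<I", len(s) + 1) + s + b"\0"
    return (struct.pack("<II", 0x00000501, format_id) + lp(class_name)
            + lp(b"") + lp(b"") + struct.pack("<I", len(native)) + native)


def _hex_with_breaks(blob, width=16):
    h = blob.hex()
    return b"\r\n".join(h[i:i + width].encode() for i in range(0, len(h), width))


SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0 Balance sheet attached."
    rb"{\object\objemb{\*\objclass Package}{\*\objdata "
    + _hex_with_breaks(ole1_objdata(b"Package", b"fake-Client.vbs-bytes"))
    + rb"}}{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    + _hex_with_breaks(ole1_objdata(b"Equation.3", b"placeholder-mtef"))
    # third object: class-name length 0x0FF00000, far past the end of the blob
    + rb"}}{\object\objemb{\*\objdata 01050000020000000000f00f41}}}"
)

if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f)
    print(ndb_signature("Doc.Exploit.RtfEquation", "Equation.3"))
```

Run it against a real sample with `scan_rtf(open(path, "rb").read())`. Two caveats for anyone turning this into production rules: the `.ndb` byte pattern only matches lowercase, unbroken hex, so a writer that emits uppercase digits or splits the hex across lines (both legal RTF, and the sample above does the latter) slips past it, which is exactly why the parsing check is the stronger of the two; and a 'malformed' verdict is itself a signal, since a class-name length that runs past the blob is not something Word produces.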
