EXPL_MAL_MalDoc_TemplateInjection_Jun22

Rule Info

Name
EXPL_MAL_MalDoc_TemplateInjection_Jun22
Author
Florian Roth, Christian Burkard
Description
Detects Office documents that look as if they were exploiting the Template Injection vulnerability and use an IP address to download and force open the second stage
Score
85
Reference
https://attack.mitre.org/techniques/T1221/
Date
2022-06-03
Minimum Yara
2.2.0
Rule Hash
f2306502540bcdc0ef34d9dbea753b9b
Tags
['MAL', 'T1566_001', 'T1221', 'T1203', 'OFFICE', 'EXPLOIT']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/expl_mal_maldoc_templateinjection_jun22/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
1
Suspicious (< 10 engines)
1
Clean (0 engines)
0

Rule Matches

Timestamp
Positives
Total
Hash
VT
2022-09-08 11:12:26
25
64
14208d9dec0f75a0092f164c510729291c610ceec57169838093133023cc83df
2022-06-05 05:08:08
3
59
253fe2c0c721a5d539f0e3ffbcfb0bfab11ed1d984750eff72a8595f2cd0e079

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022