Skip to content

Outdated Excel and Word CVEs are still exploited in the wild

  • by
  • 3 min read

Threat actors in several countries, including India, still use old Microsoft Word and Excel vulnerabilities to distribute malware. More than 13,000 samples showcase old CVEs are being used in the wild.

Despite not being a 0-day, CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802 still pose a significant threat to the cybersecurity community.

File formats like docs, xlxs, and rtf are being used to lure victims into downloading the malware and target finance/banking, government and healthcare industries, per the findings of Cybersecurity researchers from Checkpoint.

The historical use of these CVEs is noteworthy, having spread notorious malware families such as Dridex in 2017 (CVE-2017-0199) and Guloader in 2021 (CVE-2017-11882). In 2023, the trend continues, with new additions to the list, including samples linked to:

  • Gamaredon APT: An infamous Russian state-sponsored hacking group.
  • Agent Tesla: Topping the most prevalent malware list in October 2022.
  • GuLoader: A prominent shellcode-based downloader used in various attacks.
  • Formbook: An infostealer malware with a history dating back to 2016.
A maldoc containing text relevant to its name. | Source: Checkpoint

This showcases that seasoned threat actors, rather than amateurs, continue to leverage old CVEs to spread sophisticated malware.

Maldoc operators employ creative lures to trick victims into opening malicious documents. Examples include deceptive filenames, empty documents, and explicit instructions to enable editing.

Despite the age of these exploitation methods, detecting maldocs at their earliest stages remains challenging for cybersecurity experts. The distribution stage for most maldocs is active within less than a week, maximising the impact of the subsequent malware. Researchers found that some samples evade detection quite easily even in modern systems.

Another concerning fact is that these maldocs target highly profitable and vital sectors such as banking, governments, and healthcare. The selection of countries, including the United States, Poland, Turkey, UK, Russia, Portugal, Taiwan, Italy, South Korea, Greece, Austria, Israel and India, appears strategic, with many countries being vastly technologically superior.

A warning message is displayed when a user clicks on the malicious URL in the documents. | Source: Checkpoint

To complicate analysis by researchers, maldoc operators employ various technical tricks:

  • Encryption: Malcocs encrypt Excel documents using MS Enhanced RSA and AES crypto-providers.
  • Peculiar URLs: Unusual URL formats, particularly in CVE-2017-0199, include authentication data in the request.
  • Shellcode with junk: Shellcodes are obfuscated with junk instructions and spaghetti jumps, making automated analysis complex.
  • Enormous oleObject: Maldocs with oversized oleObjects containing encrypted VBA macros challenge automated environments.
  • Obfuscated VBA macros: Some maldocs employ obfuscated VBA macros, requiring different analysis tools for detection.

To protect their systems, researchers have urged users to exercise caution while opening links from unexpected emails, especially if they are working in an important sector of the economy, and promptly consult an expert if something feels fishy.

In the News: Google officially renames Bard to Gemini

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: