top of page
  • Clipeus

Old Microsoft Office Vulnerability Exploited To Distribute Agent Tesla

ZScaler reports a campaign exploiting an old Microsoft Office memory corruption vulnerability (CVE-2017-11882, CVSS 7.8) in order to distribute the information stealer Agent Tesla.

The campaign initiates with a phishing email delivering Microsoft Excel attachments whose themes are consistent with invoices or order notices.

Interaction with the attachment is the only user interaction needed to trigger the vulnerability. The memory corruption enables the actors to force download additional attachments without further user interaction. Such artifacts include:

  • A malicious image file weaponized with a dynamic link library (DLL) embedded with steganography;

  • A visual basic script which, as the image downloads, executes Powershell to extract the malicious base64-encoded DLL from the image;

  • The DLL downloads the Agent Tesla payload and executes it via RegAsm.exe as an evasion mechanism.


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page