Executive Summary
In November 2025, security researchers identified a malware delivery technique that layers Microsoft Office documents like Russian Matryoshka dolls. Attackers embedded a weaponized RTF file exploiting CVE-2017-11882 (the Equation Editor memory corruption flaw) inside an OOXML Word document. Because the exploit needs no macro, the lure sidesteps Microsoft's default blocking of macros in documents that arrive from the internet. When the document is opened, the RTF triggers shellcode that writes a malicious DLL to the user's local Temp directory and executes it with an obfuscated command line to evade detection. The chain may be linked to info-stealers such as FormBook, and it complicates detection and response for organizations that rely on file-type controls alone.
This incident shows that document-based exploitation remains relevant even as macro-based attacks decline, with threat actors turning to nesting techniques instead. Security teams must adapt to delivery mechanisms that sidestep recent platform protections, which makes layered defenses and behavioral detection essential.
Why This Matters Now
Cybercriminals continue to innovate around security controls, exploiting legacy vulnerabilities through new document-embedding methods. As techniques such as OOXML-nested RTFs slip past file-type filters, organizations need to update detection and prevention strategies before attackers shift methods again.
Attack Path Analysis
The attack began when a victim opened a malicious Microsoft Office document containing an embedded RTF file that exploits CVE-2017-11882 for code execution. Exploitation runs in the context of the logged-on user; a DLL payload was then dropped to the Temp directory and executed, giving the attacker a foothold from which privilege escalation could be attempted. From there the DLL could support internal reconnaissance and lateral movement within the victim's environment. The malware would establish command and control through outbound connections, likely over obfuscated or encrypted channels to evade detection, and stolen data or credentials could then be exfiltrated to adversary infrastructure. The outcome may be information theft, persistence, or deployment of further malware.
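To make the nesting concrete, here is an added triage script (written for this page, not code from the ISC diary or from any tool it names) that unzips an OOXML package and flags the parts where a nested RTF carrying an Equation Editor OLE object could hide. It checks the two places Word can carry such content: an altChunk relationship that renders a foreign part inline, and OLE containers under word/embeddings. The diary's exact packaging is not reproduced here, and the sample document the script builds is constructed and benign: it declares an Equation.3 object with no exploit bytes, so it only exercises the detection logic.

```python
"""Triage an OOXML document for a nested RTF that declares an Equation Editor OLE object."""
import io
import re
import zipfile

RTF_MAGIC = b"{\\rtf"                                  # every RTF body starts with {\rtf
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE compound file header (word/embeddings/*.bin)
ALTCHUNK_REL = b"relationships/aFChunk"                 # relationship type Word uses to render foreign content inline
EQUATION_PROGID = b"Equation.3"
# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation.3) as serialized on disk: Data1-3 little-endian
EQUATION_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
OBJDATA_RE = re.compile(rb"\\objdata\b\s*((?:[0-9a-fA-F]|\s)+)")


def decode_objdata(rtf: bytes):
    """Yield the binary blobs hidden in RTF \\objdata hex runs (whitespace-tolerant)."""
    for match in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", match.group(1))
        hexrun = hexrun[: len(hexrun) - len(hexrun) % 2]   # drop a dangling nibble
        try:
            yield bytes.fromhex(hexrun.decode("ascii"))
        except ValueError:
            continue


def rtf_indicators(rtf: bytes) -> list:
    """Indicators that this RTF embeds (and auto-activates) an Equation Editor object."""
    hits = []
    if re.search(rb"\\objclass\s*Equation", rtf):
        hits.append("objclass Equation")
    if b"\\objupdate" in rtf:
        hits.append("objupdate (forces the OLE object to activate on open)")
    for blob in decode_objdata(rtf):
        if EQUATION_PROGID in blob:
            hits.append("Equation.3 progid in objdata")
        if EQUATION_CLSID_LE in blob:
            hits.append("Equation.3 CLSID in objdata")
    return hits


def scan_docx(data: bytes) -> dict:
    """Return {zip entry: [indicators]} for every part of the package that looks suspicious."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for name in package.namelist():
            blob = package.read(name)
            hits = []
            if name.endswith(".rels") and ALTCHUNK_REL in blob:
                hits.append("altChunk relationship (foreign content rendered inline)")
            pos = blob.find(RTF_MAGIC)
            if pos != -1:
                where = " inside OLE container" if blob.startswith(OLE_MAGIC) else ""
                hits.append("RTF content" + where)
                hits.extend(rtf_indicators(blob[pos:]))
            if hits:
                findings[name] = hits
    return findings


def build_sample_docx() -> bytes:
    """Constructed, benign stand-in: a minimal docx that pulls in an RTF via altChunk.
    The RTF declares an Equation.3 object but carries no exploit bytes."""
    # OLE1 object header: version, format id, class-name length, "Equation.3\0", padding
    objdata = b"01050000020000000b000000" + b"4571756174696f6e2e3300" + b"0000000000000000"
    rtf = (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
           b"{\\*\\objdata " + objdata + b"}}}")
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId9" Target="afchunk.rtf" '
            b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk"/>'
            b"</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", b"<Types/>")
        package.writestr("word/document.xml",
                         b'<w:document><w:body><w:altChunk r:id="rId9"/></w:body></w:document>')
        package.writestr("word/_rels/document.xml.rels", rels)
        package.writestr("word/afchunk.rtf", rtf)
    return buf.getvalue()


if __name__ == "__main__":
    for part, hits in scan_docx(build_sample_docx()).items():
        print(part, "->", "; ".join(hits))
```

Run it against a real sample with `scan_docx(open(path, "rb").read())`. The objclass and CLSID checks are heuristics: exploit RTFs often obfuscate the object class name and pad the objdata hex with junk control words, so treat any RTF part that declares an OLE object together with \objupdate as worth a sandbox detonation rather than trusting a clean result.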
Kill Chain Progression
Initial Compromise
Description
Victim receives and opens a crafted Office document with an embedded malicious RTF file exploiting CVE-2017-11882, leading to remote code execution.
Related CVEs
CVE-2017-11882
CVSS 7.8
A memory corruption vulnerability in Microsoft Office's Equation Editor (EQNEDT32.EXE) allows remote code execution via a specially crafted document.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment (T1566.001)
User Execution: Malicious File (T1204.002)
Exploitation for Client Execution (T1203)
Masquerading (T1036)
Command and Scripting Interpreter: Windows Command Shell (T1059.003)
System Binary Proxy Execution: Rundll32 (T1218.011)
Obfuscated Files or Information (T1027)
Process Injection (T1055)
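The last four techniques above are the observable follow-on chain on the endpoint. As an added example that is not part of the original analysis, the hunt below runs over constructed Sysmon-style process-creation records and flags (a) EQNEDT32.EXE spawning a shell or script host and (b) any command line that points rundll32 or regsvr32 at a file under the user's Temp directory, after undoing cmd.exe-level obfuscation. Two assumptions are mine: the obfuscation shown (carets and empty quote pairs, which cmd.exe discards) is a hypothetical stand-in, since the diary's exact command line is not reproduced here, and the field names follow Sysmon Event ID 1. One caveat matters for rule authors: Equation Editor is launched by DCOM, so its parent is svchost.exe (DcomLaunch), not WINWORD.EXE, and a rule keyed only on Word's child processes will miss this chain.

```python
"""Hunt process-creation telemetry for the CVE-2017-11882 follow-on chain:
EQNEDT32.EXE spawning a shell or LOLBin that loads a DLL from the user's Temp directory."""
import re

# Constructed Sysmon-style Event ID 1 records; not real telemetry from the incident.
# Note the parent of EQNEDT32.EXE is svchost.exe (DcomLaunch), not WINWORD.EXE.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k DcomLaunch"},
    {"Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    # Hypothetical obfuscated launcher: carets and empty quote pairs are ignored by cmd.exe
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'cmd /c r^u^n""dll32 "C:\Users\bob\AppData\Local\Temp\~DF12.tmp",Start'},
    # Benign rundll32 use for contrast: system DLL, parent is an ordinary shell
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

CHILDREN_OF_INTEREST = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                        "mshta.exe", "wscript.exe", "cscript.exe"}
DLL_LOADERS = ("rundll32", "regsvr32")
TEMP_PATH_RE = re.compile(r"\\appdata\\local\\temp\\")   # %TEMP% for an interactive user


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_cmdline(cmd: str) -> str:
    """Undo cmd.exe-level obfuscation before matching: strip carets and empty quote pairs,
    collapse whitespace, lower-case."""
    cmd = cmd.replace("^", "").replace('""', "")
    return re.sub(r"\s+", " ", cmd).strip().lower()


def evaluate(event: dict) -> list:
    """Return the reasons (possibly none) this event matches the chain."""
    reasons = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = normalize_cmdline(event["CommandLine"])
    if parent == "eqnedt32.exe" and child in CHILDREN_OF_INTEREST:
        reasons.append(f"eqnedt32.exe spawned {child}")
    if any(loader in cmd for loader in DLL_LOADERS) and TEMP_PATH_RE.search(cmd):
        reasons.append("dll loader pointed at a file under %temp%")
    return reasons


def hunt(events: list) -> list:
    """Return [(index, reasons)] for the events that match."""
    return [(i, r) for i, e in enumerate(events) if (r := evaluate(e))]


if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"], "->", reasons)
```

Only the obfuscated launcher (record 2) fires, on both conditions; the benign shell32 call does not, because it neither descends from Equation Editor nor loads from Temp. Pair this with a file-creation rule on EQNEDT32.EXE writing to the Temp directory, which precedes the execution step in the chain described above.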
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software (Malware) Detection and Prevention
Control ID: 5.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Malicious Content Filtering and Execution Restriction
Control ID: Identity: Device Security 04
NIS2 Directive – Technical and Organizational Measures for Information Security
Control ID: Art. 21(2)(a)-(c)
Sector Implications
Industry-specific impact of this attack, including operational, regulatory, and cloud security risks.
Financial Services
For financial institutions, the Russian Doll chain exploiting CVE-2017-11882 through nested RTF documents gives an attacker a user-level foothold whose C2 and exfiltration traffic can blend into encrypted outbound flows, putting pressure on egress security controls.
Government Administration
Malware distribution through nested Office documents threatens government systems and calls for stronger threat detection and zero trust segmentation in line with the applicable compliance frameworks.
Health Care / Life Sciences
An RTF exploit against the Equation Editor poses a critical risk to healthcare data integrity and calls for strengthened east-west traffic security and HIPAA compliance measures.
Information Technology/IT
This multi-layered Office malware attack demonstrates advanced evasion techniques affecting IT infrastructure and calls for improved anomaly detection and multicloud visibility controls.
Sources
- Microsoft Office Russian Dolls (SANS Internet Storm Center diary, Fri, Nov 14th): https://isc.sans.edu/diary/rss/32484
- CVE-2017-11882 Vulnerability: Analysis, Impact, Mitigation (Huntress): https://www.huntress.com/threat-library/vulnerabilities/cve-2017-11882
- CVE-2017-11882 - Microsoft Office Memory Corruption Vulnerability (VulnWire): https://www.vulnwire.com/vulnerability/CVE-2017-11882
- CVE-2017-11882 is still being exploited (Kaspersky official blog): https://usa.kaspersky.com/blog/cve-2017-11882-exploitation-on-the-rise/28757/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Cloud Native Security Fabric controls, such as zero trust segmentation, egress policy enforcement, inline IPS, and threat detection, would have constrained initial exploit delivery, blocked lateral movement and C2, and enabled rapid detection of anomalous or malicious behavior. Workload segmentation and observability would further limit malware spread and data loss.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious document-based exploits and process behaviors are rapidly detected and alerted on.
Control: Zero Trust Segmentation
Mitigation: A host compromised through the dropped DLL, including any privilege escalation or persistence that follows, is confined to its minimum access zone, limiting what it can reach.
Control: East-West Traffic Security
Mitigation: Suspicious lateral scans and internal traffic are intercepted or denied.
Control: Egress Security & Policy Enforcement
Mitigation: Malicious or unauthorized outbound C2 traffic is blocked or flagged.
Control: Cloud Firewall (ACF)
Mitigation: Malicious data exfiltration to untrusted destinations is stopped.
Automated enforcement and distributed policy reduce the blast radius and deny persistent threats.
Impact at a Glance
Affected Business Functions
- Document Processing
- Email Communications
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive documents and emails due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Patch Microsoft Office (the fix for CVE-2017-11882 shipped in November 2017) and, where patching lags, apply Microsoft's published workaround that disables the Equation Editor COM object by setting Compatibility Flags to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046} (and the Wow6432Node equivalent).
- Implement Zero Trust Segmentation to restrict access and lateral movement across all workloads and user identities.
- Enforce robust egress filtering and outbound policy controls to prevent C2 and data exfiltration from any workload or user session.
- Deploy inline threat detection and anomaly response to rapidly identify malicious Office document exploits and abnormal behaviors.
- Enable comprehensive east-west traffic visibility and microsegmentation across cloud and hybrid environments to contain post-compromise threats.
- Regularly update exploit signatures and conduct tabletop exercises to validate detection and containment playbooks against document-based malware attacks.