The Equation Strikes Back – DIFAT overflow

As promised in our last tech blog, we are disclosing additional unique variants of exploits for this Microsoft Equation Editor vulnerability. These variants circumvent many security solutions that attempt to protect your valuable data from infestation, including those of leading sandbox and anti-malware vendors.

In this article we show how another bug, this one in OLE32.dll, which mishandles an integer overflow, is used to bypass security solutions and fool parsers.



According to the format specification, the compound file header contains a table called the DIFAT, which is an array of 32-bit sector numbers. Each sector has an ID, which can be any unsigned 32-bit value up to 0xFFFFFFFA (MAXREGSECT); the values above it are reserved markers such as FREESECT (0xFFFFFFFF). The DIFAT in the header holds the sector IDs of the FAT sectors together with those special markers. To reach the sector referenced by entry N of the table, its file offset is computed with the following formula: sector_size * (sector ID + 1), where the sector ID is DIFAT[N].

The relevant parts of the official specification are shown below [pages 15-20]:

[Screenshots of the MS-CFB specification, pages 15-20: header layout, sector numbers and the DIFAT]

It turns out that when a large sector ID is present, the formula above leads to an integer overflow that ultimately yields a relatively small offset.

The following screenshots show the OLE32.dll code that performs the overflowing calculation.

[Screenshots: OLE32.dll sector offset calculation]

The sector size is 512, and the first sector ID is 0xFF000000. Note that 0xFF000000 is below MAXREGSECT, so to a spec-conforming parser it is a valid regular sector number, even though no file of this size can contain such a sector. Let's apply the formula from the official specification: (0xFF000000 + 1) * 512 = 2190433321472, or 0x1FE00000200 in hex.

It is easy to see that the result does not fit in 32 bits (integer overflow), so when the code above performs the calculation in 32-bit arithmetic, only the lowest 32 bits of the product survive. In other words, the calculated offset becomes 0x200 = 512, as can be seen in the following debugger screenshot.

[Debugger screenshot: computed sector offset 0x200]

This result makes sense, because it points just after the 512-byte header, which is the natural location of the first sector (sector 0).

This behavior is not documented by Microsoft, but it confuses high-level parsers that do the arithmetic without wrapping: they compute an offset far beyond the end of the file, so at best they ignore the sector that contains the exploit and at worst they crash. A parser that wants to reach the same bytes OLE32 reaches has to truncate the product to 32 bits, and a scanner should treat a DIFAT entry whose exact offset lies past the end of the file as a warning sign rather than as something to skip.
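To make the two calculations concrete, here is an added Python example (not code from the original post or from Solebit): it builds a constructed minimal compound-file header whose first DIFAT entry is 0xFF000000, then computes each entry's offset both the spec-exact way and with the product truncated to 32 bits the way OLE32.dll does, and flags entries where the two disagree. The header layout and the sector-number constants follow the MS-CFB specification; the helper names (`audit_difat`, `build_sample`) and the sample file are this example's own.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_SIZE = 512
SECTOR_SHIFT_OFFSET = 0x1E       # u16 sector shift; 9 -> 512-byte sectors
DIFAT_OFFSET = 0x4C              # first of the 109 u32 DIFAT entries in the header
HEADER_DIFAT_ENTRIES = 109
MAXREGSECT = 0xFFFFFFFA          # largest regular sector number (MS-CFB)
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF


def sector_offset_spec(sector_id, sector_size):
    """Offset as written in MS-CFB: (sector number + 1) * sector size, exact."""
    return (sector_id + 1) * sector_size


def sector_offset_32bit(sector_id, sector_size):
    """Same product kept to 32 bits, as a 32-bit multiply in native code keeps it."""
    return ((sector_id + 1) * sector_size) & 0xFFFFFFFF


def header_difat(data):
    """Return (sector_size, list of the 109 DIFAT entries stored in the header)."""
    if len(data) < HEADER_SIZE or data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    (sector_shift,) = struct.unpack_from("<H", data, SECTOR_SHIFT_OFFSET)
    entries = struct.unpack_from("<%dI" % HEADER_DIFAT_ENTRIES, data, DIFAT_OFFSET)
    return 1 << sector_shift, list(entries)


def audit_difat(data):
    """Flag header DIFAT entries whose exact offset and 32-bit offset disagree.

    Such an entry is unreachable for an exact parser (offset past EOF) but
    perfectly reachable for code that wraps at 32 bits; that is the evasion
    described in the post.
    """
    sector_size, entries = header_difat(data)
    findings = []
    for index, sector_id in enumerate(entries):
        if sector_id > MAXREGSECT:
            continue  # FREESECT / ENDOFCHAIN and friends are not sector references
        exact = sector_offset_spec(sector_id, sector_size)
        wrapped = sector_offset_32bit(sector_id, sector_size)
        if exact != wrapped:
            findings.append({
                "index": index,
                "sector_id": sector_id,
                "exact_offset": exact,
                "exact_in_file": exact < len(data),
                "wrapped_offset": wrapped,
                "wrapped_in_file": wrapped < len(data),
            })
    return findings


def build_sample(first_difat_entry, body_sectors=4):
    """Constructed minimal compound file: a 512-byte v3 header followed by a few
    zeroed 512-byte sectors. Not a real sample; only the header fields the audit
    reads (plus the ones a parser checks first) are filled in."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = CFB_MAGIC
    # minor version, major version (3), byte order, sector shift (9), mini sector shift (6)
    struct.pack_into("<HHHHH", hdr, 0x18, 0x003E, 0x0003, 0xFFFE, 0x0009, 0x0006)
    struct.pack_into("<I", hdr, 0x2C, 1)           # number of FAT sectors
    struct.pack_into("<I", hdr, 0x30, 1)           # first directory sector location
    struct.pack_into("<I", hdr, 0x38, 0x1000)      # mini stream cutoff size
    struct.pack_into("<I", hdr, 0x3C, ENDOFCHAIN)  # no mini FAT
    struct.pack_into("<I", hdr, 0x44, ENDOFCHAIN)  # no DIFAT sectors beyond the header
    difat = [first_difat_entry] + [FREESECT] * (HEADER_DIFAT_ENTRIES - 1)
    struct.pack_into("<%dI" % HEADER_DIFAT_ENTRIES, hdr, DIFAT_OFFSET, *difat)
    return bytes(hdr) + bytes(HEADER_SIZE * body_sectors)


if __name__ == "__main__":
    evasive = build_sample(0xFF000000)   # the sector ID from the post
    for f in audit_difat(evasive):
        print("DIFAT[%d] = 0x%08X: exact 0x%X (in file: %s), 32-bit 0x%X (in file: %s)" % (
            f["index"], f["sector_id"], f["exact_offset"], f["exact_in_file"],
            f["wrapped_offset"], f["wrapped_in_file"]))
    print("benign sample findings:", len(audit_difat(build_sample(0))))
```

For the constructed sample the audit reports DIFAT[0] with the exact offset 0x1FE00000200, far past the end of a 2.5 KB file, and the wrapped offset 0x200, which lands on the first sector. A parser that wants to see what OLE32 sees has to wrap the same way; a scanner can simply treat any disagreement between the two values as a red flag, since a regular sector number that large only makes sense in a multi-terabyte file.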

In this case the dropped malware is a new variant of Java Jacksbot. The trojan is a remote access backdoor that can only run, and therefore only infect you, if Java is installed. JACKSBOT is capable of taking complete control of the compromised system.

The malware code reveals that it is capable of visiting URLs, creating files and folders, running shell commands, and starting and terminating programs. It can also steal information by logging keystrokes and mouse events.

General Capabilities:

  • collect keystrokes
  • steal cached passwords and grab data from web forms
  • take screenshots
  • take pictures and record video from the webcam
  • record sound from the microphone
  • transfer files
  • collect general system and user information
  • steal keys for cryptocurrency wallets
  • manage SMS (for Android)
  • steal VPN certificates



IOC Type

  • Dropped hta
  • Dropped jar (1)
  • Dropped jar (2)
  • Dropped vbs
  • Malware Names (File Name)
  • Malware installation path
  • C&C Dropper

AutoStart Path (Registry Key)

  Value: ntfsmgr
  Data: "C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\ntfsmgr.jar"



In both samples, our analysis tools were not affected by these tricks, because they work by finding forms of code within the data, regardless of the objects wrapping it.


SoleGATE detects machine code (x86) in the file

SoleGATE's malware detection is a signature-less, patented solution that can detect these types of malware without sandboxing or behavioral inspection, and is therefore immune to sandbox evasion techniques.

Get Solebit’s whitepaper on a transformative, evasion-proof approach against modern cyber attacks that doesn’t require sandboxing. It will outline how to strengthen your cyber defenses dramatically by preventing attacks before they enter and harm your organization, your customers and your brand. Remediation is costly, prevention is not.
