Blog | G5 Cyber Security

FELIXROOT Backdoor is back in a fresh spam campaign

The FELIXROOT backdoor was first spotted by FireEye in September 2017, when attackers used it in attacks targeting Ukrainians. The new spam campaign used weaponized documents claiming to provide information on a seminar on environmental protection efforts. The documents include code that exploits the known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary. The weaponized document exploits the vulnerabilities to download a second-stage payload, which triggers the vulnerability to drop the final backdoor.

Source: https://securityaffairs.co/wordpress/74896/malware/felixroot-backdoor-fresh-campaign.html
