216.73.216.169

How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload

· Published 05/06/2025 22:36 · Modified 08/06/2025 16:35

Export JSON

Essential information

Published
05/06/2025 22:36
Modified
08/06/2025 16:35
Tags
2025-06-05 CVE-2017-0199 autoit formbook hta information stealer phishing
Related entities
1 vulnerabilities (cve), 8 observables, 9 techniques (mitre), 1 malware

Description

A high-severity campaign targeting old version Office Application users exploits vulnerability to deliver malware. The attack begins with an email containing a malicious Excel attachment. When opened, it triggers the vulnerability, downloading and executing a malicious file. This file then downloads and runs 'sihost.exe', which extracts and decodes 'springmaker', ultimately revealing the payload. The malware aims to capture sensitive data, including login credentials, keystrokes, and clipboard information. Despite being an 8-year-old vulnerability with available patches, organizations remain vulnerable due to challenges in vulnerability management and remediation. The attack process involves multiple stages of encryption and anti-debugging techniques to evade detection.

External references