Infostealer Malware FormBook Spread via Phishing Campaign – Part I
Essential information
- Published: 22/04/2025 15:57
- Modified: 22/04/2025 22:20
- Tags: 2025-04-22, CVE-2017-11882, fileless malware, formbook, infostealer, microsoft equation editor, phishing, process-hollowing
- Related entities: 1 vulnerability (CVE), 7 observables, 6 techniques (MITRE), 1 malware
Description
A phishing campaign delivering a malicious Word document that exploits CVE-2017-11882 (the Microsoft Equation Editor memory-corruption vulnerability) was observed spreading a new FormBook variant. The campaign tricks recipients into opening the attached document, which drops a 64-bit DLL and exploits the vulnerability to execute it. The DLL acts as a downloader and installer for FormBook: it establishes persistence and downloads an encrypted payload disguised as a PNG file. The payload is decrypted in memory and injected into a legitimate process using process hollowing. This fileless FormBook variant aims to evade detection by never writing the final payload to disk. The analysis covers the initial phishing email, the exploitation process, the payload download and decryption, and the injection techniques used to deploy FormBook.
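One check a defender can apply to the "payload disguised as a PNG" stage described above is to verify that a file claiming to be an image actually carries a valid PNG signature and IHDR chunk, and to flag signature-less high-entropy blobs that are typical of encrypted payloads. The code below is an added example written for this page, not code from the original analysis or from FormBook; the sample bytes (a minimal constructed PNG and a deterministic pseudo-random blob standing in for an encrypted payload) are constructed here, and the 7.5-bit entropy threshold is an assumed tuning value.

```python
import math
import random
import struct
import zlib
from dataclasses import dataclass

# 8-byte signature that every real PNG file starts with.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


@dataclass
class FileVerdict:
    claimed_png: bool       # file name ends in .png
    has_png_signature: bool  # first 8 bytes match PNG_SIGNATURE
    entropy: float           # Shannon entropy in bits per byte (0..8)
    suspicious: bool
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for encrypted/random data, low for sparse data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_png_payload(name: str, data: bytes, entropy_threshold: float = 7.5) -> FileVerdict:
    """Decide whether a supposed PNG looks like a genuine image or a disguised blob.

    The signature/IHDR checks are decisive; entropy is only a supporting signal,
    because a legitimate PNG's compressed IDAT data is also high-entropy.
    """
    claimed = name.lower().endswith(".png")
    has_sig = data.startswith(PNG_SIGNATURE)
    ent = shannon_entropy(data)

    if claimed and not has_sig:
        return FileVerdict(claimed, has_sig, ent, True,
                           "extension claims PNG but the 8-byte PNG signature is missing")
    if has_sig and data[12:16] != b"IHDR":
        return FileVerdict(claimed, has_sig, ent, True,
                           "PNG signature present but the first chunk is not IHDR")
    if not has_sig and ent >= entropy_threshold:
        return FileVerdict(claimed, has_sig, ent, True,
                           "no image signature and entropy consistent with encrypted data")
    return FileVerdict(claimed, has_sig, ent, False, "structure consistent with a PNG")


def build_minimal_png() -> bytes:
    """Constructed sample: signature plus a valid 1x1 8-bit RGB IHDR chunk (no pixel data)."""
    ihdr_data = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    chunk = b"IHDR" + ihdr_data
    crc = struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
    return PNG_SIGNATURE + struct.pack(">I", len(ihdr_data)) + chunk + crc


def build_fake_encrypted_blob(size: int = 4096, seed: int = 7) -> bytes:
    """Constructed sample: deterministic pseudo-random bytes standing in for an encrypted payload."""
    return random.Random(seed).randbytes(size)


if __name__ == "__main__":
    samples = {
        "logo.png (real)": build_minimal_png(),
        "logo.png (encrypted blob)": build_fake_encrypted_blob(),
        "logo.png (signature prepended to blob)": PNG_SIGNATURE + build_fake_encrypted_blob(),
    }
    for label, blob in samples.items():
        v = inspect_png_payload("logo.png", blob)
        print(f"{label:42s} entropy={v.entropy:4.2f} suspicious={v.suspicious} ({v.reason})")
```

In an incident-response setting this check would run over files the downloader wrote or fetched (proxy cache, sandbox artifacts); a `.png` that fails the signature check is worth pulling for decryption analysis rather than discarding as an image.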