Infostealer Malware FormBook Spread via Phishing Campaign – Part I

Published 22/04/2025 15:57 · Modified 22/04/2025 22:20

Essential information

Tags
2025-04-22 CVE-2017-11882 fileless malware formbook infostealer microsoft equation editor phishing process-hollowing
Related entities
1 vulnerabilities (cve), 7 observables, 6 techniques (mitre), 1 malware

Description

A campaign delivering a malicious Word document that exploits CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening the attached document, which drops a 64-bit DLL and exploits the Equation Editor vulnerability to execute it. The DLL acts as a downloader and installer for FormBook: it establishes persistence and downloads an encrypted payload disguised as a PNG file. The payload is decrypted in memory and injected into a legitimate process using process hollowing. This fileless FormBook variant aims to evade detection by keeping the malware entirely in memory, never writing the decrypted payload to disk. The analysis covers the initial email, the exploitation process, the payload download and decryption, and the injection techniques used to deploy FormBook.

External references