By Xiaopeng Zhang | April 22, 2025
Fortinet’s FortiGuard Labs observed a phishing campaign in the wild that delivered a malicious Word document as an attachment. This document contained crafted data designed to exploit the vulnerability CVE-2017-11882. After conducting an in-depth analysis, I discovered that the campaign was spreading a new variant of FormBook.
FormBook is information-stealing malware targeting Windows users. It steals sensitive data from compromised systems, including stored credentials from popular software, the victim’s keystrokes, screenshots, and system clipboard data.
I will present my research into this malware in a series of analysis blogs. This first one provides insights into how the phishing email tricks the recipient into opening the attached Word document, how it exploits the vulnerability CVE-2017-11882 with crafted equation data, how it downloads and decrypts the fileless FormBook executable, and how it ultimately executes the FormBook malware in a selected target process via process hollowing.