{
	"id": "e0c9e207-5cef-454c-94e2-372746c98165",
	"created_at": "2026-04-06T00:09:50.799534Z",
	"updated_at": "2026-04-10T03:22:13.623036Z",
	"deleted_at": null,
	"sha1_hash": "09978f7a5fd08450f1c83ac8b36a1cd43fe68c0d",
	"title": "Cracking Formbook malware: Blind deobfuscation and quick response techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94108,
	"plain_text": "Cracking Formbook malware: Blind deobfuscation and quick response techniques\r\nBy Pierre-Henri PEZIER\r\nPublished: 2024-11-13 · Archived: 2026-04-05 22:27:13 UTC\r\nThreat analysts have to respond quickly to an attack. When dealing with well-obfuscated code, shortcuts sometimes have to be taken to expedite the analysis and detection process. Malware identified by our TEHTRIS Threat Intelligence team (CTI) as the Formbook stealer was writing scrambled files on the victim’s side; this case illustrates how an analyst can perform a known-plaintext attack on an obfuscated file.\r\nFirst, what is FormBook? FormBook is a widespread information-stealing malware known for targeting Windows systems. It primarily focuses on stealing login credentials, keystrokes, and other sensitive data, and is often delivered through phishing emails or malicious attachments. FormBook is easy to acquire as malware-as-a-service (MaaS) on underground forums, making it a popular choice for cybercriminals.\r\nWhen running the FormBook malware (SHA-256: e5aebbb2c6ad445d5a2ee5c33a77d8ecfe74cf206433b723736e2e88b) in our sandboxes, one file dropped by the malware (T1588.001) immediately catches our attention:\r\nfig.1: Dropped file as seen in the sandbox\r\nThis file was heavily obfuscated and completely invisible in the source file. Upon inspecting it, we observed notably low entropy, an immediate indicator that the content was not encrypted. Additionally, a familiar pattern emerged, resembling structures commonly seen in a PE (Portable Executable) file. 
We suspect that the file is obfuscated using a static key, without any diffusion mechanism, which makes certain patterns easier to detect despite the obfuscation.\r\nThe patterns, resembling the MZ header, PE header, and padding, appear to align with typical PE structures, as shown in the figure below.\r\nhttps://tehtris.com/en/blog/cracking-formbook-malware-blind-deobfuscation-and-quick-response-techniques/\r\nPage 1 of 9\r\nfig.2: Comparison with “kernel32.dll”\r\nWe can now attempt to guess the key. By XORing the first two bytes of the obfuscated file with the known plaintext (the “MZ” header signature), we retrieve the first two bytes of the key. Wherever the input buffer is zero, the key appears in plain text. By searching for this pattern in large areas of zero bytes within the input, we can determine both the key content and its length (highlighted in orange in the figure).\r\nfig.3: Key guessing\r\nA simple Python script can be used to deobfuscate this type of file by applying the retrieved key to reverse the XOR encryption.\r\nimport sys\r\nimport pathlib\r\nimport array\r\n\r\n\r\ndef xor_decrypt(encrypted_file: pathlib.Path,\r\n                decrypted_file: pathlib.Path,\r\n                key: bytes) -\u003e None:\r\n    \"\"\"XOR every byte of encrypted_file with the repeating key and write the result to decrypted_file.\"\"\"\r\n    key = array.array(\"B\", key)\r\n    with encrypted_file.open(\"rb\") as enc_fd, decrypted_file.open(\"wb\") as dec_fd:\r\n        # Read key-sized chunks so that chunk[i] always lines up with key[i]\r\n        while chunk := enc_fd.read(len(key)):\r\n            chunk = array.array(\"B\", chunk)\r\n            for i in range(len(chunk)):\r\n                chunk[i] ^= key[i]\r\n            dec_fd.write(chunk.tobytes())\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    # Usage: pass the path of the obfuscated dropped file as the only argument;\r\n    # the key below is the one recovered in fig.3\r\n    infile = pathlib.Path(sys.argv[1])\r\n    outfile = pathlib.Path(sys.argv[1] + \".exe\")\r\n    xor_decrypt(infile, outfile, b\"LT0IPQD1IL\")\r\n    print(outfile)\r\nThe deobfuscated dropped file was generated using 
Hasherezade. As a result, this file is already detectable by our sandbox.\r\nfig.4: Sandbox detection\r\nTo detect this particular type of obfuscated payload, we apply basic mathematical checks to identify whether the known plaintext pattern can be found. First, we attempt to guess the first two bytes of the key and estimate a multiple of the key length, which should be determined quickly thanks to the abundance of null bytes in the PE header. Finally, we compare two offsets that should contain null bytes in the original file (0x3FD and 0x3A0), aligned with the multiple of the guessed key length, against the first two bytes of the clear-text key to confirm the key’s validity.\r\nThe following YARA rule implements these calculations:\r\nrule formbook_obfuscated_payload {\r\n    meta:\r\n        author = \"PEZIER Pierre-Henri. Copyright TEHTRIS 2024\"\r\n    condition:\r\n        filesize \u003e 100KB and\r\n        int8(0) != 0x4D and // A regular PE starts with 'M'; here the header is obfuscated\r\n        for any i in (2..0x30) : ( // Scan the PE header for a repeat of the two key bytes\r\n            // The obfuscated MZ bytes XORed with \"MZ\" give the first two key bytes; if the same\r\n            // two bytes recur at offset i, i is likely a multiple of the key length (plaintext is null there)\r\n            int8(0) ^ 0x4D == int8(i) and int8(1) ^ 0x5A == int8(i + 1)\r\n            and ( // Zero-byte known plaintext: the key must show through at a key-aligned offset\r\n                int8(0x3FD - 0x3FD % i) == int8(0) ^ 0x4D\r\n                and int8(0x3FD - 0x3FD % i + 1) == int8(1) ^ 0x5A\r\n            )\r\n            and ( // Confirm with a second offset\r\n                int8(0x3A0 - 0x3A0 % i) == int8(0) ^ 0x4D\r\n                and int8(0x3A0 - 0x3A0 % i + 1) == int8(1) ^ 0x5A\r\n            )\r\n        )\r\n}\r\nThe analysis employs various techniques to expedite the process, allowing us to be more responsive to our customers. 
This quick “live my life” piece offers a brief preview of our work, which is often overlooked but crucial for maintaining security.\r\nIOCs (indicators of compromise)\r\nThe following SHA-256 hashes correspond to similar samples:\r\nSource: https://tehtris.com/en/blog/cracking-formbook-malware-blind-deobfuscation-and-quick-response-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tehtris.com/en/blog/cracking-formbook-malware-blind-deobfuscation-and-quick-response-techniques/"
	],
	"report_names": [
		"cracking-formbook-malware-blind-deobfuscation-and-quick-response-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09978f7a5fd08450f1c83ac8b36a1cd43fe68c0d.pdf",
		"text": "https://archive.orkl.eu/09978f7a5fd08450f1c83ac8b36a1cd43fe68c0d.txt",
		"img": "https://archive.orkl.eu/09978f7a5fd08450f1c83ac8b36a1cd43fe68c0d.jpg"
	}
}