{
	"id": "5038ec87-31ac-444a-a0f0-26a9450afdab",
	"created_at": "2026-04-06T00:07:02.173491Z",
	"updated_at": "2026-04-10T03:21:41.727076Z",
	"deleted_at": null,
	"sha1_hash": "653654829df7f9b1e1c4009f4948e9bb8370ac2d",
	"title": "FormBook Malware Technical Analysis - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3913433,
	"plain_text": "FormBook Malware Technical Analysis - CYFIRMA\r\nArchived: 2026-04-05 15:57:38 UTC\r\nPublished On: 2021-11-17\r\nOverview\r\nRisk Score: 8\r\nConfidence Level: High\r\nSuspected Malware: FormBook Malware/Trojan\r\nFunction: Information stealing, credential harvesting, and downloading/dropping stealthier malware\r\nTactic Used: Process Injection/Process Hollowing\r\nThreat Actor Associations: ng-Code\r\nOther Malware related to FormBook: XLoader\r\nFirst Seen: July 2016\r\nhttps://www.cyfirma.com/outofband/formbook-malware-technical-analysis/\r\nPage 1 of 15\n\nLatest Seen: Nov 2021\r\nTarget Industry: Multiple\r\nTarget Countries: Multiple/global effect, but predominantly the US\r\nRelevancy: Global effect; used the latest zero-day vulnerability in Office 365 in 2021.\r\nBrief Introduction: FormBook malware is quite popular among attackers. It is basically an information\r\nstealer/trojan and is available on dark-web markets as Malware-as-a-Service. It was first seen in July 2016 and has\r\nbeen quite active since then. In 2020 it affected 4% of organizations worldwide and was in the top 3 list of\r\ntrending malware. It logs and monitors keystrokes, searches and accesses files, takes screenshots, harvests\r\ncredentials from different browsers, drops files, and downloads and executes stealthier malware as per the commands\r\nreceived from its Command-and-Control server (C2).\r\nXLoader appeared in 2020 and is considered the successor of FormBook: it shares a code base with FormBook and is\r\nadvertised for sale in the same dark-web forums where FormBook was earlier sold. XLoader also has the capability\r\nto compromise macOS.\r\nFormBook is mainly distributed using email campaigns, various infection mechanisms and different types of file\r\nattachments including PDF, DOC, RTF documents, EXE, ZIP, RAR, etc. 
It takes advantage of various vulnerabilities such as\r\nCVE-2012-0158 (Microsoft Windows Common Controls ActiveX Control Arbitrary Code Execution\r\nVulnerability), CVE-2017-01182 (Microsoft Office Memory Corruption Vulnerability), CVE-2017-0199\r\n(Microsoft Office/WordPad Remote Code Execution Vulnerability), and recently used an Office 365 zero-day\r\nvulnerability, CVE-2021-40444 (Microsoft MSHTML Remote Code Execution Vulnerability).\r\nFile Details: As shown in Figure 1, the following are the details related to the malware “FormBook”:\r\nFile Type: Windows PE-32 Executable\r\nMD5: c504f8e950801fd90e45b01023c29702\r\nSHA256: be24cc41a8c8b2c292743055cccd8a9ca25eddcaa26aa984a63a6dff70ddae55\r\nSubsystem: GUI\r\nCompilation Time: April 2016\r\nFigure 1\r\nFigure 1 above shows that FormBook malware is a Windows PE-32 executable and carries the signature of the Nullsoft\r\nInstaller. The file has different parts: one PE executable along with an embedded XML document and two LZMA-\r\ncompressed files.\r\nFigure 2 and Figure 3 show the different hash values corresponding to our malware file. Figure 2 also shows other basic\r\ninformation, such as the GUI subsystem and a compilation time of April 2016.\r\nFigure 2\r\nFigure 3\r\nFigure 4\r\nFigure 5\r\nFigure 4 above shows that the malware contains an NSIS installer, which is present in the overlay part. We further\r\nexamine and extract it. Figure 5 shows the entropy curve corresponding to the malware. 
The tool reports the file as not\r\npacked, but the curve at the end is somewhat flat with high entropy, which indicates the presence of\r\nsome packed code inside the executable file.\r\nFigure 6\r\nWhen we check the malicious file in different anti-virus engines, it is detected primarily as a\r\ntrojan/spyware/information stealer, which is the main function of the FormBook malware.\r\nFigure 7\r\nFigure 7 above shows the different sections present in FormBook. All are quite normal except .ndata, which is\r\na fully virtualized section, meaning it is only available in memory.\r\nFigure 8\r\nFigure 8 above shows the different libraries imported by FormBook. All are important and give us an indication\r\nof the functionality the malware incorporates. It includes memory, low-level functioning, user interface, graphical\r\nmanipulation, and registry access and manipulation capabilities. Shell32.dll and Ole32.dll are quite important here:\r\nole32.dll is used for handling OLE objects and is required for embedding OLE objects of one application into\r\nanother application, such as an Excel sheet embedded into a Word document, whereas shell32.dll is used to open\r\nweb pages and files.\r\nFigure 9\r\nFigure 9 above shows the various APIs/functions corresponding to the libraries mentioned in Figure 8 and\r\nprovides us with important information that the FormBook malware has the following capabilities:\r\n1. Anti-debugging capability.\r\n2. Capability to collect system information.\r\n3. Capability to handle Windows/GUI functions.\r\n4. Ability to create new threads and processes, and to manipulate them.\r\n5. Synchronization capability to handle multiple processes and threads and to access shared resources.\r\n6. 
Capability to access native APIs to perform low-level functions such as handling/manipulating\r\nhardware, memory, and processes directly.\r\n7. Ability to access and manipulate registry entries.\r\n8. Capability to load other DLLs, libraries, and processes in memory.\r\n9. Ability to handle, search, open, close, write, access and manipulate files.\r\n10. Capability to search drives and folders.\r\nFigure 10\r\nFigure 10 above shows the XML code present as a manifest in the file. It contains metadata corresponding to the\r\ndifferent files that are part of the same group or package. The requested privilege level is “asInvoker”, which means the\r\nprocess adopts whatever privileges are assigned to the user. The manifest further demonstrates the dependency on Nullsoft NSIS and its\r\nversion number. NSIS is a free framework used to bundle many elements of an application together, including\r\nDLLs or executables, and an NSIS script is also bundled along with the application/file/malware to control how all\r\nof them are extracted and executed.\r\nFigure 11 below also shows the overlay part present in the file. It also carries the Nullsoft signature. FormBook most\r\nlikely uses it to bypass anti-viruses and to load or extract the code/files present in the overlay section, which are\r\npacked using the Nullsoft installer.\r\nFigure 11\r\nWe further extracted the hidden files present in our malicious executable, as shown in Figure 12; these are dropped\r\nby the file when it is executed and used accordingly. There are three more files present in our malicious\r\nexecutable: one is the DLL “jnjvrzet.dll”, which is present in the folder named $PLUGINSDIR; the second is\r\nthe .nsi file, which is the NSIS script that controls how these files are extracted and used, as mentioned above. 
The\r\nthird file is “6ce1nlzjaolgh5df”, which is LZMA-compressed and also encrypted, and is most probably an\r\nexecutable or DLL and the main payload.\r\nFigure 12\r\nFigure 13 and Figure 14 show the hexdump corresponding to the DLL “jnjvrzet.dll” and the file “6ce1nlzjaolgh5df”.\r\nFigure 13\r\nFigure 14\r\nFigure 15\r\nFigure 16\r\nFigure 15 and Figure 16 show snippets of the .nsi script corresponding to the Nullsoft Installer, which controls the process of\r\nextracting these embedded files and how they are used for further exploitation. It accesses various folders, creates\r\nfiles, copies them, performs initialization, etc.\r\nWe further checked the extracted DLL file “jnjvrzet.dll”, as shown below in Figure 17. It is a Windows 32-bit DLL.\r\nWe checked it through different anti-virus engines and found it to be malicious; they categorized it mainly as a\r\ntrojan, as shown in Figure 18.\r\nFigure 17\r\nFigure 18\r\nFigure 19\r\nThe imported libraries corresponding to the extracted DLL are shown in Figure 19 above. The presence of\r\nws2_32.dll and wsnmp32.dll indicates that our extracted DLL is responsible for handling and managing network\r\nconnections. Setupapi.dll is also quite important, as it is used for setting up and installing applications, meaning\r\nthe extracted DLL also helps in installing or setting up other malicious files for execution, most probably the\r\nmain payload.\r\nFigure 20\r\nFigure 20 above shows the APIs/functions imported by our extracted DLL. 
The DLL also has the following\r\ncapabilities in addition to the capabilities we mentioned for our malicious executable:\r\n1. Capability to deactivate/sleep to hide its functionality, or to wait for a trigger before continuing\r\n2. Capability to manage network connections\r\n3. File handling, searching and manipulation capability\r\n4. Capability to handle critical sections/locks to manage shared resources\r\n5. Capability to access thread local storage and to handle multiple threads\r\n6. Several anonymous functions whose validity or usage is not yet confirmed\r\n7. Anti-debugging capability\r\nFigure 21\r\nFigure 21 above shows the processes spawned by the malicious executable when it runs. It starts and\r\ncreates various processes and threads, loads various system libraries, and accesses many registry entries.\r\nList of IOCs\r\nMitre Attack Tactics and Techniques\r\nSource: https://www.cyfirma.com/outofband/formbook-malware-technical-analysis/\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cyfirma.com/outofband/formbook-malware-technical-analysis/"
	],
	"report_names": [
		"formbook-malware-technical-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/653654829df7f9b1e1c4009f4948e9bb8370ac2d.pdf",
		"text": "https://archive.orkl.eu/653654829df7f9b1e1c4009f4948e9bb8370ac2d.txt",
		"img": "https://archive.orkl.eu/653654829df7f9b1e1c4009f4948e9bb8370ac2d.jpg"
	}
}