{
	"id": "df2eb197-07e1-4f07-b5ce-57bad6b51128",
	"created_at": "2026-04-06T00:17:50.377176Z",
	"updated_at": "2026-04-10T13:12:15.127619Z",
	"deleted_at": null,
	"sha1_hash": "bf5db655939a403b94789e46e6bd016af887ff19",
	"title": "FormBook Adds Latest Office 365 0-Day Vulnerability CVE-2021-40444 to Its Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1071813,
	"plain_text": "FormBook Adds Latest Office 365 0-Day Vulnerability CVE-2021-40444\r\nto Its Arsenal\r\nBy Trend Micro\r\nPublished: 2021-09-29 · Archived: 2026-04-05 22:08:41 UTC\r\nTrend Micro detected a new campaign using a recent version of the known FormBook malware, an infostealer that has been\r\naround since 2016. Several analyses have been written about FormBook in the last few years, including the expanded\r\nsupport for macOS. FormBook is known for highly obfuscated payloads and for exploiting document CVEs. Until\r\nrecently, FormBook mostly exploited CVE-2017-0199, but newer FormBook variants use the recent\r\nOffice 365 zero-day vulnerability, CVE-2021-40444.\r\nExploit description\r\nFormBook authors rewrote parts of the original exploit, taking as their initial codebase the one that we and Microsoft\r\nobserved deploying Cobalt Strike beacons. The exploited vulnerability is CVE-2021-40444. However,\r\nsince the vulnerability itself has already been analyzed, here we focus on describing some of the unique\r\nchanges made by FormBook.\r\nFormBook uses a different “Target” format inside “document.xml.rels.” Figure 1 shows the new format on the right side.\r\nThis is possible because the options “mhtml” and “!x-usc” are not required to exploit the vulnerability. The new format is\r\nintended to bypass detections that use the mentioned “Target” options as indicators of exploitation.\r\nFigure 1. The “Target” URL format: The previous samples are on the left, while those used by FormBook are\r\non the right.\r\nEven when the URL is scrambled using directory traversal paths and empty options for Target (the consecutive “!:” are\r\nempty options), the vulnerability is still exploited, and Word still sends a request to the server, as shown by the selected packet in the network capture in Figure 2.\r\nhttps://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html\r\nPage 1 of 5\n\nFigure 2. Network capture of a FormBook document sample\r\nOne of the changes introduced to the exploit by FormBook was an obfuscation mechanism. Figure 3 shows an obfuscated\r\nsection of the FormBook exploit.\r\nFigure 3. FormBook exploit obfuscation\r\nAs previously mentioned, FormBook creators rewrote parts of the original exploit, which was based on the code\r\ndisclosed by us and Microsoft. FormBook added two calls to a function implementing an anti-debugging technique\r\ncommonly used to protect JavaScript code from being reverse-engineered. Figure 4 displays the mentioned function.\r\nFigure 4. FormBook exploit JavaScript anti-debugging\r\nWhen the developer tools of a browser are open, the execution of the f() function will open a new virtual machine (VM)\r\nwindow that contains an anonymous function with a debugger statement. This shifts the focus from the source code\r\nwindow to the new VM window containing the anonymous function. Stepping through the JavaScript code\r\nrepeatedly executes the anonymous function, so every step hits the debugger statement again, which prevents\r\ndebugging of the JavaScript code.\r\nAttack chain description\r\nBased on our analysis, the campaign used an email with a malicious Word document attachment as the entry vector. In this\r\nattack, two layers of PowerShell scripts were used to deliver the known FormBook malware. This version of FormBook is\r\nthe same as previous versions; however, some specific changes were introduced in the attack chain. 
The final FormBook\r\nmalware delivered in this campaign matched the ones used in earlier campaigns and analyzed by other researchers.\r\nThat sample also corresponds to FormBook version 4.1, which we found after decrypting the command-and-control (C\u0026C)\r\nchannel information. This can be seen in Figure 5.\r\nFigure 5. FormBook decrypted beacon\r\nFor this specific campaign, the attack chain is depicted in Figure 6.\r\nFigure 6. Simplified attack chain diagram\r\nFigure 6 shows how FormBook implemented two PowerShell script stages. The first stage downloads the second one, which\r\nis stored as an attachment hosted on Discord. We have recently noticed an increase in the malicious use of files uploaded to\r\nthis service, with the intent of bypassing network protection.\r\nFigure 7 shows an example of the PowerShell script in the first stage:\r\nFigure 7. PowerShell stage one\r\nThe example in Figure 6 downloads the next stage from Discord (with the URL itself being obfuscated). The URL is in the\r\nfollowing format:\r\nhxxps://cdn[.]discordapp[.]com/attachments/889336010087989260/889336402121199686/avatar.jpg\r\nThe attachment from Discord is the second PowerShell layer, encoded in Base64. This layer contains all the components required\r\nto run the FormBook malware.\r\nFigure 8 shows an example of the second PowerShell layer.\r\nFigure 8. PowerShell second stage.\r\nAs Figure 8 shows, the value of the variable “$decompressedByteArray” holds the “.NET” injector, and the value of the\r\nvariable “$INICAYLA” holds the FormBook malware itself. 
In this campaign, the method of injecting the malware into the\r\nCalculator process differs from previous analyses, but only because obfuscation was applied to the\r\n“.NET” injector.\r\nThe samples of the FormBook malware we obtained are identical to those from previous incidents, so we do not discuss them here.\r\nConclusions\r\nOver the last couple of years, we have seen an increase in the use of public services to host malware. Nowadays, there are\r\ncountless ways to establish malware infrastructure simply by using public services. Public services offer attackers multiple benefits:\r\nNo extra service rental or maintenance is required.\r\nThe URLs look like normal URLs to any scanning device or software.\r\nIn some cases, it is possible to generate practically “random” URLs.\r\nTraffic is encrypted (HTTPS) by default.\r\nAccess to resources (such as samples and files) is automatically protected.\r\nAt the same time, we have seen an increase in the quality of tools for automatically generating obfuscated samples,\r\noffered by various malware-as-a-service (MaaS) operations.\r\nThe combination of these two factors makes attackers very resilient to detection during the first days of delivery when reusing\r\nrecently disclosed zero-day vulnerabilities, as in this case. This incident also highlights the importance of patching zero-day vulnerabilities urgently. Notably, Microsoft already released a fix for this vulnerability as part of the September 2021\r\nPatch Tuesday cycle.\r\nFor increased protection, Trend Micro Vision One™ spots suspicious behaviors that might seem insignificant when\r\nobserved from only a single layer. Meanwhile, Trend Micro Apex One™ protects endpoint devices through\r\nautomated threat detection and response against ransomware, fileless threats, and other advanced concerns. 
\r\nSource: https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html"
	],
	"report_names": [
		"formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf5db655939a403b94789e46e6bd016af887ff19.pdf",
		"text": "https://archive.orkl.eu/bf5db655939a403b94789e46e6bd016af887ff19.txt",
		"img": "https://archive.orkl.eu/bf5db655939a403b94789e46e6bd016af887ff19.jpg"
	}
}