{
	"id": "631089a2-d280-4d2a-be27-46488a274d1c",
	"created_at": "2026-04-06T00:11:53.744574Z",
	"updated_at": "2026-04-10T03:22:50.138382Z",
	"deleted_at": null,
	"sha1_hash": "dc22dd805087095aa47e0467a57176699022a48a",
	"title": "Infostealer Malware FormBook Spread via Phishing Campaign – Part I | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8429762,
	"plain_text": "Infostealer Malware FormBook Spread via Phishing Campaign – Part I | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2025-04-22 · Archived: 2026-04-05 21:31:01 UTC\r\nFortinet’s FortiGuard Labs observed a phishing campaign in the wild that delivered a malicious Word document as an attachment. This document contained crafted data designed to exploit the vulnerability CVE-2017-11882. After conducting an in-depth analysis, I discovered that the campaign was spreading a new variant of Formbook.\r\nFormbook is information-stealing malware targeting Windows users. It steals sensitive data from compromised systems, including stored credentials from popular software, the victim’s keystrokes, screenshots, and system clipboard data.\r\nI will present my research into this malware in a series of analysis blogs. This first one provides insights into how the phishing email tricks the recipient into opening the attached Word document, how it exploits the vulnerability CVE-2017-11882 with crafted equation data, how it downloads and decrypts the fileless FormBook executable, and how it ultimately executes the FormBook malware in a selected target process via process hollowing.\r\nPhishing Email Initialization\r\nhttps://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign-part-i\r\nPage 1 of 14\r\nFigure 1: Example of the phishing email\r\nThe phishing campaign starts with an email disguised as a sales order urging the recipient to open the attached Word document. As shown in Figure 1, FortiMail has flagged the email as “[virus detected]” in the Subject line to warn the recipient.\r\nFigure 2: Inner view of the Word document\r\nThe attached Word document, order0087.docx, is saved in OOXML (Office Open XML) format and compressed as a ZIP archive. 
Figure 2 reveals the relevant files and file contents inside the Word document.\r\nWhen the recipient opens the Word document, the “\u003cw:altChunk\u003e” node within document.xml is parsed, automatically loading an external file, “Algeria.rtf,” as shown in Figure 2.\r\nExploiting CVE-2017-11882\r\nThe RTF file (“Algeria.rtf”) is obfuscated with a large amount of junk data. After de-obfuscating the RTF file, two embedded binary objects (each introduced by an “\\objdata” tag) can be found within it.\r\nThe first binary object is a package containing a 64-bit DLL file, as shown in Figure 3. The DLL file, named “AdobeID.pdf,” is extracted to the system %temp% folder when the RTF is opened in Microsoft Word.\r\nFigure 3: A 64-bit DLL file contained in the RTF file\r\nThe second binary object is in OLE format and contains crafted equation data intended for Microsoft Equation Editor 3.0. When Word parses the RTF file, this exploits the CVE-2017-11882 vulnerability.\r\nCVE-2017-11882 is a known remote code execution (RCE) vulnerability in Microsoft Equation Editor (EQNEDT32.EXE).\r\nFigure 4: The extracted equation data from the RTF file\r\nParsing the crafted equation data in EQNEDT32.EXE causes a buffer overflow, and the return address of the vulnerable function is overwritten with 0x430C12, as seen in Figure 4.\r\nThe instruction at 0x430C12 is “call ds:WinExec(),” which is reached after the buffer overflow occurs and the vulnerable function returns to this address. Figure 5 shows a screenshot of EQNEDT32.exe calling this API at 0x430C12.\r\nFigure 5: WinExec() API about to be called\r\nThe command-line parameter to the WinExec() API is “CmD.exe /C rundll32 %tmp%\\AdobeID.pdf,IEX  A”. 
This command is copied by the vulnerable function from the crafted equation data, as shown in Figure 4. As a result, the extracted 64-bit DLL file, AdobeID.pdf, is executed by rundll32.exe.\r\nDissecting the Extracted 64-bit DLL File\r\nBased on my analysis, the 64-bit DLL acts as a downloader and installer for Formbook. Let’s examine how it works.\r\nPersistence Mechanism\r\nIt adds an entry under “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,” with the following settings:\r\nKey name: “RtkAudUService”\r\nKey value: “C:\\Windows\\System32\\rundll32.exe C:\\Users\\win-10\\AppData\\Roaming\\Templates\\AdobeID.pdf,IEX”\r\nThis ensures the malicious command line executes automatically at system startup. Figure 6 shows the added auto-run item in the system registry.\r\nFigure 6: Registry entry for persistence\r\nCorrespondingly, it:\r\n1\u003e Creates a folder named “Templates” under the %appdata% folder.\r\n2\u003e Copies the extracted 64-bit DLL into the new folder by executing the following command line:\r\n  “cmd.exe /c copy C:\\Users\\%username%\\AppData\\Local\\Temp\\AdobeID.pdf C:\\Users\\%username%\\AppData\\Roaming\\Templates”\r\nFormBook Payload Download\r\nThe Formbook payload is disguised as a picture file (PNG) to be downloaded. The URL to the PNG file is:\r\n “hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215.png”\r\nTo retrieve the payload, it uses multiple Windows API functions, including:\r\nWinHttpCrackUrl(),\r\nWinHttpOpen(),\r\nWinHttpConnect(),\r\nWinHttpOpenRequest(),\r\nWinHttpSendRequest(),\r\nWinHttpQueryOption(),\r\nWinHttpReceiveResponse(),\r\nWinHttpQueryDataAvailable(),\r\nWinHttpReadData()\r\nPayload Analysis\r\nI manually downloaded the PNG file to analyze it. Its size is 0x47000 (284KB). 
I then observed that its content is encrypted rather than a legitimate PNG (Figure 7).\r\nFigure 7: The encrypted content of the downloaded “PNG” file\r\nThe malware then calls a function to decrypt the PNG file into the FormBook executable binary, as seen in Figure 8. The decrypted FormBook can be seen in memory at the bottom of the figure.\r\nThe decryption key is generated from a hardcoded string, “H1OX2WsqMLPKvGkQ.”\r\nFigure 8: Decrypted FormBook executable in memory\r\nPerforming Process Hollowing\r\nTo evade detection by endpoint security software, the FormBook payload executable is kept entirely in memory. Since it does not write the decrypted Formbook to a local file in order to execute it, this is a fileless variant of FormBook.\r\nTarget Process\r\nThis variant of FormBook chooses “C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe” as the target process in which to run the decrypted FormBook via process hollowing.\r\nThe full path of the target process is hardcoded in the variant and is passed to the CreateProcessInternalW() API. In Figure 9 below, we see that the process is about to call the CreateProcessInternalW() API, whose second parameter (held in RDX) is a string with the full path of the target process. The sixth parameter ([rsp+30]) is the CreationFlags value.
\r\nFigure 9: About to create a suspended target process\r\nThe value of CreationFlags is 0x808040C, which is a combination of the following flags:\r\nCREATE_SUSPENDED\r\nDETACHED_PROCESS\r\nCREATE_UNICODE_ENVIRONMENT\r\nCREATE_NO_WINDOW\r\nThis ultimately creates a suspended “ImagingDevices.exe” process.\r\nMapping FormBook to the Target Process\r\nThe malware employs sophisticated process injection techniques:\r\nIt creates a temporary and invisible file by calling two APIs:\r\nGetTempFileNameW()\r\nNtCreateFile()\r\nIt then calls NtWriteFile() to write the decrypted FormBook executable into the invisible temporary file.\r\nFigure 10: Decrypted FormBook written to a hidden temporary file\r\nNext, it calls the NtCreateSection() API to create a memory section object backed by the temporary file, whose file handle is passed to the API. It then maps the section object into the target process (ImagingDevices.exe) by calling the Windows native API NtMapViewOfSection(), which also returns the address of the mapped FormBook inside the target process.\r\nAt that point, the decrypted FormBook has been copied into the target process.\r\nRunning FormBook\r\nNext, it calls the Wow64GetThreadContext() API to retrieve the thread context (the CPU register values/state) of the suspended target process. 
It then modifies the values of some registers so that the target process points to the mapped FormBook.\r\nThe corresponding API, Wow64SetThreadContext(), is then called to apply the modified registers to the target process.\r\nFigure 11: FormBook about to call the Wow64SetThreadContext() API\r\nFigure 11 shows the WOW64_CONTEXT data in memory. It only modifies two register values: EAX to 0x6E1550 and EBX to 0x2D0D0.\r\nWhy does it only modify those two registers rather than EIP? The selective modification of only EAX and EBX becomes clear when examining the target process’s suspended state. The process has been intercepted at the execution of RtlUserThreadStart(), where EAX holds the thread function address and EBX contains the parameter to be passed to this thread function.\r\nNow, the value of EAX holds the entry point of FormBook inside the target process, where FormBook’s base address is 0x6E0000.\r\nIt finally calls the Windows native API NtResumeThread() to resume the target process, and RtlUserThreadStart() is invoked to run the FormBook payload in the newly created thread.\r\nSummary\r\nIn this first part of the blog series on the FormBook malware, I presented the entire process, from the phishing email to how the FormBook payload is downloaded, decrypted, and deployed in a targeted process.\r\nFigure 12: Workflow diagram of this FormBook campaign\r\nTo start, I presented the phishing email we discovered that was designed to trick recipients into opening a fake sales order attachment. Once the attached Word document is opened on the targeted device, it extracts a 64-bit DLL file, disguised as “AdobeID.pdf,” into the system’s temporary folder. 
At the same time, it exploits the CVE-2017-11882 vulnerability in Microsoft Equation Editor 3.0 to execute the extracted DLL.\r\nThe DLL file is launched via rundll32.exe and establishes persistence on the victim’s system by adding an auto-run item to the system registry. Additionally, it downloads and decrypts the FormBook executable file.\r\nI then provided a detailed explanation of how the decrypted FormBook payload is deployed in a target process (C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe) through process hollowing, as well as the Windows-native APIs it calls to accomplish this task.\r\nIn Part II of this series, I will present the anti-analysis techniques used in this variant of FormBook and how FormBook leverages the Heaven’s Gate technique to prevent analysis and detection. I’ll also cover how it collects sensitive data from the compromised device, its communications with its command and control (C2) server, and the specific C\u0026C commands it uses to control the victim’s system. 
Stay tuned.\r\nFortinet Protections\r\nFortinet customers are already protected from this campaign with FortiGuard’s AntiSPAM, Web Filtering, IPS, and AntiVirus services as follows:\r\nThe FortiGuard Anti-Botnet Service has blocked the DNS requests for downloading the FormBook variant.\r\nThe relevant URL for downloading the PNG file is rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nFortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing provided by FortiSandbox, embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions, provides advanced protection against both known and unknown phishing attempts.\r\nThe FortiGuard IPS service detects the vulnerability exploit against CVE-2017-11882 with the signature “MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption”.\r\nThe FortiGuard Antivirus service detects the malicious Word document, the embedded RTF file, the extracted 64-bit DLL file, as well as the decrypted FormBook, with the following AV signatures:\r\nMSWord/Formbook.9184!tr\r\nRTF/CVE_2017_11882.FB!exploit\r\nW64/Formbook.RT!tr\r\nW32/Formbook.AA!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each solution. 
As a result, customers who have these products with up-to-date protections are already protected.\r\nTo stay informed of new and emerging threats, you can sign up to receive future alerts.\r\nWe also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.\r\nIOCs\r\nURLs\r\nhxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215.png\r\nRelevant Sample SHA-256\r\n[order0087.docx]\r\n93CF566C0997D5DCD1129384420E4CE59764BD86FDABAAA8B74CAF5318BA9184\r\n[Algeria.rtf]\r\n7C66E3156BBE88EC56294CD2CA15416DD2B18432DEEDC024116EA8FBB226D23B\r\n[AdobeID.pdf]\r\n2E73B32D2180FD06F5142F68E741DA1CFF1C5E96387CEBD489AD78DE18840A56\r\n[Decrypted FormBook from PNG file]\r\n6AC778712DFFCE48B51850AC34A846DA357BE07328B00D0B629EC9B2F1C37ECE\r\nSource: https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign-part-i",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign-part-i"
	],
	"report_names": [
		"infostealer-malware-formbook-spread-via-phishing-campaign-part-i"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775791370,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc22dd805087095aa47e0467a57176699022a48a.pdf",
		"text": "https://archive.orkl.eu/dc22dd805087095aa47e0467a57176699022a48a.txt",
		"img": "https://archive.orkl.eu/dc22dd805087095aa47e0467a57176699022a48a.jpg"
	}
}