{
	"id": "2e6221c3-d54e-442f-bc15-6c64f9628b20",
	"created_at": "2026-04-06T00:22:08.079509Z",
	"updated_at": "2026-04-10T03:20:42.11531Z",
	"deleted_at": null,
	"sha1_hash": "e69610d875b0dd6e0592fc1894ca6333c87314d9",
	"title": "Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1560015,
	"plain_text": "Deep Analysis: FormBook New Variant Delivered in Phishing\r\nCampaign – Part II | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2021-04-21 · Archived: 2026-04-05 22:00:50 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected platforms: Microsoft Windows \r\nImpacted parties:    Windows Users\r\nImpact:                    Collect Sensitive Information from Victim’s Devices\r\nSeverity level:          Critical\r\nThis is part II of a threat analysis series examining a phishing campaign that FortiGuard Labs captured in our\r\nSPAM monitoring system. The sample we captured was attempting to deliver “FormBook” malware through a\r\nPowePoint document attached to an email. FormBook is a malware designed to steal sensitive information from a\r\nvictim’s device as well as to receive control commands to perform additional malicious tasks on that device. \r\nIn the Part I of my analysis, I explained how the VBA code in the PowerPoint file was used to download a\r\nPowerShell file, how it extracts a .Net framework file, and how the FormBook payload file is processed through\r\nthree .Net modules.\r\nIn this second part, we will examine what anti-analysis techniques FormBook performs, what Windows processes\r\nit focuses on, and how the FormBook malware running inside AddInProcess32.exe injects itself into a randomly-picked Window process. Furthermore, we will see how FormBook injects itself into a number of target processes\r\nthrough the Windows process.\r\nPayload File Runs in “AddInProcess32.exe”\r\nAs mentioned in part I of this analysis, a FormBook payload is injected into a newly-created process,\r\n“AddInProcess32.exe”, and the relevant registers are set to point to the entry of the injected FormBook. 
After that,\r\nthe entry point is called after executing the API ResumeThread() by the AMe8 module—which is the point that I\r\nwill start from in this post.\r\nThe payload file of the FormBook malware is a 32-bit native code PE file (an EXE file), not a .Net module.\r\nFigure 1.1 is a screenshot of the entry point function of FormBook.\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii\r\nPage 1 of 14\n\nFigure 1.1 - The entry point function of the FormBook malware\r\nConfiguration Object and Anti-Analysis Techniques\r\nConfiguration Object:\r\nBefore discussing the FormBook main module, I need to introduce a global configuration object (“ConfigObj”) or\r\nconfiguration block, which is frequently read and written throughout the entire FormBook malware. It occupies\r\n0xC9C bytes and contains many configuration options, such as:\r\nthe base addresses of FormBook and many DLL modules (ntdll.dll, kernel32.dll, advapi32.dll, etc.)\r\nencrypted DLL names like “kernel32.dll” and “advapi32.dll”, etc.\r\na “flag group” revealing whether FormBook is running on an analysis device\r\nmany encrypted blocks with string hash codes for retrieving APIs\r\nflags revealing if it is on a 32-bit or 64-bit platform\r\nmany API addresses (ExitProcess(), CreateProcessInternalW(), etc.)\r\nand so on\r\nFigure 2.1 is a screenshot of part of the ConfigObj in a memory view that had just been initialized.\r\nFigure 2.1 - Memory view of part of ConfigObj\r\nAnti-analysis Techniques Used by FormBook:\r\n1. Imported APIs are hidden:\r\nFigure 2.2 – Example of hidden APIs with their hash codes\r\nAll APIs are hidden from analysts in FormBook. They are retrieved by a special function with the APIs’ name\r\nhash code. 
Some hash codes are given as constant values and some are decrypted from ConfigObj.\r\nAs you can see, the code segment shown in Figure 2.2 is an example of obtaining two APIs via the renamed\r\nfunction get_API_by_name_hashcode() with their names’ hash codes, which are 0C84882B8h =\u003e\r\nCoCreateInstance() and 44E954F9h =\u003e CreateDirectoryW().\r\n2. Duplicating the ntdll.dll module:\r\nntdll.dll is the kernel layer DLL on Windows that provides NT kernel APIs. FormBook deploys a duplicated\r\nntdll.dll in its memory and uses it, instead of the original one, to provide the kernel API functions, which prevents researchers from\r\nidentifying the APIs. Figure 2.3 shows the duplicated ntdll.dll (0x810000) at the top and the originally-loaded\r\nntdll.dll (0x77140000) at the bottom.\r\nFigure 2.3 – The duplicated ntdll.dll in Memory Map view\r\n3. Detecting whether it is running in an analysis environment:\r\nFormBook compares predefined hash codes in a list that is decrypted from ConfigObj with each running process\r\nname’s hash code. 
It calls the API ZwQuerySystemInformation() with the parameter SystemProcessInformation to\r\ngather information about all running processes into a linked structure.\r\nIt then calculates each process name’s hash code one by one and compares it against those predefined hash codes.\r\nThe process names corresponding to the predefined hash codes belong to VMware, Virtual Box, Sandboxie, Parallels\r\nDesktop, and other analysis tools for monitoring files, processes, and network and system registry events.\r\nFollowing is a list of those processes.\r\nvmwareuser.exe, vmwareservice.exe, VBoxService.exe, VBoxTray.exe, sandboxiedcomlaunch.exe,\r\nsandboxierpcss.exe, procmon.exe, filemon.exe, wireshark.exe, NetMon.exe, prl_tools_service.exe, prl_cc.exe,\r\nvmtoolsd.exe, vmsrvc.exe, vmusrvc.exe, python.exe, perl.exe, regmon.exe\r\nIt also records any match results as a flag in the “flag group” of ConfigObj.\r\n4. Detecting file names, user names, path:\r\nIt then calculates the hash codes of strings that are retrieved from the current process name (the process name may be\r\nrenamed by researchers), user names (well-known sandboxes use fixed user names), and the list of split strings of\r\nloaded modules’ path strings (analysis tools’ modules). It then checks these hash codes against the predefined hash\r\ncodes in FormBook. The result affects the “flag group”.\r\n5. Detect any debuggers:\r\nNext, it retrieves the API ZwQueryInformationProcess() from the duplicated ntdll.dll and calls it with different\r\nparameters to obtain SystemKernelDebuggerInformation data, which is used to check for a kernel debugger, and\r\nProcessDebugPort data, which is used to identify a ring3 debugger. Figure 2.4 displays the two parameters used to obtain\r\ndebugger information.\r\nFigure 2.4 – Detecting the Kernel and Ring3 debugger\r\n6. 
Detect the time gap from executing instructions:\r\nThis detection has been disabled in this variant. It is used to determine if FormBook is being debugged by\r\nchecking whether the time gap between executing ASM instructions is \u003e 300h (it should be less than 300h). It has hardcoded the\r\nvalue to 50h to disable this detection. It also records the result in the “flag group” in ConfigObj.\r\n7. Encrypted key functions:\r\nThere are five segments of key functions that are encrypted, and they are decrypted before being injected into the target\r\nprocesses. The five segments are identified by five magic codes, which are 48909090h, 49909090h, 4A909090h,\r\n4B909090h, and 4C909090h.\r\n8. Using many undocumented APIs:\r\nFormBook uses many low-level undocumented APIs, such as LdrGetProcedureAddress(), LdrLoadDll(),\r\nZwOpenProcessToken(), ZwAdjustPrivilegesToken(), NtOpenProcessToken(), ZwReadVirtualMemory(),\r\nRtlQueryEnvironmentVariable(), RtlDosPathNameToNtPathName_U(), ZwDelayExecution(),\r\nZwQueueApcThread(), and so on.\r\nThe so-called “Undocumented API” simply means the API is hidden from Windows users. You are unable to find\r\nany official description for the API on MSDN.\r\nThere is a special function to check the result in the “flag group” that is set by some detections. Once one detection is\r\ntriggered, it returns 0, otherwise it returns 1.  Below is the pseudocode of this function, whose parameter is the\r\nConfigObj. 
The flag group occupies the bytes from offset 40 (0x28) to 55 (0x37).\r\nint __cdecl sub_407D50(unsigned char* pConfigObj)\r\n{\r\n    // Returns 1 only if every checked flag byte holds its expected value; otherwise returns 0.\r\n    return !*(pConfigObj + 41) \u0026\u0026 *(pConfigObj + 42) \u0026\u0026 *(pConfigObj + 43)\r\n        \u0026\u0026 !*(pConfigObj + 44) \u0026\u0026 !*(pConfigObj + 45) \u0026\u0026 *(pConfigObj + 46)\r\n        \u0026\u0026 !*(pConfigObj + 47) \u0026\u0026 *(pConfigObj + 48) \u0026\u0026 !*(pConfigObj + 49)\r\n        \u0026\u0026 *(pConfigObj + 50) \u0026\u0026 !*(pConfigObj + 51);\r\n}\r\nIf the result of the function is 0, it then exits the process without doing anything.\r\nYou cannot simply change the result (from 0 to 1) here to ignore detection and change the code flow. The reason is\r\nthat in the next step, the “flag group” (10H long) is used as an RC4 seed to generate RC4 keys that finally decrypt\r\nother data, like module names such as “kernel32.dll” and “advapi32.dll”. It could also fail to load these modules if\r\nthe “flag group” is wrong.\r\nThe Outline of FormBook’s Tasks\r\nFigure 3.1 – Outline of what FormBook does on a victim’s device\r\nFigure 3.1, above, outlines most FormBook actions that are performed on a victim’s device. FormBook’s\r\nAddInProcess32.exe executable injects itself into a newly-created Windows process (like ipconfig.exe) that is\r\ncreated through Explorer.exe (steps 1, 2, and 3). 
Then, once FormBook is inside the Windows process, it injects\r\nmalicious code into target processes (FormBook focuses on 92 different target processes in total, including\r\n“iexplore.exe”, “chrome.exe”, “skype.exe”, “outlook.exe”, “whatsapp.exe”, and so on) from which it steals\r\nvictim inputs and clipboard data from time to time (step 4).\r\nIt also uses a large, shared memory section for storing stolen data gathered from the FormBook instance running\r\ninside target processes and the FormBook instance running in a Windows process (step 5).\r\nThe stolen data is then sent to its C2 server via the FormBook instance running inside “Explorer.exe” (step 6).\r\nI will elaborate on how it performs these actions in the rest of this blog.\r\nDeploy FormBook Into a Windows Process via Explorer.exe\r\nThe FormBook payload running inside AddInProcess32.exe looks for Explorer.exe by comparing the hash codes\r\nof running processes’ names, which it obtains by calling the API ZwQuerySystemInformation() with the\r\nparameter 0x5 (SystemProcessInformation).\r\nThe hash code of explorer.exe is 19996921h. Figure 4.1 is an ASM code snippet showing\r\nhow FormBook finds explorer.exe by comparing its hash code with the hash code of other processes through a\r\nfunction that I call match_hashcode().\r\nOnce explorer.exe is matched, the function returns 1 and FormBook proceeds to the next step. Otherwise, it\r\nretrieves the next running process name to match in a loop.\r\nFigure 4.1 – Code snippet comparing the explorer.exe hash code\r\nNext, FormBook opens the process handle of Explorer.exe, allocates memory in it, and then copies the entire\r\nFormBook payload into that Explorer.exe memory. 
It then proceeds to execute FormBook from a different entry\r\npoint within a newly-started thread of Explorer.exe.\r\nTo do this, it calls a number of APIs, including ZwOpenProcess(), ZwCreateSection(), ZwMapViewOfSection(),\r\nZwOpenThread(), ZwSuspendThread(), ZwGetContextThread(), ZwSetContextThread(), and ZwResumeThread().\r\nThe logic and features of the FormBook instance injected into Explorer.exe are very clear and simple: it runs a\r\nrandomly selected Windows process (located in %Windir%\\system32\\) in suspended mode and returns the\r\nprocess status and information.\r\nThe Windows process name list is encrypted within ConfigObj (starting at offset +6Bh), and a name is picked by its index.\r\nIt has thirty-eight such Windows process names in total (the string index range is from 0x3 to 0x29), which are\r\ndecrypted and listed below:\r\n\"svchost.exe\", \"msiexec.exe\", \"wuauclt.exe\", \"lsass.exe\", \"wlanext.exe\", \"msg.exe\", \"lsm.exe\", \"dwm.exe\",\r\n\"help.exe\", \"chkdsk.exe\", \"cmmon32.exe\", \"nbtstat.exe\", \"spoolsv.exe\", \"rdpclip.exe\", \"control.exe\",\r\n\"taskhost.exe\", \"rundll32.exe\", \"systray.exe\", \"audiodg.exe\", \"wininit.exe\", \"services.exe\", \"autochk.exe\",\r\n\"autoconv.exe\", \"autofmt.exe\", \"cmstp.exe\", \"colorcpl.exe\", \"cscript.exe\", \"explorer.exe\", \"WWAHost.exe\",\r\n\"ipconfig.exe\", \"msdt.exe\", \"mstsc.exe\", \"NAPSTAT.EXE\", \"netsh.exe\", \"NETSTAT.EXE\", \"raserver.exe\",\r\n\"wscript.exe\", \"wuapp.exe\", \"cmd.exe\".\r\nFigure 4.2 – Display of one decrypted Windows process in Explorer.exe\r\nFigure 4.2 shows its random function and decryption function, as well as a just-decrypted Windows process\r\nnamed “ipconfig.exe”, with the random string index 0x20. 
I will use ipconfig.exe to explain how FormBook\r\nworks with a Windows process.\r\nIt first calls the API CreateProcessInternalW() with the ipconfig.exe full path and a dwCreationFlags parameter of\r\n0x800000C, which means “CREATE_NO_WINDOW|CREATE_SUSPENDED|DETACHED_PROCESS”. This\r\nstarts ipconfig.exe with no window and in suspended mode.\r\nThe FormBook instance in Explorer.exe will continue to collect the process information of ipconfig.exe (such as\r\nits full path, the process ID, the thread ID, loaded base address, etc.) and return them to FormBook in\r\nAddInProcess32.exe. At this point, the work of FormBook inside Explorer.exe is done.\r\nWhy doesn’t it run the Windows process directly, rather than through Explorer.exe? In some analysis tools, doing\r\nit this way shows that the Windows process (ipconfig.exe) was started from Explorer.exe, the same as normal\r\nprocesses started by the victim. This helps FormBook hide itself from analysts as well as the victim. Another trick it uses is\r\nthat the processes are all Windows default processes, which makes it less likely for users and analysts to connect them\r\nto malware. As you can see in Figure 4.3 taken from the Explorer process, ipconfig.exe is recognized under\r\nexplorer.exe, which is the same as other processes, such as “notepad.exe” and “calc.exe”, which I opened by\r\ndouble clicking their icons.\r\nFigure 4.3 – ipconfig.exe is recognized under explorer.exe\r\nFormBook in AddInProcess32.exe then obtains the process information of the suspended ipconfig.exe that is\r\nreturned from Explorer.exe. It is then able to copy the FormBook payload file into ipconfig.exe and modify its\r\nmain thread’s entry point code to the new entry point of the injected FormBook. 
It eventually calls the API\r\nZwResumeThread() to resume ipconfig.exe in order to execute FormBook’s malicious code. At the same time, it\r\ncalls ExitProcess() to terminate the lifetime of the FormBook instance injected into AddInProcess32.exe.\r\nFormBook in Windows Process is Injected Into Target Processes\r\nThe injected FormBook instance running in a Windows process, like ipconfig.exe, takes control of maintaining\r\nits life on the victim’s device.\r\nFirst, it initializes its own ConfigObj and performs the detections that I explained earlier in the anti-analysis\r\nsection.\r\nIt is then time for FormBook to decrypt five key functions that will be called within target processes after\r\nFormBook has been injected into them. It has a magic code for each of these functions, which are 48909090h,\r\n49909090h, 4A909090h, 4B909090h, and 4C909090h.\r\nFormBook finds the encrypted code by searching for the magic codes in the entire code section and then decrypts\r\nit using an RC4 algorithm. The RC4 decryption key is generated from data in ConfigObj. Figure 5.1 shows the\r\nencrypted code for a key function for magic code 48909090h on the left side, and the decrypted code on the right\r\nside.\r\nFigure 5.1 – Display of both encrypted and decrypted code for a key function\r\nThe five decrypted key functions are used to perform C2 relevant work, like decrypting the C2 host strings,\r\nloading network APIs, and communicating with C2 servers, etc.\r\nA function in FormBook picks out target processes from the currently running processes, which it gathers by calling the API\r\nZwQuerySystemInformation() with the SystemProcessInformation parameter. It compares each process name’s hash\r\ncode with the predefined hash codes in FormBook that are saved in ConfigObj. 
Once a process’s hash code is\r\nmatched with a predefined hash code, it initiates a function to inject FormBook into the matched process and\r\nthen executes code from different entry points to set inline hooks for stealing data.\r\nFigure 5.2 shows pseudocode of the code flow structure of how FormBook filters a target process and calls a\r\nfunction to inject FormBook into that process once the process name matches a predefined hash code. FormBook\r\nperforms this check every five seconds to better cover newly opened target processes.\r\nFigure 5.2 – Pseudocode of the code-flow finding target processes\r\nThere are a total of 92 predefined target processes in this variant of FormBook, which has an encrypted hash code\r\nlist of process names saved in ConfigObj, starting at offset + 444h. I haven’t yet defined all of the target process\r\nnames by their hash codes. However, through my analysis, I have identified most of the products the target\r\nprocesses belong to. They can be divided into several categories based on their features, as shown below:\r\nWeb browsers:\r\nGoogle Chrome, Microsoft IE and Edge, Mozilla Firefox, Opera Browser, Apple Safari, Torch Browser, Maxthon\r\nBrowser, SeaMonkey Browser, Avant Browser, Comodo Dragon and IceDragon, K-Meleon Browser, BlackHawk\r\nBrowser, Cyberfox Browser, Vivaldi Browser, Lunascape Browser, Epic Browser, Midori Browser, Pale Moon\r\nBrowser, QtWeb Browser, Falkon Browser, UCBrowser, Waterfox Browser, and so on. 
\r\nEmail clients:\r\nMicrosoft Outlook, Pocomail, Opera Mail, Tencent Foxmail, IncMail, Mozilla Thunderbird, Google Gmail\r\nNotifier Pro, and so on.\r\nIM clients:\r\nYahoo Messenger, ICQ, Pidgin, Trillian, Microsoft Skype, Facebook WhatsApp, and so on.\r\nFTP clients:\r\nEstsoft ALFTP, NCH Classic FTP, Core Ftp, FAR Manager, FileZilla, FlashFXP, NCH Fling, FTP Voyager,\r\nWinSCP, and so on.\r\nOthers:\r\nWindows Notepad and “Explorer.exe”.\r\nThe detailed target processes are:\r\n\"iexplore.exe\", \"firefox.exe\", \"chrome.exe\", \"microsoftedgecp.exe\", \"opera.exe\", \"safari.exe\", \"torch.exe\",\r\n\"Maxthon.exe\", \"seamonkey.exe\", \"avant.exe\", \"dragon.exe\", \"icedragon.exe\", \"kmeleon.exe\", \"blackhawk.exe\",\r\n\"Cyberfox.exe\", \"Vivaldi.exe\", \"luna.exe\", \"Epic.exe\", \"Midori.exe\", \"palemoon.exe\", \"QtWeb.exe\",\r\n\"qupzilla.exe\", \"UCBrowser.exe\", \"Waterfox.exe\", \"notepad.exe\", \"explorer.exe\", \"outlook.exe\", \"poco.exe\",\r\n\"operamail.exe\", \"foxmail.exe\", \"incmail.exe\", \"thunderbird.exe\", \"Barca.exe\", \"gmailNotifierPro.exe\",\r\n\"yahoomessenger.exe\", \"icq.exe\", \"pidgin.exe\", \"Trillian.exe\", \"skype.exe\", \"WhatsApp.exe\", \"alftp.exe\",\r\n\"classicftp.exe\", \"coreftp.exe\", \"Far.exe\", \"filezilla.exe\", \"FlashFXP.exe\", \"fling.exe\", \"FTPVoyager.exe\",\r\n\"WinSCP.exe\".\r\nIt calls the API ZwOpenProcess() and then ZwCreateSection() to open a target process and then create a section of\r\nmemory in it. Next, it transfers the entire FormBook along with the decrypted five key functions into the section.\r\nIt then executes it from a new entry point within a newly-created thread in the target process. 
\r\nConclusion on Phishing Campaign\r\nIn this part II, I started my analysis from the point where the FormBook payload file is injected into the\r\nAddInProcess32.exe process. At first, I introduced an important data structure—Configuration Object—which\r\nholds the key configuration data that is used throughout FormBook for whatever it is injected into. I then\r\nelaborated on the anti-analysis techniques that FormBook performs, how it then selects a process from the thirty-nine Windows processes (like ipconfig.exe) it looks for, and then injects FormBook using Explorer.exe as a\r\nmiddle process. And finally, through my research on the hash codes of the process name, I was able to recover\r\nmost of the target processes that FormBook is interested in.\r\nIn the final part of this analysis, I will explain how FormBook establishes inline hooks on some APIs inside target\r\nprocesses, what kind of data it can steal from a victim’s device, how the stolen data is sent to the C2 server, what\r\nits control commands are able to do on a victim’s machine, as well as the strategy used to have various FormBook\r\ninstances work together across the Windows processes (ipconfig.exe), Explorer.exe, and target processes.\r\nFortinet Protections\r\nFortinet customers are already protected from this FormBook variant with FortiGuard’s Web Filtering and\r\nAntiVirus services, as follows:\r\nThe download URL launched from the PowerPoint sample is rated as \"Malicious Websites\" by the FortiGuard\r\nWeb Filtering service.\r\nThe attached PowerPoint file is detected as “VBA/FormBook.C393!tr” and the “item3.jpg” file is detected as\r\n\"MSIL/FormBook.ZXL!tr\" and blocked by the FortiGuard AntiVirus service.\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. 
The\r\nFortinet AntiVirus engine is a part of each of those solutions as well. As a result, customers who have these\r\nproducts with up-to-date protections are protected.\r\nIn addition, FortiSandbox is able to detect the PowerPoint sample as malicious.\r\nWe also suggest that our readers go through the free NSE training -- NSE 1 – Information Security Awareness,\r\nwhich has a module on Internet threats designed to help end users learn how to identify and protect themselves\r\nfrom phishing attacks.\r\nSource: https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii"
	],
	"report_names": [
		"deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii"
	],
	"threat_actors": [],
	"ts_created_at": 1775434928,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e69610d875b0dd6e0592fc1894ca6333c87314d9.pdf",
		"text": "https://archive.orkl.eu/e69610d875b0dd6e0592fc1894ca6333c87314d9.txt",
		"img": "https://archive.orkl.eu/e69610d875b0dd6e0592fc1894ca6333c87314d9.jpg"
	}
}