Formbook is a long-lived information stealer, which has been around for several years. We have also published about it in the past. A recent attack wave of Formbook was recently prevented by Deep Instinct in one of its customer sites. This wave appears to target victims globally. The attack begins with a malicious PDF dropper, which then drops an Office document, which in turn downloads the final Formbook payload.
Initial analysis of this PDF document aroused our suspicion, as it seems to exploit CVE-2017-11882, a known MS-Office equation editor vulnerability exploited often in Office and RTF documents. Upon further investigation, we found the PDF dropper employs an interesting infection chain, involving an Office file, which ends in the dropping and execution of the Formbook information stealer.
The infection flow starts with the victim receiving an email with a PDF attachment. The email subject is a standard quotation request, so the malicious PDF file tries to trick the victim by being named “REQUEST FOR QUOTE.pdf”. Based on the email recipient and Deep Instinct production telemetry, it appears this attack wave is targeting victims all around the globe.
Once the PDF is downloaded and executed, it runs an OpenAction event which leads to the user being presented with a decoy message, and a warning window, which asks the user if the file “is secured and verified however docx, PDF,.xlam” should be opened.
If the user opens the file, an XLAM (an Excel Macro-Enabled Add-In) document, which is embedded in the PDF, is executed. This document exploits CVE-2017-11882 to download the Formbook payload through svchost.exe. The document attempts to download the Formbook payload from hxxp://challengerevertprocessupdate.duckdns.org/office/vbc.exe. The PE payload has a PDF icon, to fool unsophisticated users.
Once the Formbook payload is downloaded, it performs the following actions, which are similar to previous Formbook campaigns:
The payload is signed with an invalid X509 certificate belonging to CyberLink Corp, which is a large multimedia software company located in Taiwan. Since the signature is invalid, it appears the attempts of the attacker to distribute this file as a signed CyberLink file were unsuccessful.
In this new attack wave, Formbook deploys several evasion and anti-analysis techniques, which complicate the analysis of each stage in the infection flow. Initially, the PDF file can’t be analyzed with regular PDF static analysis tools, such as Peepdf or pdftk, as both tools crash when trying to parse the file, probably due to mishandling of specific objects inside the malicious PDF file. In addition, the XLAM document arrives encrypted which complicates analysis with Office static analysis tools, such as oletools. However, the XLAM file is decrypted on execution and can be analyzed dynamically. XLAM is also a rarely used format, so it might not be blocked by certain network security products.
In addition, the final PE payload is written in .NET, and the .NET code of the file is highly obfuscated.
In this case, as well, the file can be analyzed dynamically without difficulty. It should be noted that encrypted or obfuscated Formbook samples written in .NET were also seen in previous attack waves of Formbook.
The malware also includes some additional evasion techniques, such as a long sleep (several minutes) and several methods to detect virtualization.
Attackers constantly evolve in order to try and evade security solutions and complicate the analysis of their malware. The complex execution flow of this Formbook attack is another innovative attempt by attackers to evade detection. In addition, the anti-analysis techniques incorporated in all files used in the infection flow are an attempt by attackers to make the characterization of the attack more difficult.
Deep Instinct’s customers are protected from this new attack wave of Formbook, which we prevent at the earliest possible stage.
PDF dropper: 520b9c0c81cd34a95c0439f8ed3addd5e39aed22de4798fb3ab9173f7fe251b1
XLAM dropper: e66786bb4fb9ec568a86c51a060284197f2342f09fd1a6568751d1570d9b36ee
PE payload: c7722bb0e745b981dc978a624139cf0cd6920a230c20ea552dfbd1a41be37849
PE X-509 SHA1 thumbprint: c55a46f6b27c446e4a6e74cfc7b376d18389d2b8
Additional PDF droppers