How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload

June 8, 2025, 4:35 p.m.

Description

A high-severity phishing campaign targeting users of outdated Office versions exploits the CVE-2017-0199 vulnerability to deliver FormBook malware. The attack begins with an email carrying a malicious Excel attachment. When the attachment is opened, it triggers the vulnerability, which downloads and executes a malicious HTA file. That HTA file in turn downloads and runs 'sihost.exe', which extracts and decodes 'springmaker', ultimately revealing the FormBook payload. The malware aims to capture sensitive data, including login credentials, keystrokes, and clipboard contents. Although the vulnerability is eight years old and patches are available, organizations remain exposed because of challenges in vulnerability management and remediation. The attack chain uses multiple stages of encryption and anti-debugging techniques to evade detection.

Date

  • Created: June 5, 2025, 10:36 p.m.
  • Published: June 5, 2025, 10:36 p.m.
  • Modified: June 8, 2025, 4:35 p.m.

Indicators

  • a619b1057bccb69c4d00366f62ebd6e969935cca65fa40fdbfe1b95e36ba605d
  • 3843f96588773e2e463a4da492c875b3241a4842d0c087a19c948e2be0898364
  • 7e16ed31277c31c0370b391a1fc73f77d7f0cd13cc3bab0eaa9e2f303b6019af
  • 2bfbf6792ca46219259424efbbbee09ddbe6ae8fd9426c50aa0326a530ac5b14
  • 33a1696d69874ad86501f739a0186f0e4c0301b5a45d73da903f91539c0db427
  • 172.245.123.32
  • http://172.245.123.32/199/sihost.exe
  • http://172.245.123.32/xampp/hh/wef.hta

Attack Patterns

Linked vulnerabilities