Ahmed Sonbol

Malspam delivers FormBook InfoStealer 01-08-2018

Blog Post created by Ahmed Sonbol Employee on Jan 9, 2018

Malspam activity was observed on January 8th, 2018 delivering FormBook malware. FormBook is a data stealer and form grabber that has been sold on various hacking forums since early 2016. Its capabilities include clipboard monitoring, keyboard logging, taking screenshots, grabbing form data, and collecting passwords from browsers and email clients. More information about the malware can be found in this blog post by FireEye security researchers.

The delivery document Tax Reform.doc uses macros to deliver the payload to the victim machine.

The following screenshots show the results of scanning the document with RSA's pre-release What's This File service, including signs of an auto-launch script.

Upon enabling the macro, the code runs and a binary is downloaded to the victim machine. Notice the absence of the header fields a browser would normally send in the HTTP GET request, and the use of a unique User-Agent string.

VirusTotal scan results can be found here. The analysis report from hybrid-analysis.com suggests it is a FormBook variant.

Upon execution, the binary checks in with a list of C2 servers.

After checking in, the malware posts data to the server in an encoded/encrypted format.
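The two network observations above, a bare GET with missing browser headers and an unusual User-Agent, followed by POSTs of encoded/encrypted data, can be turned into simple screening logic over proxy logs. The script below is an added example written for this post, not code from the original article or from any RSA product. Every log record, host name, path and User-Agent string in it is a constructed placeholder (hypothetical values, not the ones seen in this campaign); only the file name bin.exe comes from the post. The entropy heuristic and header list are assumptions about typical browser traffic, not facts stated on the page.

```python
"""Heuristic screening of proxy-logged HTTP requests for the pattern described
above: a macro-driven GET lacking the headers a browser sends and carrying an
odd User-Agent, followed by POSTs whose bodies look encoded/encrypted.

Added example, not code from the original post. All records, hosts, paths and
User-Agent strings below are constructed placeholders.
"""
import math
from collections import Counter

# Headers a browser almost always includes in a GET; bare downloader requests
# typically omit most of them (assumption about normal browser behaviour).
EXPECTED_GET_HEADERS = {"Accept", "Accept-Language", "Accept-Encoding", "Connection"}

# Prefixes of User-Agent strings that are plausible for real browsers.
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")

# Above this many bits per byte a POST body is unlikely to be plain form data.
ENTROPY_THRESHOLD = 5.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of ``data``; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_request(rec: dict) -> list[str]:
    """Return the reasons one logged request looks like downloader/C2 traffic.

    ``rec`` has keys method, host, path, headers (dict) and, for POSTs, body
    (str).  An empty list means nothing suspicious was found.
    """
    reasons = []
    headers = {k.title(): v for k, v in rec.get("headers", {}).items()}
    ua = headers.get("User-Agent", "")

    if rec["method"] == "GET":
        missing = EXPECTED_GET_HEADERS - set(headers)
        if len(missing) >= 2:
            reasons.append(f"GET lacks typical browser headers: {sorted(missing)}")
        if rec["path"].lower().endswith((".exe", ".scr", ".dll")):
            reasons.append("GET fetches an executable")

    if not ua:
        reasons.append("no User-Agent header")
    elif not ua.startswith(BROWSER_UA_PREFIXES):
        reasons.append(f"non-browser User-Agent: {ua!r}")

    if rec["method"] == "POST":
        body = rec.get("body", "").encode()
        ent = shannon_entropy(body)
        if len(body) >= 32 and ent > ENTROPY_THRESHOLD:
            reasons.append(f"POST body is high-entropy ({ent:.2f} bits/byte)")

    return reasons


def screen(records: list[dict]) -> dict[str, list[str]]:
    """Map 'METHOD host/path' to its reasons for every flagged record."""
    flagged = {}
    for rec in records:
        reasons = score_request(rec)
        if reasons:
            flagged[f"{rec['method']} {rec['host']}{rec['path']}"] = reasons
    return flagged


# Constructed sample log; none of these values come from the real campaign.
SAMPLE_REQUESTS = [
    {   # ordinary browser navigation: full header set, browser UA
        "method": "GET", "host": "news.example.com", "path": "/index.html",
        "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                    "Accept": "text/html,*/*", "Accept-Language": "en-US",
                    "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive"},
    },
    {   # macro downloader: bare GET, odd UA, executable payload (placeholder UA)
        "method": "GET", "host": "payload.example.net", "path": "/bin.exe",
        "headers": {"User-Agent": "WinHttpDownloader/1.0", "Host": "payload.example.net"},
    },
    {   # ordinary login form: short, low-entropy key=value body
        "method": "POST", "host": "intranet.example.com", "path": "/login",
        "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": "user=alice&action=view",
    },
    {   # C2 post-check-in upload: 64 distinct bytes once each (6.0 bits/byte)
        "method": "POST", "host": "c2.example.org", "path": "/gate.php",
        "headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0)"},
        "body": "".join(chr(c) for c in range(33, 97)),
    },
]

if __name__ == "__main__":
    for key, why in screen(SAMPLE_REQUESTS).items():
        print(key, "->", "; ".join(why))
```

Running the block prints only the two constructed malicious records: the GET is flagged for missing headers, a non-browser User-Agent and an executable download, and the POST for its high-entropy body. The entropy threshold is deliberately below the 6.0 bits/byte that base64 text can reach, so encoded as well as raw encrypted bodies are caught; tune it and the header list against your own proxy baseline before alerting on them.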

Delivery document Tax Reform.doc (SHA256):

  • 9441d7811e869d50e7c340c622a57c14004682573ff6d5d43fca4d0be6aca102

FormBook binary bin.exe (SHA256):

  • 391971ca3923a45997633275249dcd5bedf2b11f165646671e4359afa3fec4b4