Hackers Deploy FormBook Malware via Weaponized Excel Files to Target Windows Systems
FortiGuard Labs has uncovered a critical phishing campaign targeting Windows users that leverages malicious Excel attachments to exploit a long-standing vulnerability in older versions of Microsoft Office.
This sophisticated attack distributes FormBook, a notorious information-stealing malware designed to harvest sensitive data such as login credentials, keystrokes, and clipboard contents.
Phishing Campaign Exploits Old Microsoft Office
The campaign, detailed in the 2025 Global Threat Landscape Report, initiates with deceptive emails posing as sales orders, urging recipients to open the attached Excel file.

According to the FortiGuard Labs report, these emails, which FortiMail flags as containing a virus, exploit CVE-2017-0199, an eight-year-old logic vulnerability in Office 2007/2010/2013/2016. Patches have long been available but are inconsistently applied because of outdated systems or remediation challenges.
The attack unfolds through a meticulously orchestrated multi-stage process. Upon opening the malicious Excel file in a vulnerable Office environment, the exploit triggers an HTTP request to a remote server, retrieving a malicious HTA (HTML Application) file via a redirected URL (hxxps://agr.my/P6bJNr).

This file, laden with base64-encoded content, downloads additional payloads into the %APPDATA% directory for execution.
Multi-Stage Attack Delivers FormBook Payload
Further analysis reveals the deployment of a file named “sihost.exe,” which contains raw resource data compiled from AutoIt scripts and identifiable by characteristic byte sequences.
This file employs anti-debugging tactics such as calling the IsDebuggerPresent API to evade analysis, decrypts a resource called “SCRIPT,” and extracts another file, “springmaker,” to the %TEMP% directory.
After “springmaker” is decoded with an XOR operation using the key “3NQXSHDTVT2DPK06,” the core FormBook payload is unleashed, posing a severe threat by taking control of victims’ devices and extracting sensitive information.
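The repeating-key XOR step described above is the kind of transformation an analyst reverses by hand when triaging a sample. The following is an added example, not code from the article or from FortiGuard Labs: it applies the article's key to a constructed blob and then runs the sanity check an analyst would apply to the output (does it carry a valid PE header?). The encoded bytes are synthetic test data built inside the script; only the key string comes from the article, and the assumption that the decoded stage is a PE file is the example's, not the report's.

```python
"""Analyst helper for the repeating-key XOR stage (added example, not from the report)."""
from itertools import cycle

# Key quoted in the article for the "springmaker" stage.
KEY = b"3NQXSHDTVT2DPK06"


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with key[i % len(key)].

    XOR is its own inverse, so one function both encodes and decodes.
    """
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap post-decode sanity check: a Windows executable starts with the
    'MZ' DOS header and has 'PE\\0\\0' at the offset stored at 0x3C (e_lfanew)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\0\0"


def build_constructed_sample() -> bytes:
    """Build a minimal fake PE header and XOR it with KEY.

    This stands in for an encoded 'springmaker' blob; it is synthetic test data,
    not the real payload, and carries no executable code.
    """
    header = bytearray(b"MZ" + b"\x00" * 0x3A)          # 0x3C bytes of DOS stub
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> 0x40
    header += b"PE\0\0" + b"\x00" * 20                  # PE signature + padding
    return xor_repeating_key(bytes(header), KEY)


def try_decode(encoded: bytes, key: bytes = KEY) -> tuple[bool, bytes]:
    """Decode with the given key and report whether the result parses as a PE."""
    decoded = xor_repeating_key(encoded, key)
    return looks_like_pe(decoded), decoded


if __name__ == "__main__":
    ok, out = try_decode(build_constructed_sample())
    print("decoded PE header found:", ok, "| first bytes:", out[:4])
```

The PE check is what turns a guessed key into evidence: if the candidate key is wrong, the first two bytes will not be `MZ` and the e_lfanew pointer will not land on a `PE\0\0` signature, so the decoder can reject it without any further parsing.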
Fortinet’s protective measures, including FortiGuard’s AntiSPAM, Web Filtering, IPS, and AntiVirus services, have already flagged associated URLs as malicious and detected the exploit with signatures like “MS.Office.OLE.autolink.Code.Execution” and “W32/Formbook.AA!tr,” ensuring robust defense for users with up-to-date systems.
This campaign underscores the persistent danger of legacy vulnerabilities like CVE-2017-0199, which continue to be exploited due to organizational negligence or technical constraints in patching.
Windows users are strongly advised to update their software, apply patches diligently, and remain vigilant against unsolicited email attachments.
For deeper insights, Fortinet offers resources like the NSE 1 training on phishing awareness and encourages contacting their Global FortiGuard Incident Response Team if a breach is suspected.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| URL | hxxp://172.245.123.32/xampp/hh/wef.hta |
| URL | hxxp://172.245.123.32/199/sihost.exe |
| SHA-256 (AprilSAO2025.xls) | 33A1696D69874AD86501F739A0186F0E4C0301B5A45D73DA903F91539C0DB427 |
| SHA-256 (wef.hta) | 2BFBF6792CA46219259424EFBBBEE09DDBE6AE8FD9426C50AA0326A530AC5B14 |
| SHA-256 (siHOST.exe) | 7E16ED31277C31C0370B391A1FC73F77D7F0CD13CC3BAB0EAA9E2F303B6019AF |
| SHA-256 (springmaker) | A619B1057BCCB69C4D00366F62EBD6E969935CCA65FA40FDBFE1B95E36BA605D |
| SHA-256 (FormBook) | 3843F96588773E2E463A4DA492C875B3241A4842D0C087A19C948E2BE0898364 |
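An IOC table is only useful once it is turned into something that can be run against telemetry. The script below is an added example, not part of the article or of Fortinet's tooling: it parses the table above, refangs the published `hxxp://` URLs, and sweeps constructed proxy-log lines and a constructed file-hash list against the resulting sets. The log lines, the hash list, and the simple `timestamp client method url status` log layout are all assumptions made for the demo; the IOC values are the article's.

```python
"""Sweep constructed logs and hashes against the article's IOC table (added example)."""
import re

# IOC rows copied from the article's table; URLs kept defanged as published.
IOC_TABLE = """
| Type | Value |
|---|---|
| URL | hxxp://172.245.123.32/xampp/hh/wef.hta |
| URL | hxxp://172.245.123.32/199/sihost.exe |
| SHA-256 (AprilSAO2025.xls) | 33A1696D69874AD86501F739A0186F0E4C0301B5A45D73DA903F91539C0DB427 |
| SHA-256 (wef.hta) | 2BFBF6792CA46219259424EFBBBEE09DDBE6AE8FD9426C50AA0326A530AC5B14 |
| SHA-256 (siHOST.exe) | 7E16ED31277C31C0370B391A1FC73F77D7F0CD13CC3BAB0EAA9E2F303B6019AF |
| SHA-256 (springmaker) | A619B1057BCCB69C4D00366F62EBD6E969935CCA65FA40FDBFE1B95E36BA605D |
| SHA-256 (FormBook) | 3843F96588773E2E463A4DA492C875B3241A4842D0C087A19C948E2BE0898364 |
"""

URL_RE = re.compile(r"https?://\S+")
HOST_RE = re.compile(r"https?://([^/]+)")


def refang(url: str) -> str:
    """Reverse the publisher's defanging so the value matches real log entries."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def parse_iocs(table: str) -> dict[str, set[str]]:
    """Turn the markdown table into {'url', 'host', 'sha256'} sets.

    Hashes are lower-cased so later comparisons are case-insensitive.
    """
    iocs: dict[str, set[str]] = {"url": set(), "host": set(), "sha256": set()}
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] in ("Type", "---"):
            continue  # header, separator, or malformed row
        kind, value = cells
        if kind == "URL":
            url = refang(value)
            iocs["url"].add(url)
            iocs["host"].add(HOST_RE.match(url).group(1))
        elif kind.startswith("SHA-256"):
            iocs["sha256"].add(value.lower())
    return iocs


def scan_proxy_log(lines: list[str], iocs: dict[str, set[str]]) -> list[tuple[int, str]]:
    """Return (line_no, reason) for every line that hits an IOC URL or host.

    An exact URL match is reported first; a host-only match still fires, because
    the same server may serve renamed payloads under other paths.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(0)
        host = HOST_RE.match(url).group(1)
        if url in iocs["url"]:
            hits.append((n, "url:" + url))
        elif host in iocs["host"]:
            hits.append((n, "host:" + host))
    return hits


def scan_hashes(hashes: list[str], iocs: dict[str, set[str]]) -> list[str]:
    """Return the (lower-cased) file hashes that appear in the IOC set."""
    return sorted(h.lower() for h in hashes if h.lower() in iocs["sha256"])


# Constructed sample telemetry for the demo (not real log data).
CONSTRUCTED_LOG = [
    "2025-05-02T09:14:01Z 10.0.0.23 GET http://172.245.123.32/xampp/hh/wef.hta 200",
    "2025-05-02T09:14:03Z 10.0.0.23 GET https://example.com/index.html 200",
    "2025-05-02T09:14:09Z 10.0.0.23 GET http://172.245.123.32/other/path 404",
]
CONSTRUCTED_HASHES = [
    "33a1696d69874ad86501f739a0186f0e4c0301b5a45d73da903f91539c0db427",
    "0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    for n, reason in scan_proxy_log(CONSTRUCTED_LOG, iocs):
        print(f"line {n}: {reason}")
    for h in scan_hashes(CONSTRUCTED_HASHES, iocs):
        print("hash match:", h)
```

Two design points carry over to real deployments: defanged indicators must be refanged before they are loaded, or nothing will ever match, and hash comparison has to be case-insensitive, since vendors publish SHA-256 values in both upper and lower case.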