Date: 06/06/2025
Severity: High
Summary
Our team recently identified a high-severity phishing campaign targeting users of outdated Microsoft Office applications through malicious email attachments. The emails contain an Excel file that exploits the CVE-2017-0199 vulnerability in the OLE (Object Linking and Embedding) feature of older Office versions. The campaign distributes FormBook, an infostealer malware capable of capturing login credentials, keystrokes, and clipboard data. Once the malicious file is opened, a sequence of actions is triggered to deploy the FormBook payload.
Indicators of Compromise (IOC) List
Domains/URLs:
    http://172.245.123.32/xampp/hh/wef.hta
    http://172.245.123.32/199/sihost.exe
SHA-256 hashes:
    33A1696D69874AD86501F739A0186F0E4C0301B5A45D73DA903F91539C0DB427
    2BFBF6792CA46219259424EFBBBEE09DDBE6AE8FD9426C50AA0326A530AC5B14
    7E16ED31277C31C0370B391A1FC73F77D7F0CD13CC3BAB0EAA9E2F303B6019AF
    A619B1057BCCB69C4D00366F62EBD6E969935CCA65FA40FDBFE1B95E36BA605D
    3843F96588773E2E463A4DA492C875B3241A4842D0C087A19C948E2BE0898364
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs:
    domainname like "http://172.245.123.32/xampp/hh/wef.hta"
    or url like "http://172.245.123.32/xampp/hh/wef.hta"
    or siteurl like "http://172.245.123.32/xampp/hh/wef.hta"
    or domainname like "http://172.245.123.32/199/sihost.exe"
    or url like "http://172.245.123.32/199/sihost.exe"
    or siteurl like "http://172.245.123.32/199/sihost.exe"
SHA-256 hashes:
    sha256hash IN ("2BFBF6792CA46219259424EFBBBEE09DDBE6AE8FD9426C50AA0326A530AC5B14","33A1696D69874AD86501F739A0186F0E4C0301B5A45D73DA903F91539C0DB427","A619B1057BCCB69C4D00366F62EBD6E969935CCA65FA40FDBFE1B95E36BA605D","7E16ED31277C31C0370B391A1FC73F77D7F0CD13CC3BAB0EAA9E2F303B6019AF","3843F96588773E2E463A4DA492C875B3241A4842D0C087A19C948E2BE0898364")
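The same IOC matching as the queries above, as an added stand-alone example (not a Gurucul query, not code from the referenced Fortinet analysis) for teams that want to sweep exported proxy or EDR logs offline. It assumes a constructed key=value log format with url/siteurl/domainname/sha256hash fields, compares hashes case-insensitively, and additionally flags any URL whose host is the advisory's IP, since the exact-URL match above misses other paths on the same host.

```python
import re

# IOCs from the advisory above; hashes lower-cased for case-insensitive comparison
IOC_URLS = {
    "http://172.245.123.32/xampp/hh/wef.hta",
    "http://172.245.123.32/199/sihost.exe",
}
IOC_HOSTS = {"172.245.123.32"}  # host part of the IOC URLs
IOC_SHA256 = {h.lower() for h in (
    "33A1696D69874AD86501F739A0186F0E4C0301B5A45D73DA903F91539C0DB427",
    "2BFBF6792CA46219259424EFBBBEE09DDBE6AE8FD9426C50AA0326A530AC5B14",
    "7E16ED31277C31C0370B391A1FC73F77D7F0CD13CC3BAB0EAA9E2F303B6019AF",
    "A619B1057BCCB69C4D00366F62EBD6E969935CCA65FA40FDBFE1B95E36BA605D",
    "3843F96588773E2E463A4DA492C875B3241A4842D0C087A19C948E2BE0898364",
)}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_kv(line):
    """Parse one key=value log line (assumed, constructed format) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def host_of(url):
    """Return the lower-cased host of a URL, or None if it is not a URL."""
    m = re.match(r'^[a-z]+://([^/:]+)', url, re.I)
    return m.group(1).lower() if m else None

def match_iocs(line):
    """Return a list of (ioc_type, value) hits for a single log line."""
    rec, hits = parse_kv(line), []
    for key in ("url", "siteurl"):
        u = rec.get(key)
        if u and u in IOC_URLS:
            hits.append(("url", u))                 # exact IOC URL (as the query does)
        elif u and host_of(u) in IOC_HOSTS:
            hits.append(("host", host_of(u)))       # same host, different path
    d = rec.get("domainname")
    if d and d.lower() in IOC_HOSTS:
        hits.append(("host", d.lower()))            # bare host/IP field
    h = rec.get("sha256hash")
    if h and h.lower() in IOC_SHA256:
        hits.append(("sha256", h.lower()))
    return hits

def scan(lines):
    """Return (line_index, hits) for every line that matched at least one IOC."""
    return [(i, match_iocs(l)) for i, l in enumerate(lines) if match_iocs(l)]

# Constructed sample telemetry, not real logs
SAMPLE_LOGS = [
    'ts=2025-06-06T10:01:02Z host=WS01 url="http://172.245.123.32/xampp/hh/wef.hta" status=200',
    'ts=2025-06-06T10:01:05Z host=WS01 url="http://172.245.123.32/199/other.bin" status=200',
    'ts=2025-06-06T10:01:09Z host=WS01 sha256hash=a619b1057bccb69c4d00366f62ebd6e969935cca65fa40fdbfe1b95e36ba605d',
    'ts=2025-06-06T10:02:00Z host=WS02 url="https://example.com/report.xlsx" status=200',
]
```

Running scan(SAMPLE_LOGS) flags the first three constructed lines (exact URL, same host, known hash) and leaves the benign fourth untouched.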
Reference:
https://www.fortinet.com/blog/threat-research/how-a-malicious-excel-file-cve-2017-0199-delivers-the-formbook-payload