Tuesday, May 6, 2025
Hackers Exploit Weaponized Word Docs to Steal Windows Login Credentials


A sophisticated phishing campaign has been uncovered by Fortinet’s FortiGuard Labs, targeting Windows users with malicious Word documents designed to steal sensitive data.

Disguised as legitimate sales orders, these emails trick recipients into opening attachments that exploit a known vulnerability, CVE-2017-11882, in Microsoft Equation Editor 3.0.

This remote code execution flaw allows attackers to execute harmful code on the victim’s system, ultimately deploying a new variant of the FormBook information-stealing malware.

FormBook is notorious for harvesting credentials, keystrokes, screenshots, and clipboard data, posing a severe threat to personal and organizational security.

Technical Breakdown of the Attack Chain and FormBook Deployment

The attack begins with a phishing email flagged by FortiMail as containing a virus, yet crafted to appear urgent and legitimate, prompting users to open the attached Word document, often named something innocuous like “order0087.docx.”

[Figure: Workflow diagram of this FormBook campaign]

Saved in OOXML format, the document embeds an obfuscated RTF file, “Algeria.rtf,” which contains malicious binary objects.

One object is a 64-bit DLL named “AdobeID.pdf” (the .pdf extension is a disguise) that is dropped into the %temp% folder, while another carries crafted equation data that exploits CVE-2017-11882, triggering a buffer overflow in EQNEDT32.EXE.
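As an added example (not code from Fortinet's report or from the campaign's own files), the following Python script performs the static triage a defender would run on a suspicious OOXML attachment: it unzips the document, checks the relationship file for OLE-object links, identifies each embedded part by its magic bytes rather than its name (the "AdobeID.pdf" DLL is exactly the case where the name lies), and compares the SHA-256 of the document and of every embedded part against the IOC table at the end of this article. The sample document it builds is constructed in memory and contains only a benign RTF placeholder.

```python
import hashlib
import io
import re
import zipfile

# SHA-256 values copied from the IOC table in this article (lower-cased for comparison).
KNOWN_BAD_SHA256 = {
    "93cf566c0997d5dcd1129384420e4ce59764bd86fdabaaa8b74caf5318ba9184": "order0087.docx",
    "7c66e3156bbe88ec56294cd2ca15416dd2b18432deedc024116ea8fbb226d23b": "Algeria.rtf",
    "2e73b32d2180fd06f5142f68e741da1cff1c5e96387cebd489ad78de18840a56": "AdobeID.pdf (64-bit DLL)",
    "6ac778712dffce48b51850ac34a846da357be07328b00d0b629ec9b2f1c37ece": "decrypted FormBook",
}

# File-format signatures relevant to this chain: an RTF carrier, an OLE compound
# file (the container Equation Editor objects live in) and a PE image.
MAGIC = [
    (b"{\\rtf", "RTF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file"),
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP/OOXML"),
]

OLE_RELATIONSHIP = b"/relationships/oleObject"


def sniff(data: bytes) -> str:
    """Return a coarse format label derived from the leading magic bytes."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def triage_docx(docx_bytes: bytes) -> list:
    """Static checks on an OOXML package; returns human-readable findings."""
    findings = []
    doc_sha = hashlib.sha256(docx_bytes).hexdigest()
    if doc_sha in KNOWN_BAD_SHA256:
        findings.append(f"document SHA-256 matches IOC: {KNOWN_BAD_SHA256[doc_sha]}")

    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()

        # 1. Relationship file: does the main document part link to any OLE object?
        if "word/_rels/document.xml.rels" in names:
            rels = zf.read("word/_rels/document.xml.rels")
            for rel in re.findall(rb"<Relationship\b[^>]*>", rels):
                if OLE_RELATIONSHIP in rel:
                    target = re.search(rb'Target="([^"]+)"', rel)
                    tgt = target.group(1).decode(errors="replace") if target else "?"
                    findings.append(f"OLE object relationship -> {tgt}")

        # 2. Embedded parts: report what each one really is, whatever it is called.
        for name in names:
            if not name.startswith("word/embeddings/"):
                continue
            data = zf.read(name)
            findings.append(f"embedded part {name}: {sniff(data)}")
            part_sha = hashlib.sha256(data).hexdigest()
            if part_sha in KNOWN_BAD_SHA256:
                findings.append(f"embedded part {name} SHA-256 matches IOC: {KNOWN_BAD_SHA256[part_sha]}")
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML package with one embedded RTF placeholder (benign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "word/document.xml",
            '<w:document><w:body><w:p><w:r><w:object><o:OLEObject r:id="rId1"/></w:object>'
            "</w:r></w:p></w:body></w:document>",
        )
        zf.writestr(
            "word/_rels/document.xml.rels",
            '<Relationships><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="embeddings/oleObject1.bin"/></Relationships>',
        )
        # Placeholder RTF text only; no real exploit object is embedded here.
        zf.writestr("word/embeddings/oleObject1.bin", b"{\\rtf1 constructed placeholder}")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_docx(build_sample_docx()):
        print(line)
```

Run against a real attachment, replace `build_sample_docx()` with the file's bytes; any embedded part whose sniffed format is RTF, OLE or PE deserves a closer look regardless of how the document presents itself, and a hash hit against the table is conclusive.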

According to the report, the overflow leads to execution of the dropped DLL via rundll32.exe, launched through a crafted WinExec() API call.

The DLL establishes persistence by adding a registry key under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ensuring it runs on system startup.

It then downloads an encrypted payload disguised as a PNG file from a malicious URL, decrypts it using a hardcoded key (“H1OX2WsqMLPKvGkQ”), and reveals the fileless FormBook executable.

To evade detection, the malware uses process hollowing, injecting itself into a legitimate Windows process, ImagingDevices.exe (part of Windows Photo Viewer).

It creates that process suspended (CREATE_SUSPENDED among the creation flags), maps the decrypted FormBook image into its memory with NtMapViewOfSection(), and redirects the main thread with Wow64SetThreadContext(), so the payload runs under a trusted process image and avoids traditional file-based detection.
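The process and registry behaviour described above (Equation Editor spawning rundll32.exe, a non-DLL file in %temp% being loaded as a DLL, and a Run-key value pointing into %temp%) is what endpoint telemetry can catch. The following Python is an added example, not code from Fortinet or this article: it runs three such rules over a handful of constructed Sysmon-style events. The field names, paths and command lines are assumptions made for the sample; the process-hollowing step is not visible at this level of telemetry and is left out.

```python
import ntpath
import re

# Constructed sample telemetry in a Sysmon-like shape (not real logs from the campaign).
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" order0087.docx'},
    {"type": "process_create",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": '"EQNEDT32.EXE"'},
    {"type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "command_line": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\AdobeID.pdf",#1'},
    {"type": "registry_set",
     "image": r"C:\Windows\System32\rundll32.exe",
     "target_object": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeID",
     "details": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\AdobeID.pdf",#1'},
    # Two benign events, to show the rules do not fire on ordinary rundll32 / Run-key use.
    {"type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "registry_set",
     "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
RUN_KEY_MARKER = "\\currentversion\\run\\"


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def in_temp(text: str) -> bool:
    """True if the text references a well-known temp directory."""
    t = text.lower()
    return any(m in t for m in TEMP_MARKERS)


def rundll32_module(cmd: str):
    """Extract the module path rundll32 was asked to load (first argument, before the comma)."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', cmd, re.IGNORECASE)
    return m.group(1).strip() if m else None


def detect(events: list) -> list:
    """Apply the three rules; each alert names the rule and the offending event index."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] == "process_create":
            # Rule 1: Equation Editor has no business spawning child processes.
            if base(ev["parent_image"]) == "eqnedt32.exe":
                alerts.append({"event": i, "rule": "eqnedt32_child_process", "detail": base(ev["image"])})
            # Rule 2: rundll32 loading a file from temp whose extension is not .dll.
            if base(ev["image"]) == "rundll32.exe":
                mod = rundll32_module(ev["command_line"])
                if mod and in_temp(mod) and not mod.lower().endswith(".dll"):
                    alerts.append({"event": i, "rule": "rundll32_nondll_from_temp", "detail": mod})
        elif ev["type"] == "registry_set":
            # Rule 3: autostart (Run key) value whose command points into a temp directory.
            if RUN_KEY_MARKER in ev["target_object"].lower() and in_temp(ev["details"]):
                alerts.append({"event": i, "rule": "run_key_points_to_temp", "detail": ev["target_object"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rules deliberately key on behaviour rather than on the file names from this campaign, so a renamed DLL or a different Run-key value name still trips them; the two benign events show where the precision comes from (a real DLL argument, a Run entry outside temp).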

This intricate chain from phishing to payload deployment highlights the attackers’ focus on evasion and persistence, making this variant particularly dangerous.

[Figure: Inner view of the Word document]

Fortinet’s protections, including AntiSPAM, Web Filtering, IPS, and AntiVirus services, have already flagged and mitigated this threat through signatures like “MSWord/Formbook.9184!tr” and by blocking associated malicious URLs and DNS requests.

Users are urged to remain vigilant and update their systems to defend against such advanced threats.

Indicators of Compromise (IOCs)

Type                         Value
URL                          hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215.png
order0087.docx SHA-256       93CF566C0997D5DCD1129384420E4CE59764BD86FDABAAA8B74CAF5318BA9184
Algeria.rtf SHA-256          7C66E3156BBE88EC56294CD2CA15416DD2B18432DEEDC024116EA8FBB226D23B
AdobeID.pdf SHA-256          2E73B32D2180FD06F5142F68E741DA1CFF1C5E96387CEBD489AD78DE18840A56
Decrypted FormBook SHA-256   6AC778712DFFCE48B51850AC34A846DA357BE07328B00D0B629EC9B2F1C37ECE

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
