Weaponized Excel Files Used to Spread FormBook Malware: Old Vulnerability Still a Big Threat

Listen to this Post

Featured Image
Cyber Threat Alert: FormBook Malware Campaign Targets Outdated Microsoft Office Users

A newly discovered malware campaign is making waves in the cybersecurity world by targeting outdated Microsoft Office installations with weaponized Excel spreadsheets. The goal? To infect systems with the FormBook information-stealing malware. FortiGuard Labs reports that this sophisticated attack exploits a long-known vulnerability, CVE-2017-0199, which still affects many systems running Office 2007 through 2016. Despite being patched over eight years ago, the vulnerability is still being exploited due to poor patch management and legacy software use in organizations across the globe. By embedding malicious code within Excel attachments in phishing emails, attackers bypass user awareness and directly execute their payloads, compromising critical data and exposing victims to long-term espionage risks.

📌 Key Events and Attack Process (30-Line Overview)

Cybercriminals are using a dangerous combination of phishing tactics and unpatched software flaws to spread the FormBook malware. The attack starts with a seemingly innocent sales order email, containing a malicious Excel attachment. This spreadsheet is designed to exploit the OLE vulnerability (CVE-2017-0199) in older versions of Microsoft Office. When opened, the document triggers an HTTP request that downloads a malicious HTML Application (HTA) file. Using a combination of COM object exploitation and the mshta.exe utility, the HTA file silently executes without requiring further input from the user.

The payload, embedded as base64-encoded data, is then decoded and drops an executable named sihost.exe into the system’s %APPDATA% directory. Further analysis reveals anti-debugging tactics, such as the use of the IsDebuggerPresent API, intended to block security researchers from analyzing the malware.

But the threat doesn’t end there. The campaign also deploys a second-stage payload: a component called “springmaker,” extracted to the %TEMP% folder and decrypted using XOR with a hardcoded key. The final decoded payload is none other than FormBook, a potent info-stealer capable of collecting browser credentials, keystrokes, screenshots, and clipboard data.

Despite the availability of a patch since 2017, many organizations continue to run unpatched versions of Office due to outdated infrastructure or weak IT maintenance protocols. This makes them easy prey for such multi-layered cyber threats. Fortinet has confirmed that its tools can detect and block this campaign, but also warns organizations to urgently review their security policies, especially regarding email filters, patching routines, and employee awareness.

This incident underscores the reality that even mid-level attackers can launch high-impact operations simply by exploiting old vulnerabilities. As attackers get more creative, defenders must stay proactive, not reactive. The longer systems go unpatched, the easier they become targets for data theft, surveillance, and broader network compromise.

🔍 What Undercode Say:

This attack reflects a concerning pattern in modern cyber warfare: the revival of old vulnerabilities to launch new threats. FormBook is not a new player on the malware stage, but what makes this campaign dangerous is the attacker’s ability to automate and streamline their exploitation methods, targeting users through everyday business communication—specifically, email.

The use of phishing emails pretending to be sales orders leverages a common theme in business environments, making the bait believable. These documents exploit a known vulnerability in Office (CVE-2017-0199), which was originally patched in 2017. Yet due to lax patching policies and legacy dependencies, thousands of machines worldwide remain vulnerable. This points to a massive gap in cybersecurity hygiene—especially among small to mid-sized enterprises.

The

The anti-debugging feature in the payload, using the IsDebuggerPresent API, is another red flag. This indicates that attackers are well aware of how malware researchers operate and have designed their code to resist static and dynamic analysis. It’s a reminder that today’s malware isn’t just functional—it’s engineered to survive scrutiny.

FormBook itself is infamous for its data-stealing capabilities. From capturing browser logins to monitoring keystrokes and taking screenshots, it equips attackers with all the tools they need to establish persistent access, spy on users, and exfiltrate sensitive information over long periods. This could lead to corporate espionage, credential theft, and in some cases, even ransom demands.

The persistence of CVE-2017-0199 exploitation is a clear sign that awareness campaigns are falling short. Organizations are either unaware of the risks or are too tied to legacy systems to make necessary upgrades. Meanwhile, threat actors are evolving, using automation, scripting, and payload encryption to stay ahead.

This campaign serves as a wake-up call. If a vulnerability patched in 2017 is still being used effectively in 2025, then the real enemy isn’t the hacker—it’s the failure to prioritize updates. Organizations must embrace proactive patch management, train employees to spot phishing attempts, and deploy endpoint detection tools that recognize behavioral anomalies, not just static signatures.

✅ Fact Checker Results:

CVE-2017-0199 still actively exploited by malware in real-world campaigns: ✅ Yes ✔️
Payload confirmed as FormBook with typical info-stealing behaviors: ✅ Yes ✔️
Campaign detected by FortiGuard and analyzed with multiple SHA-256 hashes: ✅ Yes ✔️

🔮 Prediction:

If unpatched Office installations continue to exist within enterprise environments, exploitation campaigns like this one will persist and evolve. We can expect to see more modular attacks using low-level system tools like mshta.exe, and malware strains like FormBook could be updated with ransomware capabilities or lateral movement modules. Legacy software will remain a soft target unless organizations globally enforce stricter patch management and adopt a zero-trust security approach.

References:

Reported By: cyberpress.org
Extra Source Hub:
https://www.digitaltrends.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram