Select Page

Cyren Security Blog

Formbook Adds RTF Exploit to Its Delivery Methods

Formbook, a well-known family of malware that steals information by grabbing user input from forms, has been seen over the past months for actively repackaging itself to gain more ground in the threat landscape. This time we have seen a well-known RTF exploit, CVE-2017-11882, being used by threat actors to deliver this malware to unsuspecting users.

The RTF documents, detected by Cyren as RTF/CVE-2017-11882.S.gen!Camelot, have file sizes that range between 400KB up to 4.5MB, but the valid RTF objects only use up to around 10-12KB, which means a large part of the document is considered as garbage data to simply obfuscate and hide the exploit.

A quick view of the RTF document using the rtfobj tool shows that there are 2 embedded objects, a VBScript and an Equation.3 object, which is still widely seen as being exploited in the wild.


We have confirmed that the Equation.3 object is indeed exploited and used as the launcher for the embedded VBScript, with its main purpose of downloading and executing a base64 encoded Powershell script component from cdn.discordapp.com. The abuse on Discord’s content delivery network for purposes of serving malicious components is also evident after decrypting similar variants of the RTF exploits from this campaign. Shown below are snippets of the code and their decoded formats.


Reversed:


Decoded:


The downloaded data from Discord’s CDN, is a base64 encoded Powershell script that behaves similarly to a variant that was documented in November of 2020 (https://isc.sans.edu/forums/diary/PowerShell+Dropper+Delivering+Formbook/26806/), including the bypass of AMSI integration as highlighted in the decoded Powershell payload show below.


After bypassing AMSI a .NET compiled DLL encoded and stored in the variable $PROCESS_INFORMATION is decompressed and loaded as an assembly, which eventually executes a variant of Formbook using the code shown below.


Below is a view of the exported function from the loaded .NET compiled DLL used to execute the final malware payload.


Cyren detects these components as W32/Formbook.A.gen!Eldorado and W32/MSIL_Injector.XD.gen!Eldorado.

Indicators of Compromise

RTF SHA256                                                              Detection		                Payload URL                                                                                     Payload Status/SHA256
009D0EF39D7E7E7214A08FCCA41DBA4A317E9D7B49D7E92F49665789DEDFE095	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862048781591904299/862090521044320296/kk[.]jpg	Forbidden
0696EB512977D206198880E11DB5D7EADED891169D1CF09B78A9C2F5882814E1	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/858636845646741525/858655966369939466/me[.]jpg	4cff6a218ea0f06863bdc1eb8b0c600eb713803ed0e33685cd0d2277efb6604e
06FE82A1C249FDC9887659328F84C40FFB6AD2C53C1DF734ACB792436BBF4AB5	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/863917896744697868/876624530662121562/dum[.]jpg	Forbidden
12CE6ADBD6DA928E954DA05CD0363C9298538503BFA7A7778110BFA87514ADF6	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/877304277800992781/877308571807784981/dity[.]jpg	6e6ffe5db47b18bef1bbee787ae536f96da9e0ff267d6938a4f3ea0e5cce6857
1325A3FE68BCA676F499F3966B4D79F7D92DF6314C6AF65E55F01896AD438178	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862048781591904299/862090521044320296/kk[.]jpg	Forbidden
155B83A9EC6EA8E37DDD8EFC010A9B024C86D7DEA3F8C55807F808C64E422FCB	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862048781591904299/863919401534488586/uk2[.]jpg	ea2491a7bd87d63af00820ea351a683b53c5966ecbbafeb480544ea440ed6f56
184B11DDB5F12D820E029B7DF78715E3C3D9ABC96BFB068AD9AAF4791F18229E	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862048781591904299/862090521044320296/kk[.]jpg	Forbidden
1FB37B8E7914F5F7B12921F8B26930B3F33BA0963BEB1E360B07F069909F5736	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862048781591904299/862051211071193088/uk[.]jpg	Forbidden
264F0534CAB513547B16DD6089B22B8E87079D403159BA4550DC22C1C5BA4311	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/858636845646741525/858828768599736320/uk[.]jpg	d82a7a011b28ce2b812e470832a01796f4d6e321813ce5c1344a5098b2136b84
27BDD3B800ED7059278CD0CB0D9FB7AA6581F96FA786F2D3429B3B9688765E10	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/877304217600163853/877306586413023292/sedhy[.]jpg	eab9332fef5698637413fd1f106695769e54468bd064584ad7b26efae58322cf
28D683AAA60AF7E7B8D25B0906039A74C2DE39E48ECFE2973076C78D5D882568	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/861746472729706530/862052610085224469/chis[.]jpg	ed712a6f60b442feed47a8d3e8e27ed4c2c33afd2036011e2de3c650f5891c51
28F4DFC5BCD904D3E5F67424E54608A249414F0915AE4230AD12BC893D344343	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/857370146892677153/857370572274663434/kachi[.]jpg	Forbidden
2CE818E435137213162003E2AAA89A4BDBB67BA9416283C3646D84D5393D685B	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/856468905680568333/857425173410218004/Ashole[.]jpg	Forbidden
311E2B73808FBB0B849C169592F49E5009E525292EF1A0E692CD88BBB543E6FC	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/857370146892677153/857370259077988352/seliii[.]jpg	Forbidden
32904CCE1EED329EFC46EAFDB04E200EA32939056D9C45E12949F6ED96CA087C	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/877304217600163858/877306990811054090/selly[.]exe	Forbidden
3AD92D43C4253E6328109ECBC58AC02716B2CDEE641DABABD44C473D2BF72522	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/857367161357860885/858828161671495680/mono[.]jpg	Forbidden
44F060EEFB28B1D90759EB517C0E134E52164A2701E4F4D9DDBBBD27F48CCE2C	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/858827162500595715/858827264870711316/new[.]jpg	Forbidden
4969F69C96A5CBADD091548C50485899B1F5173C148445FA78CC182A224120F6	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/877302520832213017/877307513006080030/prpro[.]jpg	d50c10dd1c7f15ea44ad3cfd1fcd4a16a419f2b1be5f91d1bdc409cdf6115d9e
497A977375495AC590EE1CA2D037BB06E25ACE568747F8B9B5E1593A8D447865	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/858827162500595715/859551163598897182/noe[.]jpg	Cloudflare Suspected as Phishing
4B8CB944B1BFA9C61BBCDB50C3255AE1061DA42899BDE8CF9FB0273C3786AF77	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862048781591904299/862090521044320296/kk[.]jpg	Forbidden
4CBDD332E3CC18DA5B80DFFB8068D4F6BCED41852CFA54B956C03B024A7E5E62	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/857367161357860885/857369777445666816/uk[.]jpg	Cloudflare Suspected as Phishing
67401DFB76DDB38A32E6692AB78A6D5CF8709F70B343012769891D6C9B5AF8BC	RTF/CVE-2017-11882.S.gen!Camelot	hxxp://149[.]28[.]255[.]25/non/uk[.]jpg	Forbidden
68B09A0C2CB7147702A5E200C77D95E5CE006DF063E692B7B528991FAB98D698	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/852313164061999177/852313406131142656/jet[.]jpg	Forbidden
6DFDEBC98DC7C59153BDB12EF95FC2CB9411CA0428481AE3DCFCE02EE8039477	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/877309226614153249/877310041630339092/uk[.]jpg	77b3cd4676b383df6fc73ccb375af1505a169171a228f2f802d34329c1452eb7
70D1A011E1090D8CF8A1F3763EA20C72704759C353F551C43051D116DEBC5CE0	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/851563285463695361/851563781062131742/mainuk[.]jpg	Forbidden
73F5B024E7C7242BF60841B1F9314ABA0A71001A2016EB49CBC96FFD49125759	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/861746472729706530/862053909036007424/neo[.]jpg	a98cb11f32aaf20a634f4bf3ac90f326981e2df8c6e178a339efcc732cbed53a
7914E3AD726925BEA9D685249ED34DB9373DD8E3486C293A3634EDFBDED94CDC	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862048781591904299/862090521044320296/kk[.]jpg	Forbidden
7E56F75E20270E246612E230ACC8DB2D86AE9D8F8E0453B286BC0C108DD06C1B	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862051529418342463/862052202780819456/pro[.]jpg	6c216ddc59d5a4a2945faab5786e447720bb162c5fd3a245b6373b0985a95038
7F36B366BB0DECFAB65DA72CDBF1524687DCC7E8F3DB8D1EE3A95352C2E83B67	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/863917896744697868/876623958877831198/dit[.]jpg	Forbidden
7F37B2A036B189F5C691EDDD41960C1D23E879912D6FFA8C4B9E52BA533DB51B	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862048781591904299/862090521044320296/kk[.]jpg	Forbidden
7FA2B0707E132F23FB58B562386FB691D6EBE35294F93F68BE1DE43297AF1C30	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/857367161357860885/859535650280439838/min[.]jpg	Forbidden
86C06644B47777703101A6D8E81852435600AD193B72C2D44C2BE067CBEBB0F7	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862051529418342463/862051665875566622/se[.]jpg	038ed965ebe24f1c156b374486dd2cdb423ce5542cdacdb5a15d165bc8d90cec
88F76A8CE4D63F93390688297A06885F15F3436ABE4175AE538007A0484199C0	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/857367161357860885/857369777445666816/uk[.]jpg	Cloudflare Suspected as Phishing
91EE2A99D9BCCBACF0427B3EDB77DE82FE6F31EC9D194AC5FC6E40A744725805	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/852311750077317195/852311806545362976/dumx[.]jpg	0639b11288df3a5d0552768a09cc759b1dfdbc0d4346a3e94a6fb7e36d401783
978D15E852F3CD2E7B420ABB7AA1CB579865AD880606981C48A67F8B86E9152E	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/853752928900743171/853753145162596382/2uk[.]jpg	Cloudflare Suspected as Phishing
9F1E8D6E132F28C26381AA260F984F86AC6ADC89D9D8A4C855995138E2484961	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/852313164061999177/852313406131142656/jet[.]jpg	Forbidden
9F3B874DBD102F68D6C1F77F0A393F4ACC59AE603D122CACFAD5232701BDB3EE	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/876493387455397942/876623240011841626/p[.]jpg	d50c10dd1c7f15ea44ad3cfd1fcd4a16a419f2b1be5f91d1bdc409cdf6115d9e
A9894D3DA0C489DB83A3579DB0FBB6F5F76A2EF6C2D6177B8572B989376533AB	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/861747648779649027/861749685525676052/neos[.]jpg	Forbidden
AEDC0D055A4753E7B137A3D0661731E0F455D2B8F4EE959B7732BEAF9E378499	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/858827162500595715/859550558162518047/pp[.]jpg	Forbidden
BB87AF0F1E3D26780A77AC4EBE4B814810935D9C5ECDD5AE5FE90AEEBCB8015E	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/876493387455397942/876621659182874644/se[.]jpg	fc32f2d423d94e628a6b44331da96f68ae30c0b60ce521b143bf376ecc0111e6
CA88BC07598B37E8E2292F1A10E06C0ADB7C898D3F3039E53B18D77D7DB20105	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/852311750077317195/852312157709795348/zumx[.]jpg	cd1acbd3f8d40f59b6e45601863bbd6950a3ce0d60a5c291c3a303a11f505abb
DBCC4FE10CBBEDAB8CEA74C2BE3956E9AE3BFD7F180C8ABE5EC62AB7675F5DDD	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/863917896744697868/863919114955390976/pro[.]jpg	Forbidden
E2927074C551BB188B4C33BED9ADDC70C25DD3BB9A0F702874A6AE44039A3532	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/858827162500595715/858827757320404992/ukkni[.]jpg	Forbidden
E5E247EC942E77762120486C7C5B3DD2F4C600F9CA70037DDF4E5D99D5126806	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/862048781591904299/862050935912398878/shedy[.]jpg	Forbidden
EB171136FC6278864DD32189DA39106FE93B9CE615E3A72311C2A32C583E1738	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/857367161357860885/858821743116025866/pro[.]jpg	Forbidden
ECCD3CC4B22869B3059427CA08A773926E078E31996DE9C1DEEB71160D04CEE4	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/877304277800992781/877307941764616262/dum[.]jpg	ebe51ebdb52ebfcd45c9b90d15f9d2142586194d6ce818640a799bf8bb1e5480
EE2C1AAA130A75F5C882A2D3F1DB2EED38C6A67EFEB8A2104CBA07C1FA0F02B7	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/857367161357860885/857369410172223538/pro[.]jpg	Forbidden
F611BA47D87C22DDA81B81909D4EAB3A4C2CF51E495459C262DD3B51E42B11A2	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/852272720120119330/852304158995513374/2ukl[.]jpg	Forbidden
FD01045F31EF0FECADCFF000EF64A9CAE53DC8CA6CAA6D109C233C6F2D8C2B14	RTF/CVE-2017-11882.S.gen!Camelot	hxxps://cdn[.]discordapp[.]com/attachments/861746472729706530/861749286299762708/pro[.]jpg	Forbidden

You might also like

Malware Detection: Protecting Against Ever-Evolving Threats

Supercharging Your Enterprise Malware Detection Organizational users rely on multiple tools and products to improve their productivity and collaboration. These enterprise tools allow companies to share a large number of files such as PDFs, documents, spreadsheets, and...

LinkedIn Phish Kit

Scam Warning Back in January, LinkedIn posted a warning about connection requests from individuals impersonating employees of a legitimate organization. These requests come from newly created accounts. If someone accepts the request, the attackers will have more...