Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Control and Collect Sensitive Information from a Victim’s Device
Severity level: Critical
FortiGuard Labs recently observed a high-severity phishing campaign targeting users of older Microsoft Office versions through malicious email attachments. The emails deliver an Excel file designed to exploit CVE-2017-0199, a known flaw in the OLE (Object Linking and Embedding) functionality of those older Office versions. The malware spread in this campaign is FormBook, an information stealer known for capturing sensitive data, including login credentials, keystrokes, and clipboard contents. When the malicious Excel file is opened, a chain of operations runs that ultimately executes the FormBook payload.
The phishing campaign starts with an email disguised as a sales order urging the recipient to open an attached Excel document. As shown in Figure 1, FortiMail has flagged the email as “[virus detected]” in the Subject line to warn the recipient.
Figure 1: Example of the Phishing Email
CVE-2017-0199 is a logic vulnerability found in older versions of Microsoft Office (Office 2007/2010/2013/2016). When a user opens an Office document that targets this vulnerability, the application sends an HTTP request to a remote server to retrieve a malicious HTA file. It then uses COM objects to look up the handler registered for application/hta content, which causes the Microsoft HTML Application host (mshta.exe) to load and execute the malicious script.
Figure 2 shows how CVE-2017-0199 works:
Figure 2: Demo for CVE-2017-0199
We opened the Office document from the email attachment with an archive (compression) program, which let us view the OLE object content directly, as shown in Figure 3. Had we opened the document in a vulnerable version of Office, it would have triggered CVE-2017-0199 and caused the linked content to be downloaded and executed.
As Figure 3 shows, this is a very long URL. When a URL is resolved, however, everything between the scheme and the '@' symbol is the userinfo component, which the client ignores when choosing the host to connect to. Skipping that portion gives the actual destination: hxxps[:]//agr[.]my/P6bJNr
Figure 3: Content of OLE Object
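The triage step described above (pulling the OLE link out of the document container and reading the host after the '@') can be scripted. The following is an added example, not FortiGuard's tooling, and it assumes an OOXML-style ZIP container; the link and both host names in it are constructed placeholders with the same shape as the one in Figure 3, not the campaign's infrastructure.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Constructed sample link with the same shape as the one in Figure 3: a long,
# trustworthy-looking decoy before the '@', the real destination after it.
# Both hosts are placeholders, not the campaign's infrastructure.
DECOY_LINK = "https://sales-portal.example.com:order-2025-04@decoy.example/P6bJNr"


def build_sample_container() -> bytes:
    """Build an in-memory OOXML-style ZIP with one embedded OLE part (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        # Real OLE parts are binary; the link is stored here as UTF-16LE, the
        # encoding Windows link structures commonly use, surrounded by filler.
        zf.writestr("xl/embeddings/oleObject1.bin",
                    b"\x00" * 32 + DECOY_LINK.encode("utf-16-le") + b"\x00" * 8)
    return buf.getvalue()


# One pattern for plain ASCII URLs, one for the same URL written as UTF-16LE.
URL_ASCII = re.compile(rb"https?://[^\s\x00\"'<>]+")
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[^\x00\s\"'<>]\x00)+")


def extract_links(container: bytes) -> list:
    """Pull every http(s) URL, ASCII or UTF-16LE, out of every part of the container."""
    found = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            found += [m.group().decode("ascii", "replace") for m in URL_ASCII.finditer(data)]
            found += [m.group().decode("utf-16-le") for m in URL_UTF16.finditer(data)]
    return found


def effective_host(url: str) -> str:
    """Host a client actually connects to: the authority after its last '@'.

    Everything between '://' and that '@' is the userinfo component, which HTTP
    clients do not use to choose the server, so it can carry any decoy text.
    """
    return urlsplit(url).hostname or ""


def has_userinfo(url: str) -> bool:
    """True when the authority carries a userinfo part, a common decoy trick."""
    return "@" in urlsplit(url).netloc


def triage(container: bytes) -> list:
    """One record per link: raw URL, the host it really resolves to, and a decoy flag."""
    return [{"url": u, "host": effective_host(u), "decoy_userinfo": has_userinfo(u)}
            for u in extract_links(container)]


if __name__ == "__main__":
    for rec in triage(build_sample_container()):
        print(rec)
```

Running it on the constructed container reports the decoy URL with `host` set to the part after the '@' and `decoy_userinfo` set to `True`; the same `triage` function can be pointed at a real container by replacing `build_sample_container()` with the file's bytes.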
Figure 4: 302 Redirect to the Actual URL
Figure 4 shows what happens when the shortened URL is accessed: the server answers with a 302 redirect to the actual destination address.
If you would like to learn about this vulnerability in greater depth, this article provides a more thorough analysis: An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability
CVE-2017-0199 dates back eight years, and official patches have long been available. Nevertheless, the familiar obstacles to vulnerability management and remediation (outdated software, overburdened IT teams, organizational negligence, or a lack of technical skill) mean that organizations that fail to update their systems promptly, apply patches inconsistently, or implement security measures carelessly remain susceptible to exploitation of this vulnerability.
We can see that the downloaded script is an HTA file (Figure 5), whose main execution logic is a segment of base64-encoded content.
Figure 5: Base64-Encoded Payload on the Malicious HTA File
After decoding the base64 content, we found that its core functionality is to download a new file, save it in the %APPDATA% directory, and then execute it (Figure 6).
Figure 6: Base64 Decoded Payload
By analyzing the sections of the obtained sample, we observed that its .rsrc section contains an unformatted resource data entry named “SCRIPT,” as shown in Figure 7. Its content begins with the byte sequence “A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D”, which is characteristic of executables generated by Aut2Exe from AutoIt scripts.
Figure 7: Magic Number of the aut2exe File
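A quick static check for this marker is often the first thing an analyst scripts when a sample like sihost.exe lands. The block below is an added example, not FortiGuard's code; the marker bytes are the ones quoted above, the stub string is the one the write-up reports in Figure 9, and the sample buffer is a constructed stand-in rather than the real file.

```python
# Marker bytes quoted in the write-up (Figure 7) at the start of the compiled
# script resource that Aut2Exe embeds, plus the stub's own message from Figure 9.
AUT2EXE_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AUTOIT_STUB_MSG = b"This is a third-party compiled AutoIt script."


def find_marker(data: bytes, marker: bytes) -> list:
    """Every offset at which `marker` occurs in `data` (overlaps included)."""
    offsets, start = [], 0
    while (i := data.find(marker, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def triage_autoit(data: bytes) -> dict:
    """Cheap static verdict: is this a PE that carries an Aut2Exe-compiled script?"""
    script_hits = find_marker(data, AUT2EXE_MAGIC)
    is_pe = data[:2] == b"MZ"
    return {
        "is_pe": is_pe,
        "script_offsets": script_hits,
        "has_stub_string": AUTOIT_STUB_MSG in data,
        "compiled_autoit": is_pe and bool(script_hits),
    }


def constructed_sample() -> bytes:
    """Fake PE-like blob laid out like the sample in Figure 7 (constructed, not the real file)."""
    return (b"MZ" + b"\x90" * 62             # DOS header stand-in
            + AUTOIT_STUB_MSG + b"\x00" * 16   # string table stand-in
            + AUT2EXE_MAGIC + b"\xAB" * 32)    # "SCRIPT" resource stand-in


if __name__ == "__main__":
    print(triage_autoit(constructed_sample()))
```

On a real file, read it in binary mode and pass the bytes to `triage_autoit`; a hit does not by itself mean malice (plenty of legitimate tools are compiled AutoIt), but combined with the delivery chain above it is a strong pivot for further analysis.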
Using a debugger for dynamic analysis, we examined how the sample decrypts the content of the SCRIPT resource and executes the payload, as shown in Figure 8.
Figure 8: Sample Attempting to Read a Resource Named "SCRIPT" from its .rsrc Section
After initially reading and verifying the "SCRIPT" resource, the sample calls the IsDebuggerPresent API as an anti-debugging measure, as shown in Figure 9. If it detects that it is being debugged, it only outputs "This is a third-party compiled AutoIt script."
Figure 9: Anti-Debugging by IsDebuggerPresent
Afterwards, the sample reads the "SCRIPT" resource again and decrypts its contents, as shown in Figure 10.
Figure 10: Decrypt Script During Runtime
After thorough analysis, we discovered that the script decodes the encoded content using 0x1Em and extracts a file called “springmaker” from itself to the %TEMP% directory. It then calls CallWindowProc to run the decoded content, as shown in Figure 11.
Figure 11: Decrypted AutoIt Script
By examining the content of the “springmaker” file and decompiling the code that CallWindowProc executes, we found that the “springmaker” file is XORed with the string “3NQXSHDTVT2DPK06”, as shown in Figure 12. Applying the same XOR operation with that string restores the original file.
Figure 12: Decoding springmaker
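The restoration step is a repeating-key XOR, which is its own inverse, so the same routine that the script uses to decode also recovers the payload for analysis. The following is an added example, not FortiGuard's code: the key is the one quoted above, while the encoded bytes are a constructed stand-in (a standard 16-byte DOS-header prefix XORed with that key), not bytes from the real “springmaker” file. It also shows the known-plaintext check an analyst uses to confirm such a key independently of the script: a PE always starts with “MZ”, so XORing the first two encoded bytes with “MZ” must yield the first two key bytes.

```python
# XOR key quoted in the write-up (Figure 12). ENCODED_SAMPLE is constructed:
# the first 16 bytes of a typical DOS header XORed with KEY, not the real file.
KEY = b"3NQXSHDTVT2DPK06"
ENCODED_SAMPLE = bytes.fromhex("7E14C1585048445452543244AFB43036")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated as often as needed; applying it twice is a no-op."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Minimal sanity check on a decoded blob: a PE image starts with the 'MZ' stub."""
    return data[:2] == b"MZ"


def decode_springmaker(blob: bytes, key: bytes = KEY) -> bytes:
    """Undo the XOR layer and refuse to hand back anything that is not a PE image."""
    plain = xor_repeating(blob, key)
    if not looks_like_pe(plain):
        raise ValueError("decoded data does not start with MZ; wrong key?")
    return plain


def recover_key_prefix(blob: bytes, known_plain: bytes) -> bytes:
    """Known-plaintext check: XOR the leading encoded bytes with what they must decode to.

    For a PE the first two plaintext bytes are b"MZ", so this returns the first
    two key bytes; matching them against the key pulled from the script confirms it.
    """
    return bytes(c ^ p for c, p in zip(blob, known_plain))


if __name__ == "__main__":
    print("key prefix from MZ:", recover_key_prefix(ENCODED_SAMPLE, b"MZ"))
    print("decoded header:", decode_springmaker(ENCODED_SAMPLE).hex())
```

For a real sample, replace `ENCODED_SAMPLE` with the bytes of the extracted file; the `looks_like_pe` guard turns a wrong or mistyped key into an immediate error instead of a silently corrupted output.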
Figure 13: FormBook
At this point, we have finally obtained the core payload, which is the FormBook malware, as shown in Figure 13.
If you would like to learn more about FormBook, here is a recent analysis: Infostealer Malware FormBook Spread via Phishing Campaign – Part II
This is a serious phishing campaign targeting Windows users. The attackers send emails with malicious Excel attachments that exploit CVE-2017-0199 to deploy the FormBook malware. The chain runs as follows: the phishing email delivers the malicious Excel file; opening it triggers CVE-2017-0199, which downloads and executes a malicious HTA file; the HTA file downloads and executes "sihost.exe," which in turn extracts "springmaker"; finally, the "springmaker" file is decoded into the FormBook malware. The entire process is shown in Figure 14. This attack aims to take control of victims' devices and steal sensitive information, posing a significant threat.
Figure 14: Workflow
Fortinet customers are already protected from this campaign with FortiGuard’s AntiSPAM, Web Filtering, IPS, and AntiVirus services as follows:
The relevant URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.
FortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing provided by FortiSandbox, embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions, provides advanced protection against both known and unknown phishing attempts.
FortiGuard IPS service detects the vulnerability exploit against CVE-2017-0199 with the signature “MS.Office.OLE.autolink.Code.Execution”.
FortiGuard Antivirus service detects the malicious Excel document, the HTA file, the malicious sihost.exe file, and the decrypted FormBook with the following AV signatures:
MSExcel/CVE_2017_0199.G1!exploit
VBS/Obfuscated.AO!tr
AutoIt/Injector.GKX!tr
W32/Formbook.AA!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each solution. As a result, customers who have these products with up-to-date protections are already protected.
To stay informed of new and emerging threats, you can sign up to receive future alerts.
We also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
hxxp[:]//172[.]245[.]123[.]32/xampp/hh/wef[.]hta
hxxp[:]//172[.]245[.]123[.]32/199/sihost[.]exe
[AprilSAO2025.xls]
33A1696D69874AD86501F739A0186F0E4C0301B5A45D73DA903F91539C0DB427
[wef.hta]
2BFBF6792CA46219259424EFBBBEE09DDBE6AE8FD9426C50AA0326A530AC5B14
[siHOST.exe]
7E16ED31277C31C0370B391A1FC73F77D7F0CD13CC3BAB0EAA9E2F303B6019AF
[springmaker]
A619B1057BCCB69C4D00366F62EBD6E969935CCA65FA40FDBFE1B95E36BA605D
[FormBook / Decrypted springmaker]
3843F96588773E2E463A4DA492C875B3241A4842D0C087A19C948E2BE0898364