Security researchers at Fortinet’s FortiGuard Labs have uncovered a sophisticated phishing campaign that uses weaponized Microsoft Word documents to deliver information-stealing malware to unsuspecting Windows users.
The attack exploits a well-known vulnerability to deploy FormBook, a dangerous malware variant designed to harvest sensitive user credentials and data.
The campaign begins with seemingly innocent emails disguised as sales orders, urging recipients to open attached Word documents.

Exploited 17-year-old vulnerability
Upon opening these documents, users unwittingly trigger an exploit targeting the CVE-2017-11882 vulnerability, a 17-year-old security flaw in Microsoft Office’s Equation Editor component.
“This vulnerability allows attackers to execute remote code on a vulnerable machine even without user interaction after a malicious document is opened,” explained security researchers at Trend Micro in their analysis of similar attacks.
According to FortiGuard Labs’ investigation, the attack process is highly sophisticated. When the malicious Word document is opened, it immediately extracts a disguised DLL file into the system’s temporary folder while simultaneously exploiting the Equation Editor vulnerability to execute the extracted file.

The malware then establishes persistence on the victim’s system by adding an auto-run registry entry and downloads an encrypted payload disguised as a PNG image file.
Using advanced process hollowing techniques, it injects the FormBook malware into legitimate Windows processes to evade detection.
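The chain described above (Equation Editor exploitation, a dropped DLL run from the temp folder, a Run-key persistence entry) maps onto a few simple endpoint detections. The following Python script is an added example, not code from Fortinet's report: it runs those checks over constructed Sysmon-style events. The process name EQNEDT32.EXE is assumed as the Equation Editor binary; all paths, event fields and registry values are invented for the example.

```python
import re

# Constructed Sysmon-style events (simplified fields). Invented for this
# example; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"id": 2, "type": "process",
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\dropped.dll",Run'},
    {"id": 3, "type": "registry",
     "image": r"C:\Windows\System32\rundll32.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Local\Temp\dropped.dll"},
    {"id": 4, "type": "process",  # benign: Word started from the desktop
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

EQNEDT = "eqnedt32.exe"  # assumed Equation Editor process name
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", EQNEDT}
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (event id, rule name) pairs for events matching the chain."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent = basename(ev.get("parent", ""))
            # Equation Editor has no legitimate reason to spawn child processes.
            if parent == EQNEDT:
                findings.append((ev["id"], "eqnedt32_spawned_child"))
            # An Office component launching something from the user's temp folder.
            if parent in OFFICE_APPS and TEMP_PATH.search(ev.get("cmdline", "")):
                findings.append((ev["id"], "office_child_runs_temp_file"))
        elif ev["type"] == "registry":
            # Run-key persistence whose target lives in the temp folder.
            if RUN_KEY.search(ev["key"]) and TEMP_PATH.search(ev.get("data", "")):
                findings.append((ev["id"], "run_key_points_to_temp"))
    return findings


if __name__ == "__main__":
    for eid, rule in analyze(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```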
FormBook is particularly dangerous as it steals sensitive data from compromised systems, including stored credentials from popular software, keystrokes, screenshots, and clipboard data. This gives attackers comprehensive access to victims’ digital lives and accounts.
This campaign represents part of a growing trend. Researchers have identified multiple threat actors actively weaponizing Microsoft Office documents to steal credentials.
In January 2018, Rhino Labs discovered attackers using Microsoft Word’s subDoc feature to steal Windows NTLM password hashes, enabling them to crack passwords and gain unauthorized network access.
Security experts have recently uncovered “CarnavalHeist,” another malware variant targeting users through weaponized Word documents.
According to Cisco Talos researchers, this malware specifically targets Brazilians, using Portuguese-language phishing lures to trick users into opening malicious attachments.
Even more concerning, in March 2025, researchers identified a zero-day vulnerability affecting all major Windows versions that allows hackers to steal passwords without any user interaction beyond simply viewing a malicious file in Windows Explorer.
Fortinet notes that its customers are protected through multiple security layers, including anti-spam, web filtering, intrusion prevention, and antivirus services. The company’s security solutions can detect malicious Word documents and the FormBook payload.
To protect themselves, users should exercise caution with email attachments, keep software updated with security patches, and implement multi-layered security solutions that can detect and block such threats before they compromise systems and steal valuable credentials.