Rewterz

Hackers Weaponize Word Documents Using 17-Year-Old Vulnerability – Active IOCs

Severity

High

Analysis Summary

Security researchers have uncovered a sophisticated phishing campaign that uses weaponized Microsoft Word documents to deploy FormBook, a dangerous information-stealing malware. These malicious emails are disguised as sales orders and include attachments that exploit CVE-2017-11882, a 17-year-old vulnerability in Microsoft Office’s Equation Editor.

According to the researchers, once opened, the infected documents execute remote code without any user interaction, enabling the seamless deployment of the malware. Although the vulnerability is old, it remains a potent tool for threat actors because of its widespread presence on unpatched systems.

Upon execution, the malicious document extracts a disguised 64-bit DLL file into the system’s temporary folder. Exploiting the Equation Editor flaw, it then runs the DLL, establishes persistence by modifying an auto-run registry key, and downloads an encrypted payload masked as a PNG image. The malware uses process hollowing to inject itself into legitimate Windows processes, evading traditional signature-based detection. This technique lets FormBook remain undetected while performing its malicious activities in the background.
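The chain above (Equation Editor launched from Word, a DLL dropped into the temp folder, a Run-key write, and a download from the indicator domain) maps directly onto endpoint telemetry. The following is an added detection example, not code from the advisory or its source researchers: it runs a few rules over constructed, simplified Sysmon-style events. The event field names are a hypothetical shape for illustration; EQNEDT32.EXE is the Equation Editor binary, and the domain and URL come from the indicator list below.

```python
import re
from typing import Optional

# Network indicators taken from the advisory's IOC list.
IOC_DOMAINS = {"www2.0zz0.com"}
IOC_URLS = {"https://www2.0zz0.com/2025/02/02/10/709869215.png"}

OFFICE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.I)
EQNEDT = re.compile(r"\\EQNEDT32\.EXE$", re.I)                  # Equation Editor binary
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.dll$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one simplified Sysmon-like event, or None if benign."""
    kind, image, parent = event["type"], event.get("image", ""), event.get("parent", "")
    from_office = bool(OFFICE.search(image) or EQNEDT.search(image))
    if kind == "process_create" and EQNEDT.search(image) and OFFICE.search(parent):
        return "equation_editor_spawned_by_office"       # classic CVE-2017-11882 trigger
    if kind == "process_create" and EQNEDT.search(parent):
        return "child_of_equation_editor"                # Equation Editor should not spawn children
    if kind == "file_create" and from_office and TEMP_DLL.search(event["target"]):
        return "office_dropped_dll_in_temp"
    if kind == "registry_set" and from_office and RUN_KEY.search(event["target"]):
        return "office_run_key_persistence"
    if kind == "network" and (event.get("dest_host") in IOC_DOMAINS or event.get("url") in IOC_URLS):
        return "ioc_network_contact"
    return None


def detect(events) -> list:
    """Apply classify() to each event and collect the non-empty findings in order."""
    return [label for e in events if (label := classify(e))]


# Constructed sample telemetry mirroring the infection chain; paths and names are made up.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": EQN, "parent": WORD},
    {"type": "file_create", "image": WORD, "target": r"C:\Users\alice\AppData\Local\Temp\dll64.dll"},
    {"type": "registry_set", "image": EQN, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Loader"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe", "dest_host": "www2.0zz0.com",
     "url": "https://www2.0zz0.com/2025/02/02/10/709869215.png"},
    {"type": "file_create", "image": WORD, "target": r"C:\Users\alice\AppData\Local\Temp\~WRS0001.tmp"},  # benign
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The benign Word temp file in the last event produces no finding, which is the noise case a real rule set must tolerate.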

FormBook itself is a highly effective data thief, capable of extracting stored credentials from popular software, logging keystrokes, capturing screenshots, and collecting clipboard data. This extensive data harvesting gives attackers full access to the victim's digital footprint and can lead to significant breaches of privacy and security. The use of Microsoft Office documents as an attack vector is part of a broader trend, with multiple campaigns identified over recent years, such as the use of Word’s subDoc feature to extract NTLM hashes and a newer malware variant named “CarnavalHeist” targeting Brazilian users through Portuguese-language phishing lures.

To stay protected, users are advised to remain vigilant against unexpected email attachments, especially Word documents, and to keep all software up to date with the latest security patches. A multi-layered security strategy, including anti-spam, web filtering, intrusion prevention, and antivirus, can significantly reduce the risk of compromise. The researchers state that their customers benefit from these protections, which can detect both the malicious documents and the embedded FormBook payload.

Impact

  • Sensitive Information Theft
  • Code Execution
  • Unauthorized Access

Indicators of Compromise

CVE

  • CVE-2017-11882

Domain Name

  • www2.0zz0.com

URL

  • https://www2.0zz0.com/2025/02/02/10/709869215.png

Affected Vendors

  • Microsoft

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Regularly apply security patches to Microsoft Office and Windows systems, especially to address known vulnerabilities like CVE-2017-11882.
  • Avoid opening unexpected or suspicious email attachments, particularly Microsoft Word documents from unknown sources.
  • Use a combination of anti-spam, web filtering, intrusion prevention systems (IPS), and antivirus software to detect and block malicious files.
  • Use endpoint detection and response (EDR) tools to monitor unusual behaviors like process hollowing or DLL injection.
  • If not required, disable or remove the Microsoft Equation Editor to reduce the attack surface.
  • Perform vulnerability scans and threat assessments to identify and remediate potential security gaps.
  • Use email gateways with sandboxing capabilities to analyze attachments before they reach users’ inboxes.
  • Conduct training to help employees recognize phishing attempts and social engineering tactics.
  • Restrict user permissions to limit the impact of malware if a system is compromised.
  • Keep detailed logs of system activity and monitor for signs of exploitation or data exfiltration.