A cybercrime campaign recently uncovered by Fortinet’s FortiGuard Labs demonstrates that weaponized Microsoft Word documents remain a formidable tool for attackers targeting Windows users’ credentials.
The observed operation delivers a new variant of the FormBook malware through a multistage attack chain that leverages the long-standing CVE-2017-11882 vulnerability within Microsoft Equation Editor.
This technical approach enables adversaries to deploy fileless malware, maintain persistence, and execute sophisticated process injection techniques while exfiltrating sensitive data from compromised endpoints.
Phishing Email and Exploit Overview
The campaign begins with a targeted phishing email that impersonates a sales order and coerces recipients into opening a malicious Word document attachment, order0087.docx.

The document utilizes the Office Open XML (OOXML) format and is delivered as a ZIP archive.
When opened, the document’s XML instructs Microsoft Word to automatically fetch and parse an external, obfuscated RTF file named “Algeria.rtf.”
Within this file, two binary objects are embedded: a 64-bit DLL (“AdobeID.pdf”) and an OLE object containing specially crafted equation data designed to exploit CVE-2017-11882.
Once the RTF is processed, the exploit triggers a remote code execution vector in EQNEDT32.EXE via a buffer overflow and hijacked return address, causing the Windows API WinExec() to execute the DLL with malicious parameters.
This DLL thus acts as a loader, executing under rundll32.exe and establishing persistence by writing an auto-run registry key under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Payload Delivery and Fileless Execution
The initial DLL establishes a foothold by copying itself into a covert “Templates” directory under AppData\Roaming, further ensuring execution at startup.
It then retrieves the next payload, a FormBook executable disguised as a PNG image, from a hardcoded external URL using the Windows HTTP APIs.
The downloaded file is not a genuine image but rather an encrypted binary. Decryption is performed in-memory using a key derived from a hardcoded string (“H1OX2WsqMLPKvGkQ”), representing a classic fileless approach that leaves minimal forensic traces on disk.
To maximize stealth, this FormBook variant injects itself into a legitimate Windows process, ImagingDevices.exe (from Windows Photo Viewer), through process hollowing.

The malware employs native Windows APIs such as NtCreateSection and NtMapViewOfSection to map the decrypted binary into the address space of a newly spawned, suspended process.
It manipulates the thread’s CPU register context, specifically targeting EAX and EBX, to redirect execution to the malware entry point upon resumption.
Once operational, FormBook’s capabilities include exfiltrating stored credentials, capturing keystrokes, taking screenshots, and siphoning clipboard data, all of which are sent to external command-and-control servers.
According to the report, the malware variant employs anti-analysis strategies, leveraging selective register modification and advanced injection techniques to evade security monitoring and bypass endpoint detection.
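As an added illustration, not code from the FortiGuard report, the chain described above can be expressed as host-telemetry detections: Equation Editor spawning a child process, rundll32 loading a module that is not a .dll from the Roaming\Templates directory, the Run-key write, and ImagingDevices.exe being spawned by rundll32. The sample events, their field names, PIDs, user name, export name and Run value name are constructed assumptions, not values from the report.

```python
import ntpath
import re
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TEMPLATES_DIR = "\\appdata\\roaming\\templates\\"   # covert directory named in the report
# Constructed sample telemetry (Sysmon-like: id 1 = process create, id 13 = registry set).
# Field names, PIDs, user name, export name and Run value name are assumptions, not from the report.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n order0087.docx"},
    {"id": 1, "pid": 4212, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "EQNEDT32.EXE -Embedding"},
    {"id": 1, "pid": 4300, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r"rundll32.exe C:\Users\user\AppData\Roaming\Templates\AdobeID.pdf,Export"},
    {"id": 13, "pid": 4300, "image": r"C:\Windows\System32\rundll32.exe",
     "target": RUN_KEY + r"\PLACEHOLDER_VALUE",
     "details": r"rundll32.exe C:\Users\user\AppData\Roaming\Templates\AdobeID.pdf,Export"},
    {"id": 1, "pid": 4400, "image": r"C:\Windows\System32\ImagingDevices.exe",
     "parent": r"C:\Windows\System32\rundll32.exe", "cmdline": "ImagingDevices.exe"},
]

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def detect(events):
    """Return (rule, pid) pairs for events matching the chain described above."""
    alerts = []
    for ev in events:
        img = _base(ev.get("image", ""))
        if ev["id"] == 1:
            parent, cmd = _base(ev.get("parent", "")), ev.get("cmdline", "")
            # Equation Editor is a COM server launched by DCOM; it should never spawn children.
            if parent == "eqnedt32.exe":
                alerts.append(("eqnedt32_child_process", ev["pid"]))
            if img == "rundll32.exe":
                # Module path handed to rundll32 that does not end in .dll (here a fake .pdf).
                m = re.search(r'rundll32\.exe\s+"?([^",]+)', cmd, re.I)
                if m and not m.group(1).lower().endswith(".dll"):
                    alerts.append(("rundll32_non_dll_module", ev["pid"]))
                if TEMPLATES_DIR in cmd.lower():
                    alerts.append(("module_in_roaming_templates", ev["pid"]))
            # ImagingDevices.exe is user-launched; a rundll32 parent marks the hollowing target.
            if img == "imagingdevices.exe" and parent == "rundll32.exe":
                alerts.append(("imagingdevices_spawned_by_rundll32", ev["pid"]))
        elif ev["id"] == 13 and ev.get("target", "").upper().startswith(RUN_KEY.upper()):
            # Run-key write performed by rundll32, or whose value points into the Templates directory.
            if img == "rundll32.exe" or TEMPLATES_DIR in ev.get("details", "").lower():
                alerts.append(("run_key_persistence", ev["pid"]))
    return alerts
```

Each rule fires on one stage of the chain, so a single host producing several of them in close succession is a strong signal even where the individual artifacts (hashes, URL) have changed.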
Fortinet confirms that customers using up-to-date FortiGuard security services are protected: the malicious URL is blocked, phishing signatures are in place, and antivirus detection covers all relevant artifacts (Word document, RTF, DLL, and decrypted payload).
However, the campaign highlights the ongoing risk posed by unpatched legacy vulnerabilities, and the report urges organizations to promote user security awareness, keep software patched, and maintain defense-in-depth strategies to counter such fileless threats.
Indicators of Compromise (IOC)
| Indicator Type | Value |
|---|---|
| Malicious URL | hxxps://www2[.]0zz0[.]com/2025/02/02/10/709869215.png |
| SHA-256 (order0087.docx) | 93CF566C0997D5DCD1129384420E4CE59764BD86FDABAAA8B74CAF5318BA9184 |
| SHA-256 (Algeria.rtf) | 7C66E3156BBE88EC56294CD2CA15416DD2B18432DEEDC024116EA8FBB226D23B |
| SHA-256 (AdobeID.pdf DLL) | 2E73B32D2180FD06F5142F68E741DA1CFF1C5E96387CEBD489AD78DE18840A56 |
| SHA-256 (Decrypted FormBook) | 6AC778712DFFCE48B51850AC34A846DA357BE07328B00D0B629EC9B2F1C37ECE |