VERY IMPORTANT

FortiGuard Labs captured a phishing campaign that was sending a Microsoft PowerPoint document as an email attachment to spread the new variant of the FormBook malware. This blog is part of a two part series. In the first part Fortiguard demonstrates all all their findings, including but not limited to how the malicious VBA code is executed in the PowerPoint file; how the FormBook payload file is downloaded by the PowerPoint file; as well as how the FormBook main file (module) is finally extracted from a .Net module. The second part of the series will look at what the FormBook malware does once loaded, and in particular, the new functions and features in this latest variant.