End-of-Year PTO: Days Off and Data Exfiltration with Formbook

By: Adam Martin and Nathaniel Sagibanda

The holiday season is a time of joy and relaxation, but it often brings an influx of corporate emails ranging from leave approvals to scheduling paid time off. The Cofense Phishing Defense Center (PDC) has recently intercepted a malicious phishing email masquerading as a legitimate end-of-year leave approval notice. Disguised as a formal HR communication, this email leverages the urgency and importance of year-end leave scheduling in order to trick the recipients into clicking a malicious link. This enables the threat actor to steal sensitive information via FormBook malware.

Figure 1: The contents of the phishing email disguised as an HR notice

As shown in Figure 1, the phishing email had the subject line “Mandatory Leave Notice for all employees” to mimic HR communications with professional language and seasonal relevance. The body claimed the recipient’s leave has been “approved”, included a link (“December 2024 Leave/Vacation Approval Lists, Dates and Duration”) to view the approved dates, and prompted users to get more details by logging into the “Central HR Management System”. While it is a well-crafted email, a few red flags are apparent when taking a closer look. The email was flagged as an EXTERNAL SENDER which is a clear indication that the email did not originate within the company. This is because the sender’s email address did not match the organization’s domain. Upon hovering over the link (as shown in Figure 2), a SendGrid-wrapped URL is revealed, which redirects to a malicious domain hosting malware. Clicking on the wrapped link further redirects to a Discordapp URL (Figure 3), where the malware is hosted and subsequently downloaded.

Figure 2: The embedded malicious link

 Figure 3: Redirected to discordapp URL to download the attachment

Technical Analysis: Static Attributes 

VT Tags from AV Vendors 

Figure 4: VirusTotal detections and file hash for the malware sample

Various antivirus vendor detections for this sample note that it is either a generic AutoIt injector or a FormBook sample. Below is a sample of vendor tags assigned to specific malware family’s composition / attributes. 

• A Variant Of Win32/Injector.Autoit.GQO
• Trojan.Injector.AutoIt
• Trojan:Win32/AutoitInject.HNA!MTB
• Trojan.Win32.FORMBOOK.YXEKUZ

Initial Download 

Once the malicious link is accessed by the victim, a .zip file will be downloaded to the default downloads directory. As shown in Figure 5, a potential victim may think that the .zip file contains a .xls related to a notice for employee PTO for the Christmas Period.

Figure 5: .zip file downloaded to default download directory

However, Figure 6 shows that the .zip file contains an executable file.

Figure 6: When extracted, the .zip file contains an executable file payload

File Identification 

The first step in the analysis of externally downloaded files is identifying the file type. This identification process is pivotal because malicious downloads often claim to be a different file type than they are (i.e. a fake PDF file that is actually an executable). As illustrated below in Figure 7, our mandatory leave notice is an AutoIt compiled executable. AutoIt, like many other legitimate software development and scripting tools, has been used as a method to perform malicious actions by embedding scripts within an otherwise useful framework. In this case, the sample uses AutoIt as a parent process to inject a script into a target process, in this case, Utilman.exe. The final injection target process is then used to run FormBook in memory.

Figure 7: The sample is an AutoIt compiled executable

Import Table

When analyzing the libraries imported by the malware in Figure 8, there is an indication that there will be network traffic with API calls like InternetReadFile and InternetOpenW which is to be expected as FormBook/Xloader uses HTTP for C2 interaction.  

Figure 8: Network API calls imported by the sample

Additionally, various device hooking and input-output monitoring calls such as GetKeyboardLayout, VkKeyScanW, and SetCapture (Figure 9) are imported, indicating that MITRE Technique T1056 (Input Capture) is utilized here. 

Figure 9: Various imported API calls for device hooking and input-output monitoring

Debugger check

The IsDeguggerPresent API call is a staple of anti-analysis techniques, and Formbook is no exception to the rule in using it to prevent analysis. 

• If a debugger is detected after the IsDebuggerPresent call (eax is not 0), the execution jumps to 0x00471CC1.
• This path displays a message boxwith the following details:
  • Caption: Derived from byte_4B28F4
  • Message: "This is a third-party compiled AutoIt script."
  • This serves to obfuscate the malware’s true intent by masquerading as a benign script and preventing analysts from being able to further analyze the sample without disabling the debugger check.
• After showing the message box, the program jumps to 0x004B28F4, where it cleans up and exits.
• If no debugger is detected (eax is 0), execution continues without displaying the message box.

This mechanism disrupts debugging efforts and attempts to prevent the malware from being analyzed. 

Figure 10: The debugger detection function used by the malware to impede analysis

Figure 11: If the malware detects a debugger, it will display a deceptive message and end without running any further payloads

Technical Analysis: Dynamic Actions 

When the FormBook binary is executed, it begins by performing initial reconnaissance and setup tasks, such as unpacking itself, evading detection, and identifying targets for injection. It’ll use explorer.exe to select its desired infection process (in this case svchost.exe), then spawn svchost.exe by leveraging Windows API calls, and finally inject part of its malicious code into it. This step uses svchost.exe as an intermediate or "staging" process because it is a trusted Windows service and unlikely to ring any alarms. This can be seen below in a suspended state. 

Figure 12:  The sample uses svchost.exe as an intermediate process to inject a malicious payload to

• Formbook then spawns UtilMan.exe (or injects code into an already running instance).
• The final stage payload is transferred into UtilMan.exe, which now acts as the primary host for the malicious activity.

Malicious Activity Resides in UtilMan.exe

• All core malicious actions, such as credential harvesting, keylogging, and data exfiltration, are executed from within UtilMan.exe.
• This process inherits the legitimacy of a system process, making it harder for security software to detect.

Utilman.exe strings extracted from memory show Formbook collecting system passwords for later data exfiltration. 

Figure 13 strings extracted from Utilman.exe

Mitre Tactics Employed

Conclusion

This end-of-year-themed phishing email highlights how cybercriminals exploit trust, urgency, and seasonal relevance to infiltrate organizations. While the email appeared legitimate, scrutiny of external sender warnings, suspicious links, and generic formatting exposed its malicious intent. In this case, the attackers intended to deploy Formbook, a dangerous information stealer capable of harvesting credentials, logging keystrokes, and exfiltrating sensitive data. Such malware thrives on unsuspecting victims clicking malicious links or downloading compromised files.

To protect yourself and your organization, it is important to teach employees these best practices:
- Verify email sources: ensure sender domains match official channels. 
- Inspect links before clicking: hover over hyperlinks to confirm legitimacy. 
- Be wary of urgent requests: pause and evaluate emails pushing immediate access.

Conducting regular training to recognize phishing attempts and malware threats like Formbook ensures a secure and worry-free season.

IOCs