Analysing Formbook Malware
I was recently alerted to an email containing an attachment named 3D PICTURE DRAWING DESIGN.pdf (SHA-256: 6657978de693874ef0b1d7491ff7ecc4066631d88b1481b19d9913d56356fd81). When opened, the PDF tries to trick the user into clicking an embedded link that leads to hxxps://filebin.net/v84mk8ucvp2m702e/3D_PICTURE_DRAWING.pif
A .pif file was originally used by older versions of Windows (from the DOS era) to store information about how to run DOS programs. In modern contexts, however, .pif files are often used to disguise executables, since Windows still treats them as executable.
Although the link was inaccessible, some pivoting in VirusTotal suggested that the .pif file disguised the executable 3D PICTURE DRAWING DESIGN..pdf.exe (SHA-256: d7bd0b2562c16e5ba120a0eab297c5ec6fbe38bda36dfc7d9e34b1b5699438cc). Based on its file version information, the original name of this file is cLmx.exe. The executable is flagged by a number of detection engines as behaving like Formbook malware. Formbook is an infostealer operating as MaaS (Malware as a Service) for the affordable price of around $59 per month.
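The lure described above (a PDF whose only job is to carry a link to a .pif) can be triaged without opening the document. The following Python script is an added example and is not part of the original post: it pulls /URI entries out of uncompressed PDF link annotations, defangs them, and flags URLs whose path ends in an extension Windows will execute. The embedded PDF and the example.invalid URLs are constructed for the demonstration; the only real-world detail taken from the post is that .pif belongs on the executable list.

```python
import re

# Extensions Windows treats as executable when a downloaded file is launched.
# .pif is included because, as the post notes, it is used to disguise executables.
EXECUTABLE_EXTENSIONS = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta")

# Matches the literal-string form of a /URI entry inside a link annotation or
# URI action dictionary. Hex-string URIs and objects inside compressed object
# streams are not covered; inflate those first (e.g. with qpdf --qdf) if needed.
URI_PATTERN = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes):
    """Return every /URI string found in the raw (uncompressed) PDF objects."""
    uris = []
    for m in URI_PATTERN.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo the PDF literal-string escapes that can appear in a URL.
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def defang(url):
    """Neutralise the scheme so the URL cannot be clicked in a report."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://")


def classify_uri(url):
    """Return the executable-style extension the URL path ends with, or None."""
    path = url.split("?", 1)[0].split("#", 1)[0].lower()
    for ext in EXECUTABLE_EXTENSIONS:
        if path.endswith(ext):
            return ext
    return None


def triage_pdf(pdf_bytes):
    """Defanged URI list with an executable_ext field for each link found."""
    return [{"uri": defang(u), "executable_ext": classify_uri(u)} for u in extract_uris(pdf_bytes)]


# Constructed minimal PDF for the demonstration: one link to a .pif lure and one
# ordinary link. It is not the sample from the post.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 120]
   /A << /S /URI /URI (https://files.example.invalid/3D_PICTURE_DRAWING.pif) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 140 300 160]
   /A << /S /URI /URI (https://example.invalid/docs/readme.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for finding in triage_pdf(SAMPLE_PDF):
        flag = "EXECUTABLE LINK" if finding["executable_ext"] else "ok"
        print(f"{flag:16} {finding['uri']}")
```

The regex only sees objects stored in clear; a PDF that hides its annotations in a compressed object stream will return nothing, so an empty result is a reason to decompress and rerun, not a clean bill of health.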
Static Analysis
cLmx.exe matches the signature "Microsoft Visual C# v7.0 / Basic .NET", indicating that it was developed on Microsoft's .NET platform, likely in C# or VB.NET, and compiled with .NET Framework 7.0 tools; it is therefore a managed .NET assembly.
The sample is written to impersonate a legitimate program called English Helper.
Behavioural Analysis
Executing the specimen in my lab generated no useful indicators. The process terminated itself almost immediately, most likely because it detected that it was running in a virtualised environment. Formbook is known to ship with well-established anti-analysis techniques, which would explain the early exit.
Code Analysis
At first glance it is very difficult to spot the malicious payload: the malware possesses all the attributes and methods of a language-learning tool.
Checking other analyses out there, I saw that a recent Formbook specimen had mapped a resource into memory using Assembly.Load. Looking over my sample, I found something similar within a class named MainPage:
This code is definitely suspicious and could be part of the malware's payload loading mechanism. Let's break down why.
- List<byte> list2; indicates that list2 is a list of bytes, which could be storing the decrypted or raw binary data of the malicious code.
- typeof(Assembly).InvokeMember("Load", ...) is particularly telling. It uses reflection to invoke the Assembly.Load method dynamically. Instead of calling Assembly.Load directly, it uses InvokeMember with BindingFlags.InvokeMethod to invoke it at runtime. This is often done to evade static analysis, since no direct reference to Assembly.Load appears in the method's call graph.
- list2.ToArray() converts the List<byte> into a byte array, which is then passed to Assembly.Load. This method loads the byte array as a .NET assembly directly into memory, without ever writing it to disk.
- as Assembly casts the result of the dynamic Assembly.Load call into an Assembly object, allowing the program to execute code from the loaded assembly.
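The evasion only goes so far: calling Assembly.Load through InvokeMember removes the direct method reference, but the string "Load" that is passed to InvokeMember still has to live somewhere, and in a .NET assembly string literals sit in the #US heap as length-prefixed UTF-16LE (ECMA-335 II.24.2.4), while the InvokeMember and Assembly references remain as null-terminated UTF-8 names in the #Strings heap. The Python below is an added triage example, not code from the post or from the sample; it builds those exact heap encodings and searches a file for the combination. The SUSPECT and BENIGN byte blobs are constructed fragments that imitate the relevant heap entries, not real assemblies.

```python
import re


def user_string_blob(text):
    """Encode `text` as the .NET #US heap stores a string literal: a one-byte
    length (UTF-16LE byte count + 1 for the terminal byte) followed by the
    UTF-16LE characters. Only short strings (< 64 chars) are handled, which is
    enough for a method name; longer ones use a multi-byte length prefix."""
    payload = text.encode("utf-16-le")
    if len(payload) + 1 >= 0x80:
        raise ValueError("string too long for single-byte length prefix")
    return bytes([len(payload) + 1]) + payload


def strings_heap_name(name):
    """A #Strings heap entry is a null-terminated UTF-8 name; the leading null
    is the terminator of the previous entry, so matching it avoids hits inside
    longer names such as 'LoadFrom'."""
    return b"\x00" + name.encode("utf-8") + b"\x00"


# The literal "Load" followed by the #US terminal byte (0 or 1).
US_LOAD = re.compile(re.escape(user_string_blob("Load")) + rb"[\x00\x01]")


def find_reflective_load(data):
    """Collect the three artefacts a reflection-based Assembly.Load leaves behind."""
    return {
        "invoke_member_ref": strings_heap_name("InvokeMember") in data,
        "assembly_ref": strings_heap_name("Assembly") in data,
        "load_literal": US_LOAD.search(data) is not None,
    }


def is_suspicious(data):
    """InvokeMember referenced AND 'Load' present as a string literal rather than
    as a method reference is the pattern described in the post."""
    ev = find_reflective_load(data)
    return ev["invoke_member_ref"] and ev["load_literal"]


# Constructed heap fragments (not real binaries) standing in for two assemblies.
# SUSPECT mirrors the post's MainPage code: InvokeMember is referenced and
# "Load" is a user string. BENIGN calls Assembly.Load directly, so "Load" is a
# #Strings member name and never appears in #US.
SUSPECT = (
    b"BSJB" + b"\x00" * 4
    + strings_heap_name("MainPage") + strings_heap_name("Assembly")
    + strings_heap_name("InvokeMember") + strings_heap_name("ToArray")
    + b"\x00" * 4
    + user_string_blob("Load") + b"\x00"
    + user_string_blob("English Helper") + b"\x00"
)
BENIGN = (
    b"BSJB" + b"\x00" * 4
    + strings_heap_name("MainPage") + strings_heap_name("Assembly")
    + strings_heap_name("Load") + b"\x00" * 4
    + user_string_blob("English Helper") + b"\x00"
    + user_string_blob("Loading...") + b"\x00"
)

if __name__ == "__main__":
    import sys
    targets = {"SUSPECT": SUSPECT, "BENIGN": BENIGN}
    for path in sys.argv[1:]:                      # optionally scan real files
        with open(path, "rb") as fh:
            targets[path] = fh.read()
    for name, blob in targets.items():
        print(name, find_reflective_load(blob), "suspicious" if is_suspicious(blob) else "clean")
```

This is a triage signal, not proof: a loader that assembles the method name at runtime (concatenation, decryption, or an obfuscator that encrypts the #US heap) will not leave the literal in place, so a negative result means only that this particular shortcut was not taken.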
Anti-Analysis
This sample is protected by rigorous anti-analysis techniques. There will be more to come in this blog post once I have been able to overcome these barriers.
IOCs
Files
- 3D PICTURE DRAWING DESIGN.pdf - SHA-256: 6657978de693874ef0b1d7491ff7ecc4066631d88b1481b19d9913d56356fd81
- 3D PICTURE DRAWING DESIGN..pdf.exe - SHA-256: d7bd0b2562c16e5ba120a0eab297c5ec6fbe38bda36dfc7d9e34b1b5699438cc
Links
hxxps://filebin.net/v84mk8ucvp2m702e/3D_PICTURE_DRAWING.pif