December 8, 2023

Researchers from  Malwarebytes Threat Intelligence Team found has a Formbook campaign (information stealer) targeting oil and gas companies. The campaign was delivered by a targeted email that contained two attachments, one is a pdf file and the other an Excel document.

The email pretends to be from Saudi Aramco, a Saudi Arabian public petroleum and natural gas company, and one of the largest companies in the world by revenue. The email asks the receiver to provide an offer for refinery renovations that requires a swift response.


It read:

Dear Sir,

Warm Greetings From Saudi Aramco.

We request you to furnish your best, complete, exclusive and competitive techno-commercial offer to our esteemed company for the supply of below mentioned item(s) on or before 10-March-2022.

Your offer should conform to all the specifications (FIT, FORM and FUNCTION) mentioned in our requisition including the following information:

1. Manufacturer’s Name and Country of Origin.

2. Latest Delivery Date and Shipment Terms.

3. Estimated Weight / Volume or Dimensions of the quoted item(s) / Final Package.

4. Cost of attestation of documents from chamber of commerce shall be borne by the Supplier.

5. Warranty Period.

6. Product Specifications / Data Sheet, Drawings, and Catalog (if available)

7. Payment Terms

8.Partial Order acceptable or not acceptable.

9. Offer Validity: 90 Days.

END USER: SEC (Saudi Arabian Oil Company)

End Destination : Saudi Arabia

Please acknowledge the email along with the attachment (download below) and confirm your willingness to quote

Best regards,

The attached pdf file contained an embedded Excel object. The embedded object downloaded a remote template that exploits CVE-2017-11882 to download and execute the FormBook malware. This vulnerability exists in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 and allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory. If the current user is logged on with administrative user rights, this means an attacker could take control of the affected system.


Indicators of Compromise


  • c421a4309d8fe9fa9bdfe1bde69ccce3
  • f260e184fb067d3b646af3574e901c05
  • da4fcf9512dbdf5fa8a6dc88a646100e
  • 7f5da76f29cf8238ed1f944b1d0e587a
  • bb65278dd77988f8a7bad219b524384c

Malicious Domains


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.