Detection Content: Formbook Dropped Through Fake PDF (Sysmon Behavior)

The Covid19 outbreak has revealed a number of blind sides of cybersecurity. We do our best to keep you in the picture of the latest trends on our Weekly Talks, webinars, relevant content Digests. However, human curiosity in the flood of information may be a weak spot. FormBook, the infostealer known since 2016, has been actively distributed via email campaign delivering a PDF file with Covid19 related information. The FormBook data stealer lacks some features of a full-fledged banking malware, but still can make screenshots, monitor clipboard, grab passwords from email clients and browsers as well as have a clear view of the victim’s network requests. Receiving commands from the Command and Control server, FormBook gains command of the victim machine, including launching commands via ShellExecute, clearing browser history, rebooting the machine, and remoting bot from the host system.

In the recent campaign, the email, the most often viewed via browser, pretends to contain the up-to-date information about the Covid19 outbreak, but actually delivers the GuLoader which further installs the FormBook trojan.


The Formbook Dropped Through Fake PDF (Sysmon Behavior) rule by Lee Archinal, active participant of Threat Bounty Developer program, helps to spot the FormBook activity:


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint



Tactics: Execution, Defense Evasion

Techniques: Command-Line Interface (T1059), Indicator Removal on Host (T1070), Modify Registry (T1112)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts