In-depth Formbook malware analysis

The malware stores encrypted buffers, “hidden” directly within the text section. The address of each encrypted buffer is retrieved thanks to a trick commonly used by malware. Since a call instruction pushes on the stack the address of the instruction to execute when returning from the callee, a call instruction (0xE8) with an operand of 0x00000000 leads to a jump at the address following the call.

The following ‘pop eax’ instruction can then be used to retrieve the current instruction pointer value, and thus the start of the encrypted buffer, located 2 bytes after:

Source: stormshield.com