Ursnif Office (OOXML) / .XLSM malware analysis — malicious · 7b0ead822b72790f

MALICIOUS

Office (OOXML) / .XLSM

174.0 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 15.0300

MD5: 8378548448a812063c77b9e547345935 SHA-1: 77ea7c266f3824d4aaf2dc074f1fb99c839109b1 SHA-256: 7b0ead822b72790f5cbec7f8095bfa17813a2bb3a825639cf758fcbeda59ad61

100 Risk Score

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK

T1218.010 System Binary Proxy Execution: Regsvr32 T1059.001 Command and Scripting Interpreter: PowerShell

The file is detected as Ursnif by ClamAV. Static analysis reveals a command embedded in the document body that uses regsvr32 to download and execute a DLL from the URL 'http://premiumstat.co/con3cti0n.dll'. This indicates the document's purpose is to act as a dropper for a malicious payload.

Heuristics 3

ClamAV: Doc.Dropper.UrsnifIT1220-9803735-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.UrsnifIT1220-9803735-0
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND

Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://premiumstat.co/con3cti0n.dll

Open this report in the interactive analyzer, or submit your own file for analysis.