Ursnif Office (OOXML) / .XLSM malware analysis — malicious · e4b2d132f1a73e6c

MALICIOUS

Office (OOXML) / .XLSM

254.0 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 15.0300

MD5: 2febe82cc4a24d345deae0ca25fe461c SHA-1: 3a2ab3ab67da159c576e1a6e7c382794970f46b4 SHA-256: e4b2d132f1a73e6cea64b32351c288a535dfa0fabe75d5d599ddee7e0ea58c97

100 Risk Score

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK

T1218 System Binary Proxy Execution T1218.010 System Binary Proxy Execution: Regsvr32

The file is an XLSM document containing obfuscated text that, when processed, reveals a command to execute a DLL from a remote URL using regsvr32. This is a common technique for Ursnif malware to download and execute a second-stage payload. The ClamAV detection further supports the Ursnif family attribution.

Heuristics 3

ClamAV: Doc.Dropper.UrsnifIT1220-9803735-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.UrsnifIT1220-9803735-0
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND

Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://premiumstatics.co/con3cti0n.dll

Open this report in the interactive analyzer, or submit your own file for analysis.