New Password Protected Macro Malware evades Sandbox and Infects the victims with Ursnif Malware !!

These days, Along with the unforeseen climatic conditions, several unpredictable malware campaigns are also occurring across the connected world. Mostly Offenders are relying on spam mails and the associated malicious Macros, to drop and infect the targeted victims with various other atrocious malware.

Studies shows 95% of successful security attacks created by Human mistakes!!

Security sensitive entities are hardening the controls to their maximum to escape from these types of campaigns or infections. On the other hand, malware authors are taking lot of inventive steps to evade these, so-called ‘hardened security controls’.

That said, Lets jump into a very latest Document malware, which evades all the security controls to infect the targeted machines with Ursnif Spyware.

Do you want a brief before kicking off? There you go..

Three spam mails were spotted spreading, each carrying Microsoft document files (.docx) which were password protected. The mail body contained the passwords to open the protected documents. The three document files did not contain any Macro codes (obviously, .docx files may not be), but the body of the Documents contained three OLE Objects embedded in it with icons mimicking word document files. These embedded objects were unique malicious VBScripts, which acts as a malware dropper. Once the user double clicks any of the Ole VBScript object, the malicious code will drop an atrocious spyware, which is new variant of Ursnif.

One of the three spam mails are shown in the below:

Once the document is opened, a password prompt will pop up before the Document is fully opened. This is a prominent tactic for evading any automated sandboxing technologies, as human intervention is needed to perform the password entry, which is listed in the body of mail.

There you go Sandbox! You cannot go beyond this. Bad boy expects human sense not yours!! 😉

Shall we create a tool to trace the password in the body of mail and feed to password popup while in sandbox? 😉 Please leave a comment if it is out there 🙂

When the password is entered, the document will open and then shows three embedded OLE objects, which imitates three Document files (only Word Icon and name). However, the truth is that all the three objects are unique malicious VBScript.

It is important to find the architecture and working of this embedded VBScript to identify important IOCs. As we discussed earlier, all the VBScripts were similar and hence safely copied this standalone Script and started debugging. The codes were not fully obfuscated but heavily used random variable names to confuse static analysis and heuristics detections.

Immediately when the script is executed, the VBScript will be executed by copying itself to the %temp folder.

My dear Sandbox, did you managed to reach this extend. Now the timer ticks, 250 seconds. You are failed!!

Then the script will call a command shell to start PING to, 250 times redirected to nul. The idea is to sleep for 250 seconds before it start next arguments. This is another technique used by malware to evade the automated malware analysis using Sandboxes.

For malware to trigger its command and control communication, we have to wait for 250 PING wait. Luckily if we try to manually terminate the whole PING process tree, immediately the Malware tries to communicate with its Command and control IP address to download a file. 😉

From the below debug code, We can suspect that the code is trying to download a file “img.jpt” from a remote IP address and checks for the HTTP status code successful connection or not ( 200 OK)

As we suspected, the moment we terminate the PING process the code will be communicating to remote IP addresses to download the files.

All the dynamic analysis is done by emulating the required resources for the malware.

Another Remote IP communication to download a file (for another sample).

Since we are emulating the network communication for malware, it failed to get the actual file and next tries to communicate to another domain to download the same file but with different name and extension : “tmp.pkg” (encrypted file)

Same for another sample:

What happens if both fails and whats the dropped file

If both the communication is failure , the malware itself will drop an encrypted file with “.QdE” (Xorcrypt), extension at : C:\Users\{username}\AppData\Roaming.

Then the malicious macro, on the fly, will decrypt the dropped file into a PE file (executable) in the same destination folder with a “.VIv” extension. The names of these files will be randomly generated (numbers).

Once the executable file is dropped successfully, wscript shell will then invoke the command line for executing the PE file.

Here ends the role of the Documents, which users received via spam mails. Next, the threat will advance to the dropped malware.

Dropped Executable – Ursnif Spyware

Further analysis confirmed that the file which dropped by the document is an infamous atrocious “Ursnif Malware”

  • The {randomnumber}.Vlv malware once executed will copy itself as “adprtext.exe” at “C:\Users\{username}\AppData\Roaming\MICROS~1\adprtext.exe” and executes from there
  • The malware will seek persistence by adding the above path to Path: “HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN”
  • Then the spyware will do its spying activity like keylogging, credential harvesting etc and would start exfiltration to remote command and control servers
  • The sample POST (exfiltration traffic) compromised traffic:

This time providing full IOCs , Prevention is better than cure ! 🙂

Indicators of Compromise

Spam Mail Sender

File Hashes – Documents

MD5 : 7B9D6ED35A03810AB9FA4389AAA0BC7D

MD5 : 505E5ABE91B5214D11DEE94E0069A6CD

MD5 : 812129572DAD1887C5C3E4A4B3C8A938

 Two variants of VBscript embedded inside the word document

MD5: 6515B987026A1D68DD5C95269F1F7D6A

MD5: 399DE7366D52937E245235F18EBD8117

Dropped File – Encrypted file


  1. {randomnumber}.QdE
  2. jpt
  3. pkg
  4. kls
  5. ktg

 same MD5 : C95A7F3FDDE60FCE15BFA74ED87B62CE

  Dropped Files



C:\Users\{username}\AppData\Local\Word document.vbs

C:\Users\{username}\AppData\Local\Document Part.vbs

Communicated IP addresses

Communicated URLs

Final Dropped Spyware – Ursnif

Name: {randomnumbers}.VIv

 MD5: 15BAA544D5EFCB1B88AA71A99EEC95D3

  Spyware Copies itself to below location :


DNS query by the Spyware and URLs for POST traffic






 IP addresses communicated by Spyware

Threat Intelligence

The analysis shows one of the IP is tagged under Botnet activity. The IP address “” is seen tagged under “Botnet”. Also another IP address “” contains the same Russian malicious domain which Botnet IP had, which can link as this IP also can be part of this Botnet.

The main IP address of the spyware which we analyzed must be “” which contains most of the domain to which the spyware is sending POST traffic and DNS request.

Analysis shows that this IP is sinkholed by “” a sinkhole project – which itself shows this IP is a zombie IP and part of Botnet.

Also we can see the below intelligence stating this IP has been also reported as Botnet IP:




The spam mails are spreading across the internet, utilizing various tricks and tactics to evade all the security measures in an entity. These malicious documents would drop most of the flavors of malware with ease. In this incident, we saw the Document used two evading techniques such as Password protection and sleeping mechanism, dropping a Spyware and letting it to execute in the victim machine.

No Macro enabling popup, Evaded Sandbox, AV evasion, passed the Mail Gateway. Hmm… Let’s start Security awareness Training for the end users 🙂



Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.