PDF campaign distributing Ursnif through malicious VBS


SonicWall RTDMI engine detected a number of PDF files containing link to malicious archive file. The non-existence of this malicious file at the time of detection in popular malware search portals like the VirusTotal and the Reversing Labs indicates the effectiveness of the RTDMI engine.

Fig-1 VirusTotal results for the PDF file



PDF file are being distributed to victims, disguised as a document from Australian Organizations like Indigenous Business Australia etc. To deceive victims, PDF file is made to look as realistic as possible by having misleading text and icons related to the organization whose users would be targeted. The document file displays an icon showing the victim that a document file would be downloaded on clicking the icon, as shown in the images below. Rather an archive containing malicious VBScript is downloaded from “hxxp://kruanchan.com/00198728883.zip”.

Fig-2 Snapshots of PDF files.

At the time of analysis, both the archive and the malicious VBScript have detection from a handful of AV Vendors as could be seen below:

Fig-3 VirusTotal results for the downloaded archive file

Fig-4 VirusTotal results for the VBS script file

To hinder analysis, the VBScript is highly obfuscated as shown below:

Fig-5: Obfuscated VBScript code

Fig-6 Code of VBScript after deobfuscation

It could be seen above, the script first creates an Internet shortcut file named “Google.url” in the %TEMP% directory, having ‘www.google.com’ as the target link. Then it tries to download malicious content from “hxxp://news.pompeox.org/”, save it in the %TEMP% folder as “ie.exe”, finally executes the downloaded file. The downloaded file belongs to Ursnif malware family.

Indicators of Compromise:









Archive: ab74a5181b552055621e1abbd0336a1d7f110360db20ab8e51f97a332d4024e3

VBS: 554da6d32b3226bfe058fa545be80dc06895cca33843bf618c7c65a5e14d47b4

Fig-7 Snapshot of SMASH detection Report

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.