PDF campaign distributing Ursnif through malicious VBS
SonicWall's RTDMI engine detected a number of PDF files containing a link to a malicious archive file. At the time of detection, the archive was absent from popular malware search portals such as VirusTotal and ReversingLabs, which indicates the effectiveness of the RTDMI engine.
Fig-1 VirusTotal results for the PDF file
The PDF files are being distributed to victims disguised as documents from Australian organizations such as Indigenous Business Australia. To deceive victims, each PDF is made to look as realistic as possible, with misleading text and icons related to the organization whose users are targeted. The document displays an icon suggesting to the victim that a document file will be downloaded when the icon is clicked, as shown in the images below. Instead, an archive containing a malicious VBScript is downloaded from “hxxp://kruanchan.com/00198728883.zip”.
Fig-2 Snapshots of PDF files.
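The lure works because the PDF carries a link annotation whose /URI action points at an archive rather than at a document. A quick triage step is therefore to pull every /URI target out of a PDF and flag the ones whose path ends in an archive extension. The Python below is an added example and is not SonicWall's code or a sample from this campaign; the PDF bytes, the host name `download.example.invalid` and the extension list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed PDF fragment for illustration only; it is not a sample from the campaign.
# Object 4 is a link annotation whose /A action points at an archive file,
# object 5 is a harmless link to a web page (with escaped parentheses in the URL).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 160]
   /A << /S /URI /URI (http://download.example.invalid/00198728883.zip) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [20 20 80 40]
   /A << /S /URI /URI (https://www.example.org/privacy\\(2020\\).html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "/URI" followed by a PDF literal string: "(" ... ")" where backslash escapes are allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Archive types commonly used to wrap script droppers (assumed list, extend as needed).
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img", ".cab")


def _unescape(literal: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for a URL."""
    out = literal.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return out.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every literal-string /URI target found in the raw PDF bytes, in order."""
    return [_unescape(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]


def archive_links(pdf_bytes: bytes) -> list:
    """Return the /URI targets whose URL path ends in an archive extension."""
    hits = []
    for uri in extract_uris(pdf_bytes):
        path = urlparse(uri).path.lower()
        if path.endswith(ARCHIVE_EXTENSIONS):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    flagged = set(archive_links(SAMPLE_PDF))
    for uri in extract_uris(SAMPLE_PDF):
        print(("ARCHIVE " if uri in flagged else "ok      ") + uri)
```

This only sees /URI values written as literal strings in uncompressed objects. A PDF can also carry the URI as a hex string (`<...>`) or keep the annotation inside a FlateDecode object stream, so for real triage run the same check over objects produced by a proper PDF parser that inflates streams.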
At the time of analysis, both the archive and the malicious VBScript had detections from only a handful of AV vendors, as can be seen below:
Fig-3 VirusTotal results for the downloaded archive file
Fig-4 VirusTotal results for the VBS script file
To hinder analysis, the VBScript is heavily obfuscated, as shown below:
Fig-5 Obfuscated VBScript code
Fig-6 Code of VBScript after deobfuscation
As can be seen above, the script first creates an Internet shortcut file named “Google.url” in the %TEMP% directory, with ‘www.google.com’ as its target link. It then tries to download malicious content from “hxxp://news.pompeox.org/”, saves it in the %TEMP% folder as “ie.exe”, and finally executes the downloaded file. The downloaded file belongs to the Ursnif malware family.
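The behaviour chain just described, a script host writing a decoy shortcut and an executable into %TEMP% and then launching that executable, is what a defender would want to alert on regardless of how the VBScript is obfuscated. The Python below is an added example and not SonicWall's code: it runs one such rule over constructed endpoint telemetry. The event dictionaries, field names and file paths are assumptions standing in for whatever process and file-creation events an EDR or Sysmon pipeline actually emits.

```python
import ntpath
from collections import defaultdict

# Windows script hosts whose file drops and child processes we want to correlate.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def in_temp(path: str) -> bool:
    """True if the path lies under a Temp directory (case-insensitive, Windows separators)."""
    return "\\temp\\" in path.lower()


# Constructed telemetry, not a real log. Each event names the acting process (pid, image);
# "file_create" carries the written "path", "process_create" carries the "child" image.
EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\wscript.exe", "event": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\Google.url"},
    {"pid": 4120, "image": r"C:\Windows\System32\wscript.exe", "event": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\ie.exe"},
    {"pid": 4120, "image": r"C:\Windows\System32\wscript.exe", "event": "process_create",
     "child": r"C:\Users\alice\AppData\Local\Temp\ie.exe"},
    # Benign: an installer writes a log to Temp and launches a helper from Program Files.
    {"pid": 880, "image": r"C:\Users\alice\Downloads\setup.exe", "event": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\setup.log"},
    {"pid": 880, "image": r"C:\Users\alice\Downloads\setup.exe", "event": "process_create",
     "child": r"C:\Program Files\Vendor\helper.exe"},
    # Benign: a script host that only writes a text file to Temp.
    {"pid": 5004, "image": r"C:\Windows\System32\cscript.exe", "event": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\report.txt"},
]


def detect_script_drop_and_run(events):
    """Alert when a script host writes an executable into Temp and later launches it.

    Events are assumed to be in chronological order. One alert is produced per matching
    launch; any .url files the same process dropped are attached as supporting evidence.
    """
    dropped = defaultdict(set)      # pid -> lower-cased .exe paths written to Temp
    shortcuts = defaultdict(list)   # pid -> .url files written to Temp (decoy behaviour)
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image not in SCRIPT_HOSTS:
            continue
        if ev["event"] == "file_create" and in_temp(ev["path"]):
            lowered = ev["path"].lower()
            if lowered.endswith(".exe"):
                dropped[ev["pid"]].add(lowered)
            elif lowered.endswith(".url"):
                shortcuts[ev["pid"]].append(ev["path"])
        elif ev["event"] == "process_create":
            if ev["child"].lower() in dropped[ev["pid"]]:
                alerts.append({
                    "pid": ev["pid"],
                    "rule": "script_host_drop_and_execute_from_temp",
                    "executed": ev["child"],
                    "decoy_shortcuts": list(shortcuts[ev["pid"]]),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_drop_and_run(EVENTS):
        print(alert)
```

The rule keys on the parent-child relationship (the script host launching a file it wrote itself) rather than on the names Google.url or ie.exe, so a renamed drop still fires, while an installer that merely writes logs to Temp does not. In a real pipeline the same logic would be expressed as a Sigma or EDR correlation rule joining file-create and process-create events by process GUID.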
Indicators of Compromise:
Fig-7 Snapshot of SMASH detection Report