Netskope Threat Research Labs has observed the URSNIF data theft malware being shared among Microsoft OneDrive users. The malware was observed propagating via a malicious Microsoft Word macro which tricks the end user into opening the file and, if macros are disabled, enabling them. The Word macro is heavily obfuscated, making it difficult for traditional antivirus products to detect it. Additionally, a collection of anti-sandbox techniques are employed in attempt to subvert sandboxes and other run-time detection techniques.
Netskope Active Threat Protection detects the malicious Word file as “W97M.Downloadr.DVS” and the resulting URSNIF data theft malware as “Backdoor.Generckd.3415082”.
Analysis of Malicious Word Document
While analyzing this malicious Word document, we found a fake error trick used to lure the victim as well as several anti-sandbox techniques used to bypass automated sandboxes. Once the document file is opened, a very clever but illegitimate error message is shown to fool the victim. The error message looks like a genuine Word error as shown in Figure 1.

Fig