Staff member
Malware Hunter
A large SPAM campaign is underway where victims receive an email that pretends to be a requested invoice and contains a password for a password protected encrypted Word document attachment. These password protected word documents contain embedded VBScript files that will download and install the Ursnif keylogger.

When Word documents are password protected, they also become encrypted. Malware distributors are hoping that by sending these encrypted Word documents they will be harder to detect by security software. You can see an example of one of the malicious SPAM emails that was provided to me by Zenexer.


Once started, Ursnif will record your keystrokes, programs you open, files you create, and data you copy into the Windows clipboard and save them into logfiles in the %Temp% folder. These log files will have random file names that end with the .bin extension. For example, a log file could be called ja71.bin. These files are actually archives that can be extracted to see the data that will be sent to a TOR server under the malware developers control.