VBEtaly: An Italian Ursnif MalSpam Campaign

August 16, 2018


Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.

The attackers also seem to be operating from well-known Italian web email services such as:,, and more.

The infection chain is as described below:

The decrypted VBS code is as follows:

VBS Code Example

The CMD command:

The fake certificate:


  • pagamentofattura\.com/ntu
  • pagamentofattura\.com/nt.txt (Fake certificate)
  • 81ced08079f3d28f458ca9cdaf64249c (VBE)
  • beb5552932bfe23215c2ca1248f58184 (PowerShell)
  • 2d4092d34a5d1c864becbca80353fb95 (Decoded exe notepad+.exe)
  • File name: Notepad+.exe





  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks