Ursnif is being distributed using Reply-Chain attacks and password protected .zip files across multiple clients. Inside of the .zip files will be documents containing macros which execute and reach out to a Ursnif distribution server to download the payload.
The Reply-Chain attacks are carried out by infecting one victim, accessing their emails, locating an ongoing email chain, and then injecting their malicious file into the email chain. This is very effective, because it appears to come from a trusted source.
Additionally, Ursnif demonstrates some fileless capabilities. It installs itself in a Registry Key which will contain powerscript/mshta commands in order to pull down and re-execute itself. As everything else is done in memory, the file is not resident on the HDD, but instead exists in the Registry.