Office (OLE) / .EXE malware analysis — malicious · 00791322ee703d70

MALICIOUS

Office (OLE) / .EXE

43.0 KB Created: 1980-01-04 13:50:03 Authoring application: Microsoft Excel

MD5: f300689ac2a347e88f4581dfefbcd526 SHA-1: 33058e7093195870552a722306fae1f1f7d115a5 SHA-256: 00791322ee703d70eff516d567e0f47ef79181662d42d7c01cd3ddb4ca8a6181

180 Risk Score

Malware Insights

MITRE ATT&CK

T1547.001 Registry Run Keys / Startup Folder T1547 Boot or Logon Autostart Execution T1059.005 Visual Basic

The file is identified as a variant of the Laroux macro virus, a known threat. The VBA script within the file, specifically the 'auto_open' subroutine, is designed to execute automatically when the workbook is opened. It attempts to save a copy of itself as 'SIEMENS.XLS' in the Excel startup path, indicating a persistence mechanism. The script also schedules further execution of a routine named 'MassageVirus' at various times.

Heuristics 4

Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS

Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
ClamAV: Xls.Trojan.Laroux-33 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Laroux-33
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `9afdef5d3f58a3bfb87200ecfd8c58ec2c397f21e74cf9e1c782c93e73dfb137`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3704 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.