MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
This Excel file contains a VBA macro, specifically an Auto_Open subroutine, which is a common technique for executing malicious code upon opening the document. The macro attempts to save itself as 'PLDT.XLS' in the startup path, indicating an attempt to establish persistence. The presence of 'Laroux' markers and ClamAV detections strongly suggest it belongs to the Laroux family of malware.
Heuristics 5
-
Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUSLegacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
-
ClamAV: Xls.Trojan.Laroux-28 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Trojan.Laroux-28
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas19e37346b4d089f01f7e6763fdb731f3d3c581d663d5d11fdf108a81cb5c5d58 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2018 bytes |
|
Detection
ClamAV:
Xls.Trojan.Laroux-28
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.