MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file contains VBA macros, specifically an Auto_Open macro, and is identified by ClamAV as Xls.Trojan.Laroux-28. The macro code manipulates data across different worksheets, suggesting an attempt to obfuscate malicious activity or prepare for a secondary payload. The presence of the 'laroux' marker and Auto_Open macro strongly indicates a known macro-virus family.
Heuristics (4)
- ClamAV: Xls.Trojan.Laroux-28 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Laroux-28
- Excel 5 Laroux/Larou-CV macro-virus marker cluster (critical, OLE_XLS5_LAROUX_MACRO_VIRUS): Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10137 bytes |

SHA-256: a4aeab6ece21db738459a919112a64f1105f04cdc1f841f3f45d04c31625a653
Detection
- ClamAV: Xls.Trojan.Laroux-28
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Module1"
Sub TUDOR()
Attribute TUDOR.VB_Description = "Macro recorded 11/17/98 by nano"
Attribute TUDOR.VB_ProcData.VB_Invoke_Func = "U\n14"
'
' TUDOR Macro
' Macro recorded 11/17/98 by nano
'
' Keyboard Shortcut: Ctrl+Shift+U
'
Dim CONTOR, DATAINIT, DATACITITA, CONTOR1, SUM
Worksheets("realcz").Range("A1:L10000").Value = ""
Sheets("realczi").Select
Columns("A:L").Select
Selection.Copy
Sheets("realcz").Select
Range("A1").Select
ActiveSheet.Paste
Range("A1").Select
Application.CutCopyMode = False
Selection.Sort Key1:=Range("B2"), Order1:=xlAscending, Key2:=Range("A2") _
, Order2:=xlAscending, Header:=xlGuess, OrderCustom:=1, MatchCase:= _
False, Orientation:=xlTopToBottom
DATAINIT = Worksheets("REALCZ").Cells(2, 2).Value
DATACITITA = Worksheets("REALCZ").Cells(2, 2).Value
Worksheets("LISTARE").Range("A5:K200").Value = ""
Worksheets("LISTARE").Range("A5:K200").Borders.LineStyle = xlLineStyleNone
SUM = 0
SUM1 = 0
SUM2 = 0
SUM3 = 0
SUM4 = 0
SUM5 = 0
SUM6 = 0
SUM7 = 0
SUM8 = 0
SUM9 = 0
CONTOR = 0
CONTOR1 = 0
While CONTOR <= 800
Worksheets("LISTARE").Cells(1, 1).Value = CONTOR + 2
If Trim(DATACITITA) = Trim(DATAINIT) Then
SUM = SUM + Worksheets("REALCZ").Cells(CONTOR + 2, 6).Value
SUM1 = SUM1 + Worksheets("REALCZ").Cells(CONTOR + 2, 11).Value
SUM2 = SUM2 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
If Trim(Worksheets("REALCZ").Cells(CONTOR + 2, 9).Value) = "ZM" Then SUM3 = SUM3 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
If Trim(Worksheets("REALCZ").Cells(CONTOR + 2, 9).Value) = "APC" Then SUM4 = SUM4 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
If Trim(Worksheets("REALCZ").Cells(CONTOR + 2, 9).Value) = "CB" Then SUM5 = SUM5 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
If Trim(Worksheets("REALCZ").Cells(CONTOR + 2, 9).Value) = "CS" Then SUM6 = SUM6 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
If Trim(Worksheets("REALCZ").Cells(CONTOR + 2, 9).Value) = "SKP" Then SUM7 = SUM7 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
If Trim(Worksheets("REALCZ").Cells(CONTOR + 2, 9).Value) = "SL" Then SUM8 = SUM8 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
If Trim(Worksheets("REALCZ").Cells(CONTOR + 2, 10).Value) = "BL" Then SUM9 = SUM9 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
'Select Case LINIE
'Case LINIE = SKP
'SUM3 = SUM3 + 1
'End Select
'If Trim(LINIE) = "SKP" Then
'SUM3 = SUM3 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
'
'End If
Else
CONTOR1 = CONTOR1 + 1
Worksheets("LISTARE").Cells(CONTOR1 + 4, 1).Value = Worksheets("REALCZ").Cells(CONTOR + 1, 1).Value
Worksheets("LISTARE").Cells(CONTOR1 + 4, 2).Value = Worksheets("REALCZ").Cells(CONTOR + 1, 2).Value
Worksheets("LISTARE").Cells(CONTOR1 + 4, 3).Value = SUM
Worksheets("LISTARE").Cells(CONTOR1 + 4, 4).Value = SUM2
If SUM * 1000 - SUM2 >= SUM * 1000 / 5 Then Worksheets("LISTARE").Cells(CONTOR1 + 4, 5).Value = SUM2 - SUM * 1000
Worksheets("LISTARE").Cells(CONTOR1 + 4, 6).Value = SUM1
Worksheets("LISTARE").Cells(CONTOR1 + 4, 7).Value = SUM3
Worksheets("LISTARE").Cells(CONTOR1 + 4, 8).Value = SUM4
Worksheets("LISTARE").Cells(CONTOR1 + 4, 9).Value = SUM8 + SUM7 + SUM6
Worksheets("LISTARE").Cells(CONTOR1 + 4, 10).Value = SUM9
Worksheets("LISTARE").Cells(CONTOR1 + 4, 11).Value = SUM3 + SUM4 + SUM6 + SUM7 + SUM8
SUM = 0
SUM1 = 0
SUM2 = 0
SUM3 = 0
SUM4 = 0
SUM5 = 0
SUM6 = 0
SUM7 = 0
SUM8 = 0
SUM9 = 0
DATAINIT = Worksheets("REALCZ").Cells(CONTOR + 2, 2).Value
SUM = SUM + Worksheets("REALCZ").Cells(CONTOR + 2, 6).Value
SUM1 = SUM1 + Worksheets("REALCZ").Cells(CONTOR + 2, 11).Value
SUM2 = SUM2 + Worksheets("REALCZ").Cells(CONTOR + 2, 8).Value
If Trim(Worksheets("REALCZ").Cells(CONTOR + 2, 9).Value) = "ZM" Then SUM3 = SUM3 + Workshee
... (truncated)