Xls.Trojan.Laroux-28 — Office (OOXML) malware analysis

Static analysis result for SHA-256 69dd17b1d1366b6f…

MALICIOUS

Office (OOXML)

Size: 34.8 KB
Created: 2020-01-27 01:21:16 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2021-10-14
MD5: 6fb87a97ea8671634b7b977d8073022b
SHA-1: 3b40484459d72eea3000c7222ba47d71610b273c
SHA-256: 69dd17b1d1366b6f434d5a8fd6090b4f328cd10937fef43cfe3f0e3401180780
188 Risk Score

Malware Insights

Xls.Trojan.Laroux-28 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

This Excel document contains a VBA macro, specifically an Auto_Open macro, which is a common technique for executing malicious code upon opening. The presence of a hidden worksheet further suggests an attempt to conceal malicious activity. ClamAV signatures identify this as Xls.Trojan.Laroux-28, a known trojan. The VBA script appears to manipulate worksheet visibility and column grouping, likely as part of a larger payload delivery mechanism.

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-28 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-28
  • VBA project inside OOXML medium 1 related finding OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Hidden worksheet (veryHidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6962 bytes
SHA-256: 74d217bd28ed928151a14576e66a2b3ff0d7f6212f9a626703e2a65c9f9f12b2
Detection
ClamAV: Xls.Trojan.Laroux-28
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Option Explicit

'Column display group
Private Enum enmColGroupType
    All = 0
    TTOSS = 1
    JissekiUnchin = 2
    Futai = 3
End Enum

Private Enum enmColIndex
    LogOffTime = 4 'Logoff time
    ShigyoCdSeq = 7 'Duty code SEQ
    SyaRyoCdSeq = 10 'Vehicle code SEQ
    SyainCdSeq = 13 'Employee code SEQ
    SyainNm = 14 'Driver name
    KisoKm = 24 'Deadhead km
    SyuseiJissekiUtn = 38 'Corrected applied fare
    
    ColRight = 53 'Rightmost column
    
    colGroupType = 54
End Enum

'Switch the column display group
Sub Main()
Attribute Main.VB_ProcData.VB_Invoke_Func = "t\n14"
    Dim colIndex As Integer
    Dim ws As Worksheet
    Set ws = ThisWorkbook.Worksheets(1)
    
    Dim colGroupType As Integer
    Dim nextColGroupType As Integer
    
    colGroupType = GetColGroupType(ws)
    
    Select Case colGroupType
    Case enmColGroupType.All
        nextColGroupType = enmColGroupType.TTOSS
    Case enmColGroupType.TTOSS
        nextColGroupType = enmColGroupType.JissekiUnchin
    Case enmColGroupType.JissekiUnchin
        nextColGroupType = enmColGroupType.Futai
    Case enmColGroupType.Futai
        nextColGroupType = enmColGroupType.All
    End Select

    For colIndex = 1 To enmColIndex.ColRight
        Dim colVisible As Boolean
        colVisible = GetColVisible(nextColGroupType, colIndex)
        ws.Columns(colIndex).Hidden = Not colVisible
    Next

    Call SetColGroupType(ws, nextColGroupType)
End Sub

Private Sub SetColGroupType(ByVal ws As Worksheet, ByVal colGroupType As Integer)
    ws.Cells(1, enmColIndex.colGroupType).Value = colGroupType
End Sub

Private Function GetColGroupType(ByVal ws As Worksheet) As Integer
    Dim pColGroupType As String
    pColGroupType = ws.Cells(1, enmColIndex.colGroupType).Value
    
    If IsNumeric(pColGroupType) Then
        GetColGroupType = CInt(pColGroupType)
    Else
        GetColGroupType = enmColGroupType.All
    End If
End Function

Private Function GetColVisible(ByVal vpColGroupType As Integer, ByVal vpColIndex As Integer) As Boolean
    Select Case vpColIndex
    Case enmColIndex.ShigyoCdSeq, enmColIndex.SyaRyoCdSeq, enmColIndex.SyainCdSeq
        'SEQ columns are always hidden
        GetColVisible = False
        Exit Function
    End Select
    
    Select Case vpColGroupType
    Case enmColGroupType.All
        GetColVisible = True
    
    Case enmColGroupType.TTOSS
        If vpColIndex <= enmColIndex.SyainNm Then 'Driver name
            GetColVisible = True
        Else
            GetColVisible = False
        End If
        
    Case enmColGroupType.JissekiUnchin
        If vpColIndex <= enmColIndex.LogOffTime Then 'Logoff time
            GetColVisible = False
        ElseIf vpColIndex <= enmColIndex.SyainNm Then 'Driver name
            GetColVisible = True
        ElseIf vpColIndex <= enmColIndex.KisoKm Then 'Deadhead km
            GetColVisible = False
        ElseIf vpColIndex <= enmColIndex.SyuseiJissekiUtn Then  'Corrected actual fare
            GetColVisible = True
        Else
            GetColVisible = False
        End If
    
    Case enmColGroupType.Futai
        If vpColIndex <= enmColIndex.LogOffTime Then 'Logoff time
            GetColVisible = False
        ElseIf vpColIndex <= enmColIndex.SyainNm Then 'Driver name
            GetColVisible = True
        ElseIf vpColIndex <= enmColIndex.SyuseiJissekiUtn Then  'Corrected actual fare
            GetColVisible = False
        Else
           GetColVisible = True
        End If
        
    End Select
    
End Function


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Pr
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 31232 bytes
SHA-256: 9e5bf5951edc169e7f34df3c5d9c95e50aa7de4aeb54849034197203c3ef9dad
Detection
ClamAV: Xls.Trojan.Laroux-28
Obfuscation or payload: unlikely