Xls.Trojan.Laroux-28 Office (OLE) / .XLS malware analysis — malicious · 6baef40898fed702

MALICIOUS

Office (OLE) / .XLS

352.5 KB Created: 2004-11-03 15:43:09 Authoring application: Microsoft Excel

MD5: 222bd5a9098d0822aba604cb898be322 SHA-1: aa53a0886eba4153963f30ac54227db02e868b3d SHA-256: 6baef40898fed7020fc079f1842922f60a0c7def96b1eacd395d03066378064e

250 Risk Score

Malware Insights

Xls.Trojan.Laroux-28 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

This Excel file contains a critical 'Laroux' macro virus marker and an Auto_Open macro, indicating it is designed to execute malicious VBA code upon opening. The 'SE_INVOICE_LURE' heuristic and the document body content suggest a phishing attempt related to invoices or payments. The VBA script attempts to save a file named 'PLDT.XLS' in the startup path, which is a common technique for establishing persistence or downloading additional payloads.

Heuristics 7

Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS

Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
ClamAV: Xls.Trojan.Laroux-28 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Laroux-28
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `d7bf2f91b353bf5927efeaa76fe4f5c61a829bc6c713bdb600e6d42600339b8f`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2334 bytes
Detection ClamAV: Xls.Trojan.Laroux-28 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.