Xls.Trojan.Laroux-21 Office (OLE) / .XLS malware analysis — malicious · 733a7d34e51983c0

MALICIOUS

Office (OLE) / .XLS

20.5 KB Created: 1998-11-06 09:29:16 Authoring application: Microsoft Excel

MD5: b556e6b71c8de93bb4901e88793e85bb SHA-1: 37a0e39090f3c936e9acb0300e8c3cf4960567a8 SHA-256: 733a7d34e51983c0b3d2191dfea523951d9faa41e3d65aa0797a4913ec5db5b8

180 Risk Score

Malware Insights

Xls.Trojan.Laroux-21 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

This XLS file contains a VBA macro with an Auto_Open subroutine, which is a common technique for executing malicious code upon opening. The script attempts to save a copy of itself as 'jokefile.xls' in the Application.StartupPath, indicating an attempt at persistence. The ClamAV detection confirms this is a known malicious variant.

Heuristics 4

ClamAV: Xls.Trojan.Laroux-21 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Trojan.Laroux-21
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f7fdbe7aaa1266e7b277238d79b60058042ecceafe9af92b551dd17daac31bbc`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1356 bytes
Detection ClamAV: Xls.Trojan.Laroux-21 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.