MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is identified as a malicious Excel 5 document by multiple critical heuristics, including specific detection of the Laroux macro virus (Win.Trojan.Laroux-11). Although VBA extraction failed due to an unsupported format, the presence of Laroux markers and ClamAV detection strongly indicates malicious intent. The document body contains what appears to be travel expense data, likely a lure to disguise the malicious macro.
Heuristics 5
-
ClamAV: Win.Trojan.Laroux-11 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Laroux-11
-
Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUSLegacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMSThe file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
-
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTEDolevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_off0000086a.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x86A | 29078 bytes |
SHA-256: c4a77b16bc0e1a1ef016705c0998355e53bdd93692fd1063494b9cc94541bb1e |
|||
|
Detection
ClamAV:
Win.Trojan.Laroux-11
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.