Xls.Trojan.Laroux-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 ef79607789f7c5a6…

MALICIOUS

Office (OLE)

Size: 29.5 KB
Created: 1997-12-08 17:44:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 3d75830ca5d1f0d419d0ad8efb47a692
SHA-1: 83bb817fb7c32b3030b5533a9ab0d5977290f889
SHA-256: ef79607789f7c5a65ab93cbcca5245a64d7af037e3df57448910b054f0803460
Risk Score: 362

Malware Insights

Xls.Trojan.Laroux-1 · confidence 95%

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as a malicious Excel 5.0 spreadsheet by multiple heuristics, including critical findings for the 'Xls.Trojan.Laroux-1' signature and the presence of an Auto_Open VBA macro. The extracted VBA module, named 'laroux', contains code that appears to search for specific data within the spreadsheet and potentially execute further actions, although the extracted source is truncated, so its full functionality cannot be determined from the preview. The presence of the Auto_Open macro strongly suggests an attempt to execute code automatically when the document is opened, which is characteristic of a spearphishing attachment.

Heuristics (8)

  • ClamAV: Xls.Trojan.Laroux-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Laroux-1
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster [critical] OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster, including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of the Office scanner.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 18,075 bytes but its declared streams total only 0 bytes — 18,075 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • CFB header with no readable streams [medium] OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Unsupported Office format for VBA extraction [info] OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely a legacy, encrypted, or malformed OLE/OOXML file; re-scanning the same bytes will yield the same outcome.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6433 bytes
SHA-256: 6e1f9390fc08fb852aaf365bbfe784420c26a347775f89a180ef0fef6009784e
Detection: ClamAV: Xls.Trojan.Laroux-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "laroux"

Option Base 1

Sub Find_Current_Securities()
Attribute Find_Current_Securities.VB_ProcData.VB_Invoke_Func = " \n14"

'   Created by  :   Andrew Stevenson
'   Created on  :   16-Apr-97

'   Aim
'   To find the maturity date column and extract any rows which have a maturity date
'   greater than todays date

'   ***********************************************************************************************

    Dim Local_Counter As Integer
    Dim Var1 As String
    Dim Var2 As Date
    Dim LastRow As Integer
    Dim CurrentRow As Integer
    Dim Active_Repo_RowCounter As Integer
    Dim var4 As String
    Dim Active_Repos() As Integer

'   ***********************************************************************************************
    'Prevent any screen flashing while the macro runs
    Application.ScreenUpdating = False
    Sheets("report").Select
    'Find the column which has the Maturity date in it
    Range("H5").Select
    'Find the last row with data in it
    ActiveCell.SpecialCells(xlLastCell).Select
    LastRow = ActiveCell.Row
    Range("A1").Select
    
    'Move down the row to the end of the sheet and find any columns with mat date > than today
    For Local_Counter = 5 To LastRow
        Range("H" & Trim(Str(Local_Counter))).Select
        'is it a valid date?
        If IsDate(ActiveCell.Value) Then        'Yes, so record the row number
            If ActiveCell.Value > Now() Then
                Active_Repo_RowCounter = Active_Repo_RowCounter + 1
                ReDim Preserve Active_Repos(Active_Repo_RowCounter) As Integer
                Active_Repos(Active_Repo_RowCounter) = ActiveCell.Row
            End If
        End If
    Next Local_Counter
    
    'Next Section - Copy the active repos to a separate sheet
    For Local_Counter = 1 To UBound(Active_Repos)
        Sheets("report").Select
        CurrentRow = Active_Repos(Local_Counter)
        Rows(Trim(Str(CurrentRow)) & ":" & Trim(Str(CurrentRow))).Select
        Selection.Copy
        Sheets("Export").Select
        Rows(Trim(Str(Local_Counter + 1)) & ":" & Trim(Str(Local_Counter + 1))).Select
        ActiveSheet.Paste
    Next Local_Counter
    Sheets("report").Select
    Range("A5").Select
    Sheets("Export").Select
        
    'Apply the totalling of the Exposure
    For Local_Counter = 2 To 16384
        If Range("T" & Trim(Str(Local_Counter))).Value = "" Then Exit For   'end of records
        Range("U" & Trim(Str(Local_Counter))).Select
        If Range("S" & Trim(Str(Local_Counter))).Value < 0 Then             'we are owed the accrued
            ActiveCell.FormulaR1C1 = "=-(ABS(RC[-2]) + ABS(RC[-1]))"
        Else
            ActiveCell.FormulaR1C1 = "=ABS(RC[-2]) - ABS(RC[-1])"
        End If
    Next Local_Counter
    Range("A1").Select
    
    'Clear out the old exposure report
    Sheets("Exposure").Select
    Cells.Select
    Selection.Delete Shift:=xlUp
    Sheets("Export").Select
    
    
    'Move the data to a separate sheet and create an exposure report - Pivot Table
    ActiveSheet.PivotTableWizard SourceType:=xlDatabase, SourceData:= _
        "Export!R1C1:R20C21", TableDestination:="Exposure!R1C1", TableName:= _
        "PivotTable2"
    ActiveSheet.PivotTables("PivotTable2").AddFields RowFields:= _
        "Counterparty Name"
    ActiveSheet.PivotTables("PivotTable2").PivotFields("Exposure"). _
        Orientation = xlDataField
    'Apply Formatting
    Columns("A:A").Select
    Selection.Font.Bold = True
    Columns("A:A").EntireColumn.AutoFit
    Columns("B:B").Select
    Selection.Style = "Comma"
    Columns("B:B").EntireColumn.AutoFit
    Selection.ColumnWidth = 15.67
    Range("A1").Select
    With Selection.Font
        .Name = "Arial"
        .FontStyle = "Bold"
        .Size = 10
        .Strikethrough = False
        .Superscript = False
        .Subscript = False
        .OutlineFont = False
        .Shadow = False
        .Underline = xlNone
        .ColorIndex = 2
  
... (truncated)
Filename: embedded_office_off00002f65.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside OLE container at offset 0x2F65
Size: 18075 bytes
SHA-256: 5d5ffda4eb4a21fbb0ff1df27ebc793e0f61619299d099d9a257b3c38508adf4

Filename: embedded_office_off00005967.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside OLE container at offset 0x5967
Size: 7321 bytes
SHA-256: c360f46e6ced1da2396a6e80822379fc4893a791065a606822c873d259a506cb

Filename: embedded_office_off00005a26.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside OLE container at offset 0x5A26
Size: 7130 bytes
SHA-256: c8c940fc45bb17f3c235a5310a7d3a92112b38fdafed3363b17d90a770b928a0

Filename: embedded_office_off00005e53.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside OLE container at offset 0x5E53
Size: 6061 bytes
SHA-256: 7466d9e9db8c17962d64152cb3e3cc7379cd10a3c5fe1ce98b9fa28c20d8c69a