Malware Insights
The file is a legacy Excel 5.0 workbook (an OLE2/CFB container) that several independent heuristics identify as malicious: ClamAV matches it to the Xls.Trojan.Laroux-1 signature, a marker-cluster rule finds Laroux/Larou-CV macro-virus strings including auto_open execution and workbook/module replication, and the VBA project contains an Auto_Open entry point. The extracted module carries the VB_Name 'laroux', the module name this family copies into the workbooks it infects. The portion of the preview shown below is an ordinary reporting procedure, Find_Current_Securities (it collects rows from the 'report' sheet whose maturity date is later than today, copies them to 'Export' and builds an 'Exposure' pivot table); the infection routine is not within the lines shown, so the preview alone does not display the malicious logic. The combination of findings is characteristic of a legitimate business workbook infected by a self-replicating macro virus rather than of a crafted spearphishing lure: the Auto_Open macro runs when the workbook is opened, and the replication strings indicate it propagates to other workbooks from there. The remaining findings (an embedded CFB child with no readable streams, 100% sector slack, and an unsupported format for VBA extraction) all fit the 18,075-byte carve at offset 0x2F65. Since the four carves' offsets plus sizes all end at byte 30,208, they are overlapping tails of the parent file rather than four distinct embedded documents, and the 'hidden payload' reading should be verified with a proper CFB parse before it is acted on.
Heuristics 8
- ClamAV: Xls.Trojan.Laroux-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Laroux-1.
- Excel 5 Laroux/Larou-CV macro-virus marker cluster (critical, OLE_XLS5_LAROUX_MACRO_VIRUS): the legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster, including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
- Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE): a CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. The rule exists to catch wrapped exploit documents where the top-level file routes to a PE, archive or generic scanner instead of the Office scanner. Here the matching child findings are consistent with the slack and empty-directory anomalies below, raised on the 18,075-byte carve at offset 0x2F65.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): the OLE file is 18,075 bytes but its declared streams total 0 bytes, so all 18,075 bytes (100%) lie in unallocated sector slack. Slack is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure). A carve that declares no streams at all is, however, also exactly what a stray CFB magic match carved to end-of-file looks like, so confirm that the child parses as a compound document before treating its bytes as a payload.
- VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding): the document contains VBA macro code.
- Auto_Open macro (high, OLE_VBA_AUTO): an Auto_Open macro is present; it runs automatically when the workbook is opened.
- CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS): the file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous; it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off sector boundaries to defeat parsers while the host application still recovers the object. The size and zero stream count match the 18,075-byte carve above.
- Unsupported Office format for VBA extraction (info, OFFICE_FORMAT_UNSUPPORTED): olevba could not extract VBA macros from this object (AttributeError); format-agnostic byte-level scans still ran. This is the expected outcome for a legacy, encrypted or malformed OLE/OOXML body, and re-scanning the same bytes will yield the same result. Because macro extraction did succeed on the workbook itself (macros.bas below), this finding most plausibly refers to one of the carved children rather than to the parent file.
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6433 bytes | 6e1f9390fc08fb852aaf365bbfe784420c26a347775f89a180ef0fef6009784e |
| embedded_office_off00002f65.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x2F65 | 18075 bytes | 5d5ffda4eb4a21fbb0ff1df27ebc793e0f61619299d099d9a257b3c38508adf4 |
| embedded_office_off00005967.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x5967 | 7321 bytes | c360f46e6ced1da2396a6e80822379fc4893a791065a606822c873d259a506cb |
| embedded_office_off00005a26.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x5A26 | 7130 bytes | c8c940fc45bb17f3c235a5310a7d3a92112b38fdafed3363b17d90a770b928a0 |
| embedded_office_off00005e53.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x5E53 | 6061 bytes | 7466d9e9db8c17962d64152cb3e3cc7379cd10a3c5fe1ce98b9fa28c20d8c69a |

Detection for macros.bas: ClamAV Xls.Trojan.Laroux-1; obfuscation or payload: unlikely.

Note on the four embedded-office carves: every offset plus size ends at the same byte (0x2F65 + 18075 = 0x5967 + 7321 = 0x5A26 + 7130 = 0x5E53 + 6061 = 30208), so they are overlapping tails of the parent file carved from a magic-byte hit to end-of-file, not four distinct embedded documents, and the largest of them declares no streams. Treat them as candidate carves to verify, not as confirmed wrapped payloads.

Preview script (first 1,000 lines of the extracted macros.bas; the listing is truncated at the end):

```vb
Attribute VB_Name = "laroux"
Option Base 1
Sub Find_Current_Securities()
Attribute Find_Current_Securities.VB_ProcData.VB_Invoke_Func = " \n14"
' Created by : Andrew Stevenson
' Created on : 16-Apr-97
' Aim
' To find the maturity date column and extract any rows which have a maturity date
' greater than todays date
' ***********************************************************************************************
Dim Local_Counter As Integer
Dim Var1 As String
Dim Var2 As Date
Dim LastRow As Integer
Dim CurrentRow As Integer
Dim Active_Repo_RowCounter As Integer
Dim var4 As String
Dim Active_Repos() As Integer
' ***********************************************************************************************
'Prevent any screen flashing while the macro runs
Application.ScreenUpdating = False
Sheets("report").Select
'Find the column which has the Maturity date in it
Range("H5").Select
'Find the last row with data in it
ActiveCell.SpecialCells(xlLastCell).Select
LastRow = ActiveCell.Row
Range("A1").Select
'Move down the row to the end of the sheet and find any columns with mat date > than today
For Local_Counter = 5 To LastRow
Range("H" & Trim(Str(Local_Counter))).Select
'is it a valid date?
If IsDate(ActiveCell.Value) Then 'Yes, so record the row number
If ActiveCell.Value > Now() Then
Active_Repo_RowCounter = Active_Repo_RowCounter + 1
ReDim Preserve Active_Repos(Active_Repo_RowCounter) As Integer
Active_Repos(Active_Repo_RowCounter) = ActiveCell.Row
End If
End If
Next Local_Counter
'Next Section - Copy the active repos to a separate sheet
For Local_Counter = 1 To UBound(Active_Repos)
Sheets("report").Select
CurrentRow = Active_Repos(Local_Counter)
Rows(Trim(Str(CurrentRow)) & ":" & Trim(Str(CurrentRow))).Select
Selection.Copy
Sheets("Export").Select
Rows(Trim(Str(Local_Counter + 1)) & ":" & Trim(Str(Local_Counter + 1))).Select
ActiveSheet.Paste
Next Local_Counter
Sheets("report").Select
Range("A5").Select
Sheets("Export").Select
'Apply the totalling of the Exposure
For Local_Counter = 2 To 16384
If Range("T" & Trim(Str(Local_Counter))).Value = "" Then Exit For 'end of records
Range("U" & Trim(Str(Local_Counter))).Select
If Range("S" & Trim(Str(Local_Counter))).Value < 0 Then 'we are owed the accrued
ActiveCell.FormulaR1C1 = "=-(ABS(RC[-2]) + ABS(RC[-1]))"
Else
ActiveCell.FormulaR1C1 = "=ABS(RC[-2]) - ABS(RC[-1])"
End If
Next Local_Counter
Range("A1").Select
'Clear out the old exposure report
Sheets("Exposure").Select
Cells.Select
Selection.Delete Shift:=xlUp
Sheets("Export").Select
'Move the data to a separate sheet and create an exposure report - Pivot Table
ActiveSheet.PivotTableWizard SourceType:=xlDatabase, SourceData:= _
"Export!R1C1:R20C21", TableDestination:="Exposure!R1C1", TableName:= _
"PivotTable2"
ActiveSheet.PivotTables("PivotTable2").AddFields RowFields:= _
"Counterparty Name"
ActiveSheet.PivotTables("PivotTable2").PivotFields("Exposure"). _
Orientation = xlDataField
'Apply Formatting
Columns("A:A").Select
Selection.Font.Bold = True
Columns("A:A").EntireColumn.AutoFit
Columns("B:B").Select
Selection.Style = "Comma"
Columns("B:B").EntireColumn.AutoFit
Selection.ColumnWidth = 15.67
Range("A1").Select
With Selection.Font
.Name = "Arial"
.FontStyle = "Bold"
.Size = 10
.Strikethrough = False
.Superscript = False
.Subscript = False
.OutlineFont = False
.Shadow = False
.Underline = xlNone
.ColorIndex = 2
... (truncated)
```
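The slack and empty-directory heuristics above, and the carve offsets in the artifact table, can be re-checked with a small compound-file parser. The following is an added example written for this page; it is not the analyzer's code and not oletools. The function names (cfb_header, dir_entry, build_minimal_cfb, parse_cfb, triage_carves) and the sample container are mine and constructed inline: a genuine one-stream CFB, a header-only CFB (valid header, zero FAT sectors, no directory) and a bare magic sequence, all wrapped in an outer blob. It assumes the carver's convention implied by the report's offsets and sizes (every D0 CF 11 E0 hit is carved to end-of-file), honours only the 109 DIFAT entries in the header (enough for compound files up to roughly 7 MB at 512-byte sectors), and counts as slack only the bytes that no header, FAT, directory or stream sector reaches, which is a slightly stricter metric than the report's "file size minus declared stream bytes".

```python
# Added example (not the analyzer's or oletools' code): a minimal [MS-CFB] parser that re-checks
# carves; each magic hit is carved to end-of-buffer, as the report's offset+size arithmetic implies.
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
SECTOR = 512  # sector size of a version-3 compound file


def cfb_header(n_fat: int, first_dir: int) -> bytes:
    """512-byte v3 header; FAT sectors are listed in the header DIFAT only."""
    fixed = struct.pack("<8s16sHHHHH6sIIIIIIIII", MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6,
                        b"\0" * 6, 0, n_fat, first_dir, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = ([0] + [FREESECT] * 108) if n_fat else [FREESECT] * 109
    return fixed + struct.pack("<109I", *difat)


def dir_entry(name: str, etype: int, start: int, size: int, child: int = FREESECT) -> bytes:
    """One 128-byte directory entry (type 5 = root, 2 = stream, 0 = unused)."""
    raw = name.encode("utf-16-le") + b"\0\0"
    return struct.pack("<64sHBBIII16sIQQIQ", raw.ljust(64, b"\0"), len(raw), etype, 1,
                       FREESECT, FREESECT, child, b"\0" * 16, 0, 0, 0, start, size)


def build_minimal_cfb(stream_name: str, payload: bytes) -> bytes:
    """Constructed sample: sector 0 = FAT, 1 = directory, 2.. = one regular stream."""
    n_data = -(-len(payload) // SECTOR)
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 3 + n_data))
    fat[-1] = ENDOFCHAIN
    fat += [FREESECT] * (SECTOR // 4 - len(fat))
    directory = (dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + dir_entry(stream_name, 2, 2, len(payload)) + dir_entry("", 0, 0, 0) * 2)
    return cfb_header(1, 1) + struct.pack("<128I", *fat) + directory + payload.ljust(n_data * SECTOR, b"\0")


def parse_cfb(buf: bytes) -> dict:
    """Walk header, FAT and directory; raise ValueError on a malformed header."""
    if len(buf) < SECTOR or buf[:8] != MAGIC:
        raise ValueError("truncated or no CFB signature")
    major, byte_order, shift = struct.unpack_from("<HHH", buf, 0x1A)
    if major not in (3, 4) or byte_order != 0xFFFE or shift != {3: 9, 4: 12}[major]:
        raise ValueError("malformed CFB header")
    ssz = 1 << shift
    n_fat, first_dir, _txn, mini_cutoff = struct.unpack_from("<IIII", buf, 0x2C)
    fat_sectors = [s for s in struct.unpack_from("<109I", buf, 0x4C)[:n_fat] if s != FREESECT]

    def sector(i):  # sector i starts right after the header sector
        return buf[(i + 1) * ssz:(i + 2) * ssz]

    fat = []
    for s in fat_sectors:
        if len(sector(s)) < ssz:
            raise ValueError("FAT sector beyond end of data")
        fat.extend(struct.unpack(f"<{ssz // 4}I", sector(s)))

    def chain(start):  # follow a FAT chain; end markers, loops and out-of-range links stop it
        seen, cur = [], start
        while cur < len(fat) and cur not in seen:
            seen.append(cur)
            cur = fat[cur]
        return seen

    dir_sectors = chain(first_dir)
    entries = b"".join(sector(s) for s in dir_sectors)
    accounted, streams = set(fat_sectors) | set(dir_sectors), {}
    for off in range(0, len(entries) - 127, 128):
        name_len, etype = struct.unpack_from("<HB", entries, off + 64)
        start, size = struct.unpack_from("<IQ", entries, off + 116)
        if etype == 5:  # root entry: its chain is the mini stream container
            accounted |= set(chain(start))
        elif etype == 2:
            streams[entries[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")] = size
            if size >= mini_cutoff:  # smaller streams sit in the mini stream, not the FAT
                accounted |= set(chain(start))
    whole = (len(buf) - ssz) // ssz  # whole sectors present after the header
    slack = len(buf) - ssz - sum(1 for s in accounted if s < whole) * ssz
    return {"streams": streams, "declared_bytes": sum(streams.values()), "slack_bytes": slack,
            "slack_pct": round(100 * slack / max(len(buf) - ssz, 1), 1)}


def triage_carves(container: bytes) -> list:
    """Every magic hit becomes a carve to end-of-buffer; classify each one."""
    results, pos = [], container.find(MAGIC)
    while pos != -1:
        try:
            info = parse_cfb(container[pos:])
            verdict = "real-cfb" if info["declared_bytes"] else "header-only"
        except ValueError as err:
            info, verdict = {"error": str(err)}, "spurious-magic"
        results.append({"offset": pos, "size": len(container) - pos, "verdict": verdict, **info})
        pos = container.find(MAGIC, pos + 1)
    return results


# Constructed outer blob: prefix bytes, a genuine one-stream CFB, filler, a header-only
# CFB (valid header, zero FAT sectors, no directory), then a bare magic with junk behind it.
INNER = build_minimal_cfb("Book", b"BIFF-record-bytes " * 300)  # 5400 B, above the mini cutoff
CONTAINER = (b"outer-prefix-" * 40 + INNER + b"\xaa" * 300
             + cfb_header(0, ENDOFCHAIN) + b"\xbb" * 1500 + MAGIC + b"\xcc" * 600)

if __name__ == "__main__":
    print(*triage_carves(CONTAINER), sep="\n")
```

Run as a script it lists three carves whose offset plus size all equal the buffer length, the same pattern as the four carves in the table above: the first parses to a real compound document with one 5400-byte stream and only the trailing filler counted as slack, the second has a valid header but zero FAT sectors and therefore no directory and 100% slack (the OLE_PARSE_EMPTY_STREAMS plus OLE_SLACK_ANOMALY combination), and the third fails the header check because the bytes behind the magic are not a CFB header at all. Only the first kind deserves the "embedded Office document" label; the other two are what to expect from magic hits inside the parent's own sectors.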