Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3899a46542d3ce95…

MALICIOUS

Office (OOXML)

Size: 2.35 MB
Created: 2008-04-04 10:28:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-20
MD5: a68383b9d1c8303cbf8913f7fce6711d
SHA-1: 8714bcb56bb07b0e6879ecf0efe279e5ea8102ff
SHA-256: 3899a46542d3ce9582ddd2c92709cc55983995e197bf756a2bf16af043fe073e
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is a macro-enabled Excel workbook: the OOXML_VBA heuristic found a VBA project (xl/vbaProject.bin, about 2.8 MB) and olevba decoded 164 KB of macro source from it. The previewed part of that source only toggles shape colours and boolean cells on the "1. KALKULACE" sheet in response to button clicks, i.e. it drives an interactive form. The CreateObject and Environ() calls behind OLE_VBA_CREATEOBJ and OLE_VBA_ENVIRON are not in the first 1,000 previewed lines, so the rest of macros.bas has to be read to establish which COM object is instantiated (WScript.Shell, MSXML2.XMLHTTP and ADODB.Stream are the usual ones in downloader macros) and which environment variables are read. The single external relationship is a file:/// target under a user's Outlook temporary-files folder, which Excel will try to resolve when links are updated. The extracted URLs are library and documentation references (VBA-JSON, VBA-UtcConverter, vbaccelerator, MSDN, the MIT license, RFC 4627) and Czech National Bank exchange-rate endpoints; none of them is a detection on its own, and the license and documentation links are the ones that ship in the VBA-JSON source header. The Created timestamp (2008) predates the Excel 16.0 build that last saved the file, so it is an inherited core property, not when this file was produced. The verdict rests on the combination of heuristics (VBA project, CreateObject, Environ(), 16 hidden sheets, external relationship); ClamAV reports no signature match on the VBA project, so confirming or rejecting it requires reading the remaining macro code or detonating the sample.

Heuristics (7)

  • OOXML_EXTERNAL_REL (high): External relationship
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///G:\Users\czjifra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\EKRQQAVT\VersionHistor
  • OOXML_VBA (medium, 2 related findings): VBA project inside OOXML
    Document contains a VBA project — VBA macros present
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)
  • OOXML_HIDDEN_SHEET (low): Hidden worksheet (veryHidden, hidden)
    Excel workbook contains 16 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel label for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel):
    • http://pim.toyotamh.cz (OOXML external relationship)
    • http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn (OOXML external relationship)
    • https://github.com/VBA-tools/VBA-JSON (OOXML external relationship)
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp (OOXML external relationship)
    • https://github.com/VBA-tools/VBA-UtcConverter (OOXML external relationship)
    • http://pim.toyotamh.cz8 (OOXML external relationship)
    • http://pim.toyotamh.cz� (OOXML external relationship)
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR (OOXML external relationship)
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/index.html?date=DD.MM.RRRR (OOXML external relationship)
    • http://www.cnb.cz/cs/financni_trhy/devizovy_trh/kurzy_devizoveho_trhu/denni_kurz.jsp?date=DD.MM.RRRR (OOXML external relationship)
    • http://www.opensource.org/licenses/mit-license.php (OOXML external relationship)
    • http://code.google.com/p/vba-json/ (OOXML external relationship)
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx (OOXML external relationship)
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx (OOXML external relationship)
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx (OOXML external relationship)
    • http://support.microsoft.com/kb/269370 (OOXML external relationship)
    • http://www.ietf.org/rfc/rfc4627.txt (OOXML external relationship)
    • https://support.microsoft.com/en-us/kb/272138 (OOXML external relationship)
    • http://www.opensource.org/licenses/mit-license.php)� (OOXML external relationship)
    The entries ending in a stray "8", "�" or ")" appear to be re-carves of URLs already listed, with a trailing byte from the surrounding string included; treat them as duplicates rather than as distinct hosts. The DD.MM.RRRR suffix on the cnb.cz URLs is a date placeholder the macro fills in at run time, not a literal path.
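The three package-level heuristics above (OOXML_VBA, OOXML_HIDDEN_SHEET, OOXML_EXTERNAL_REL) are all answerable from the zip container without touching the VBA bytecode. The script below is an added example, not code from this report or from oletools, that re-implements those checks in Python and runs them against a workbook built in memory; the sheet names other than "1. KALKULACE", the part layout and the file:/// target are constructed for the demo and are not taken from the analysed sample.

```python
"""Added example, not part of this report or of oletools: a minimal OOXML
triage that re-implements the checks behind the OOXML_VBA, OOXML_HIDDEN_SHEET
and OOXML_EXTERNAL_REL heuristics.  The workbook it inspects is built in
memory; its extra sheet names, parts and the file:/// target are constructed
for the demo and are not taken from the analysed sample."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
EXTLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/externalLinkPath")

# Targets that leave the package: local drive paths, UNC paths and web URLs.
RISKY_TARGET = re.compile(r"^(file:|\\\\|[a-z]:\\|https?:|ftp:)", re.I)


def triage_ooxml(data: bytes) -> dict:
    """Return the three heuristic results for an OOXML package given as bytes."""
    findings = {"vba_project": False, "hidden_sheets": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()

        # OOXML_VBA: a macro-enabled workbook stores its VBA project here.
        findings["vba_project"] = "xl/vbaProject.bin" in names

        # OOXML_HIDDEN_SHEET: visibility is the optional 'state' attribute on
        # each <sheet>; 'veryHidden' cannot be unhidden from the Excel UI.
        if "xl/workbook.xml" in names:
            root = ET.fromstring(z.read("xl/workbook.xml"))
            for sheet in root.iter("{%s}sheet" % MAIN_NS):
                state = sheet.get("state", "visible")
                if state in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((sheet.get("name"), state))

        # OOXML_EXTERNAL_REL: any *.rels part may carry a relationship with
        # TargetMode="External"; the Target is what Excel will try to reach.
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External" and not RISKY_TARGET.match(target):
                    continue
                findings["external_targets"].append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "risky": bool(RISKY_TARGET.match(target)),
                })
    return findings


def build_sample_xlsm() -> bytes:
    """Constructed sample: macro-enabled workbook with one hidden and one
    veryHidden sheet and an external link to a file:/// path (all made up)."""
    workbook_xml = (
        '<workbook xmlns="%s"><sheets>'
        '<sheet name="1. KALKULACE" sheetId="1"/>'
        '<sheet name="Data" sheetId="2" state="hidden"/>'
        '<sheet name="Staging" sheetId="3" state="veryHidden"/>'
        '</sheets></workbook>' % MAIN_NS)
    ext_rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" TargetMode="External" Type="%s" '
        'Target="file:///C:\\Users\\victim\\AppData\\Local\\Temp\\linked.xlsx"/>'
        '</Relationships>' % (REL_NS, EXTLINK_TYPE))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", workbook_xml)
        # Placeholder bytes; a real vbaProject.bin is an OLE compound file.
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24)
        z.writestr("xl/externalLinks/_rels/externalLink1.xml.rels", ext_rels)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_ooxml(build_sample_xlsm()), indent=2))
```

Run it against a real file by replacing the constructed bytes with `open(path, "rb").read()`. The relationship walk deliberately covers every .rels part, not just xl/externalLinks, because hyperlinks in worksheet .rels, OLE objects and template attachments use the same TargetMode="External" mechanism; the heuristic on this page fired on externalLink1.xml.rels only.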

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 164871 bytes
SHA-256: b8d90db92f1e64f556358c6214ef89098c110069899b36b43ea779b17ab232e2
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub ALBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True
'Off the other button
                Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
                ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    Else
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    End If
End Sub


Private Sub TMHLiBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True
'Off the other button
                Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
                ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False

    Else
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    End If
End Sub

Private Sub BezRampyX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
    Else
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
    End If
End Sub

Private Sub RampaX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
    Else
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
    End If
End Sub

Private Sub TechnikX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
    Else
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
    End If
End Sub

Private Sub JerabX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
    Else
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
    End If
End Sub

Private Sub OdkupProtiX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
    Else
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
    End If
End Sub

Private Sub PreklenovaciPronajemX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
    Else
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
    End If
End Sub

Private Sub SpedX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
        Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKUL
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 2795008 bytes
SHA-256: 5b1506fe01573be4a23a700ef238e5ecd7b1dd27cc5d707a16fc4742229a1846
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
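"Obfuscation or payload: likely" above is driven by a regex for long runs of base64-alphabet characters in the carved VBA project. A 2.8 MB project that embeds a JSON library and a string-builder class will contain long alphanumeric runs that satisfy such a regex without being an encoded payload, so the run has to be decoded and inspected before it is escalated. The script below is an added example, not code from this report or from the analysis pipeline, that performs the scan and the follow-up inspection on a constructed byte string standing in for a carved macros.bas.

```python
"""Added example, not from the report: the check behind "long base64-like
blob(s)" in the artifact table, followed by the decode-and-inspect step a
triage should add before calling a run an encoded payload.  The artifact it
scans is a constructed byte string standing in for a carved macro source."""
import base64
import binascii
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_base64_blobs(data: bytes, min_len: int = 64) -> list:
    """Find runs of base64-alphabet bytes at least min_len long, try to decode
    each one, and record what the decoded bytes look like."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    hits = []
    for m in pattern.finditer(data):
        run = m.group(0)
        hit = {"offset": m.start(), "length": len(run), "decodes": False}
        try:
            # Pad to a multiple of four; validate=True rejects stray characters.
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
        except binascii.Error:
            decoded = b""
        if decoded:
            hit["decodes"] = True
            printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in decoded)
            hit["printable_ratio"] = round(printable / len(decoded), 2)
            hit["entropy"] = round(shannon_entropy(decoded), 2)
            hit["head"] = decoded[:4]  # magic bytes, e.g. b"MZ" for a PE
        hits.append(hit)
    return hits


def classify(hit: dict) -> str:
    """Label a hit the way a reviewer would before escalating it."""
    if not hit["decodes"]:
        return "not base64"
    if hit["printable_ratio"] >= 0.95:
        return "decodes to text"
    if hit["entropy"] >= 7.0:
        return "high entropy: possible packed or encrypted payload"
    if hit["entropy"] < 1.0:
        return "degenerate run (repeated characters, not a payload)"
    return "binary"


# Constructed stand-in for a carved macros.bas: one text blob, one
# high-entropy blob, and one long identifier-like run of repeated letters.
SAMPLE = b"\n".join([
    b'Attribute VB_Name = "Module1"',
    b'Const NOTE = "' + base64.b64encode(
        b"constructed placeholder text, not a real payload, used only for this demo") + b'"',
    b'Const BLOB = "' + base64.b64encode(bytes(range(256))) + b'"',
    b'Const FILLER = "' + b"A" * 80 + b'"',
    b"Debug.Print NOTE",
])


if __name__ == "__main__":
    for hit in scan_base64_blobs(SAMPLE):
        print(hit["offset"], hit["length"], classify(hit))
```

On a real carved artifact, feed the file bytes to scan_base64_blobs and look at the high-entropy hits first; a decoded blob whose head is b"MZ" or b"PK" is worth far more than the count of blobs the heuristic reports.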
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image20.emf 2984 bytes
SHA-256: 547a3e4baaec14237cc3990874fbcaf1c30c4d4ecbbe4b1338e9cad731c7561f
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image21.emf 2984 bytes
SHA-256: 70c6d7d8ee84ad6a6e0156d94d1a69a6bf9a75d58cc822f4a28c88ffe81664c4
emf_02.emf ooxml-emf OOXML EMF part: xl/media/image22.emf 2844 bytes
SHA-256: 9ac9c83d2b855f1ad1f5a71507d8e3bea6b32af83f0dfb688d518e310028593c
emf_03.emf ooxml-emf OOXML EMF part: xl/media/image23.emf 2844 bytes
SHA-256: d24fe08108917b38eb61d97c789dcf5084f4795ebecbef89d108d47dd1eecdc0
emf_04.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4256 bytes
SHA-256: e5fde0a2179e49739f2162bd965ad7d3014a27466e59266827b5c2e19e044bfa
emf_05.emf ooxml-emf OOXML EMF part: xl/media/image24.emf 2984 bytes
SHA-256: 4041c7a6e7d74bc677148b606e307960817670b0c51a58b0aeac93bccaa90bf1
emf_06.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 4960 bytes
SHA-256: eb1e259d6a989ef1d90cea5d4564e755921d59797210dd125ef4469f961fd7d7
emf_07.emf ooxml-emf OOXML EMF part: xl/media/image3.emf 4300 bytes
SHA-256: 04230adb67d402e192d1bb2740cca91dcf4531b6451300e6402cb0e9c6842cf7
emf_08.emf ooxml-emf OOXML EMF part: xl/media/image25.emf 2984 bytes
SHA-256: 6514d6297391512d7eb8356aa3543c28766138cecf2915aa6d263a0afd22ed70
emf_09.emf ooxml-emf OOXML EMF part: xl/media/image4.emf 4316 bytes
SHA-256: b780ee254fb42af67b9d38438e1051d46ac393c4c6914d6ff978c87c9586d1be
emf_10.emf ooxml-emf OOXML EMF part: xl/media/image26.emf 2844 bytes
SHA-256: 9dfdf3ede1442ee9fb20459a059ab9f00e9e53361f6ff48ddeb0ae18e1581815
emf_11.emf ooxml-emf OOXML EMF part: xl/media/image5.emf 4392 bytes
SHA-256: a15672917f51113101590ab597d7517888de151cf2792c937cc7ff0d749ec93f
emf_12.emf ooxml-emf OOXML EMF part: xl/media/image6.emf 4256 bytes
SHA-256: 859abebc5be6ffdf0a7c0ba2b4e02c73825241bddf976129832b5c1f76e6fc09
emf_13.emf ooxml-emf OOXML EMF part: xl/media/image27.emf 2984 bytes
SHA-256: 64166d1a09013040386cca19f2cacd3c0916ef64601ba7d5cb33ce650f295dce
emf_14.emf ooxml-emf OOXML EMF part: xl/media/image7.emf 4812 bytes
SHA-256: 1adc369abd3411454906f30aa3d359b6fec060fd6eafaee63d246ec937404e1b
emf_15.emf ooxml-emf OOXML EMF part: xl/media/image28.emf 2984 bytes
SHA-256: 36b2830c7ea932347b013cbb07d4f06c5dbc00659db46b45b0210b42379b21bf
emf_16.emf ooxml-emf OOXML EMF part: xl/media/image8.emf 5072 bytes
SHA-256: b19730b68423dfc12d824fdbca50b7d5642412fc7fe899b603b957d645b367b0
emf_17.emf ooxml-emf OOXML EMF part: xl/media/image9.emf 4256 bytes
SHA-256: 953479fe12384c533284c5a9c98f349aa165a62118df9d6c9fe107debe95c98d
emf_18.emf ooxml-emf OOXML EMF part: xl/media/image29.emf 2844 bytes
SHA-256: 045eeff98bd6d01c65592af7033817e3c92d2d5de52b823cc53ca9aafff6a3d6
emf_19.emf ooxml-emf OOXML EMF part: xl/media/image10.emf 5460 bytes
SHA-256: d72c2d3d3555198197c8d30381dd57b1109be1cc0d2fa53964605ce7d16e9c8f
emf_20.emf ooxml-emf OOXML EMF part: xl/media/image30.emf 2984 bytes
SHA-256: 5fd408747f5144e32cb8ae8acf5e57297d3509086c8450921991b1fcf61c0b51
emf_21.emf ooxml-emf OOXML EMF part: xl/media/image11.emf 4256 bytes
SHA-256: 3afde4ab13c941b4b9d7a64ca9ff5cb8272f98207a920efb26d925e50b113c6b
emf_22.emf ooxml-emf OOXML EMF part: xl/media/image12.emf 4860 bytes
SHA-256: 3befb3713debc51fe86495904151199f3f42e123ce01aa462b7259b0ae4415ca
emf_23.emf ooxml-emf OOXML EMF part: xl/media/image31.emf 2984 bytes
SHA-256: a2225e404bac17cb33cb88c0633a3c4e163fbc99317ec08bde52fd78b47ab8fa
emf_24.emf ooxml-emf OOXML EMF part: xl/media/image13.emf 4264 bytes
SHA-256: 697f5eaa971c33d9498c6d757a025eef79bf61ad58ad6f4c7583d510bf40e35e
emf_25.emf ooxml-emf OOXML EMF part: xl/media/image32.emf 2844 bytes
SHA-256: aebfbc43ac1e77b988a0d01b3b52c1c878c1b476a0d6cc17ece4e8a525e10066
emf_26.emf ooxml-emf OOXML EMF part: xl/media/image33.emf 2984 bytes
SHA-256: 6372b643a90976902502cfcc7ef0fbd947e17c51517df42797d45d88bae0886a
emf_27.emf ooxml-emf OOXML EMF part: xl/media/image14.emf 4388 bytes
SHA-256: 2129666bd0f3bb2b0e5c33fa4f7d9eea61df43af4587b24fa98085576a22335d
emf_28.emf ooxml-emf OOXML EMF part: xl/media/image15.emf 4316 bytes
SHA-256: e2073939861d5adaf29131c490644754607a3d23ea750ec3923c4db0dea4dbc2
emf_29.emf ooxml-emf OOXML EMF part: xl/media/image34.emf 2984 bytes
SHA-256: 31a7100bc72ebc564de9ea37e4d232b0809da388c1f760020d75c8ee2ccf5988