Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The file is a macro-enabled Excel document containing a large VBA project. Heuristics indicate the presence of external relationships and hidden worksheets, commonly used to conceal malicious code. The VBA macros likely attempt to download and execute a secondary payload from the embedded URLs, which are associated with a known domain. The use of VBA macros points to a spearphishing attachment as the likely initial access vector.
Heuristics: 6
- [high] External relationship (OOXML_EXTERNAL_REL): External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///\\CZFS01\public\Projekty\Nabídka Word\_v3 - Prikryl akcni team\generator\BACKUP\kalkulace_LWE140_test.xlsm
- [medium] VBA project inside OOXML (OOXML_VBA, 1 related finding): Document contains a VBA project — VBA macros present
- [low] Environ() call (env variable access) (OLE_VBA_ENVIRON): Environ() call (env variable access)
- [low] Hidden worksheet (hidden, veryHidden) (OOXML_HIDDEN_SHEET): Excel workbook contains 78 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
- [info] Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- [info] Embedded URL (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://pim.toyotamh.cz (OOXML external relationship)
  - http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn (OOXML external relationship)
Extracted artifacts: 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 139646 bytes | 5d7d732ee601b2e924f25d77b4df0b25eabefed2c4b7e9f8404071fa5e61abeb |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ComboBox1, 3, 32, MSForms, ComboBox"
Attribute VB_Control = "ComboBox2, 4, 33, MSForms, ComboBox"
Attribute VB_Control = "ComboBox3, 5, 34, MSForms, ComboBox"
Attribute VB_Control = "ComboBox4, 6, 35, MSForms, ComboBox"
Attribute VB_Control = "ComboBox5, 7, 36, MSForms, ComboBox"
Attribute VB_Control = "ComboBox6, 8, 37, MSForms, ComboBox"
Attribute VB_Control = "ComboBox7, 9, 38, MSForms, ComboBox"
Attribute VB_Control = "ComboBox8, 10, 39, MSForms, ComboBox"
Attribute VB_Control = "ComboBox9, 11, 40, MSForms, ComboBox"
Attribute VB_Control = "ComboBox10, 12, 41, MSForms, ComboBox"
Attribute VB_Control = "ComboBox11, 13, 42, MSForms, ComboBox"
Attribute VB_Control = "ComboBox12, 14, 43, MSForms, ComboBox"
Attribute VB_Control = "ComboBox13, 15, 44, MSForms, ComboBox"
Attribute VB_Control = "ComboBox14, 16, 45, MSForms, ComboBox"
Attribute VB_Control = "ComboBox15, 17, 46, MSForms, ComboBox"
Attribute VB_Control = "ComboBox16, 18, 47, MSForms, ComboBox"
Attribute VB_Name = "List13"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "OptionButton2, 1, 96, MSForms, OptionButton"
Attribute VB_Control = "OptionButton3, 2, 97, MSForms, OptionButton"
Attribute VB_Control = "OptionButton4, 3, 98, MSForms, OptionButton"
Attribute VB_Control = "OptionButton5, 4, 99, MSForms, OptionButton"
Attribute VB_Control = "OptionButton6, 5, 100, MSForms, OptionButton"
Attribute VB_Control = "OptionButton7, 6, 101, MSForms, OptionButton"
Attribute VB_Control = "OptionButton8, 7, 102, MSForms, OptionButton"
Attribute VB_Control = "OptionButton9, 8, 103, MSForms, OptionButton"
Attribute VB_Control = "OptionButton10, 9, 104, MSForms, OptionButton"
Attribute VB_Control = "OptionButton11, 10, 105, MSForms, OptionButton"
Attribute VB_Control = "OptionButton12, 11, 106, MSForms, OptionButton"
Attribute VB_Control = "OptionButton13, 12, 107, MSForms, OptionButton"
Attribute VB_Control = "OptionButton14, 13, 108, MSForms, OptionButton"
Attribute VB_Control = "OptionButton15, 14, 109, MSForms, OptionButton"
Attribute VB_Control = "OptionButton16, 15, 110, MSForms, OptionButton"
Attribute VB_Control = "OptionButton17, 16, 111, MSForms, OptionButton"
Attribute VB_Control = "OptionButton18, 17, 112, MSForms, OptionButton"
Attribute VB_Control = "OptionButton19, 18, 113, MSForms, OptionButton"
Attribute VB_Control = "OptionButton20, 19, 114, MSForms, OptionButton"
Attribute VB_Control = "OptionButton21, 20, 115, MSForms, OptionButton"
Attribute VB_Control = "OptionButton22, 21, 116, MSForms, OptionButton"
Attribute VB_Control = "OptionButton23, 22, 117, MSForms, OptionButton"
Attribute VB_Control = "OptionButton24, 23, 118, MSForms, OptionButton"
Attribute VB_Control = "OptionButton25, 24, 119, MSForms, OptionButton"
Attribute VB_Control = "OptionButton26, 25, 120, MSForms, OptionButton"
Attribute VB_Control = "OptionButton27, 26, 121, MSForms, OptionButton"
Attribute VB_Control = "OptionButton28, 27, 122, MSForms, OptionButton"
Attribute VB_Control = "OptionButton29, 28, 123, MSForms, OptionButton"
Attribute VB_Control = "OptionButton30, 29, 124, MSForms, OptionButton"
Attribute VB_Control = "OptionButton31, 30, 125, MSForms, OptionButton"
Attribute VB_Control =
... (truncated)

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 2823168 bytes | 6e32eae11538bfd07989808628cdd363834d07bf7dda7eb355672afa10d5e7e7 |

Detection (vbaProject_00.bin)
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 4 long base64-like blob(s).

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image26.emf | 2756 bytes | 2333d4d0842d21ff5614b942460bc8c9d3c97c1dcb617c7f78ceaf9038dd02a9 |
| emf_01.emf | ooxml-emf | OOXML EMF part: xl/media/image4.emf | 4264 bytes | c427fb8bcef16c02aca29e191a07f37f3ee299644300c4bcfbe618f6d98f7891 |
| emf_02.emf | ooxml-emf | OOXML EMF part: xl/media/image5.emf | 4860 bytes | 5419007d0d776a9e14e8c7aaf17495e8d81c036a26aec34b55643e73095d1440 |
| emf_03.emf | ooxml-emf | OOXML EMF part: xl/media/image6.emf | 4256 bytes | f5c2de1dbe66795ef61e141094ace3c2848539ac5c7b7c123071955cb5336a88 |
| emf_04.emf | ooxml-emf | OOXML EMF part: xl/media/image22.emf | 2844 bytes | cd32f855ee8a6bacc73f3904bc4abe2adc8cb846d2454f841d031afb753c3e39 |
| emf_05.emf | ooxml-emf | OOXML EMF part: xl/media/image7.emf | 5460 bytes | 9593edb33d138307e6687e533230aea5a592885fc15d051967a1a5f0a4cef8cb |
| emf_06.emf | ooxml-emf | OOXML EMF part: xl/media/image8.emf | 4256 bytes | 769b1ae19c2eda8d6df471dfa4a509cae919c34021372cd264aafd5e4703a02a |
| emf_07.emf | ooxml-emf | OOXML EMF part: xl/media/image28.emf | 2844 bytes | 3754d36f18275c50cd9bad132116b616f43c4d685bcb02a1cdcfeee4c8560957 |
| emf_08.emf | ooxml-emf | OOXML EMF part: xl/media/image9.emf | 5072 bytes | 6262856b1d8ff40e13974d8351857c4805ba528f0b1a36ddcdac923dc95e7420 |
| emf_09.emf | ooxml-emf | OOXML EMF part: xl/media/image10.emf | 4812 bytes | 4089a37d72e7d3dbe7dab7df914fccb35b71899168a6732008247e6648fd18ab |
| emf_10.emf | ooxml-emf | OOXML EMF part: xl/media/image11.emf | 4256 bytes | 76f53bd600ef066e48c7f7a8d183afca77b564e874729cd88e287057fd564f39 |
| emf_11.emf | ooxml-emf | OOXML EMF part: xl/media/image25.emf | 2984 bytes | ebb9f9185422848cbb82798546970278148d760205cf7f76d4626c518413a4cd |
| emf_12.emf | ooxml-emf | OOXML EMF part: xl/media/image23.emf | 2984 bytes | eecb7c87d84f70caa604d2b6c0fab0dd41f121dd59bbd093087f48628429975d |
| emf_13.emf | ooxml-emf | OOXML EMF part: xl/media/image12.emf | 4392 bytes | f1e0a5a1aab16a3441a1497ac3c8807cf84210e10acdbd25f666c1d4ce31ee72 |
| emf_14.emf | ooxml-emf | OOXML EMF part: xl/media/image13.emf | 4316 bytes | a518fde675a45d556e3d19098ee3738dc5ada875aea5f15991330b19e93e28f7 |
| emf_15.emf | ooxml-emf | OOXML EMF part: xl/media/image20.emf | 2984 bytes | 94fda91ffa308057151f72d5b57285fad74edbf83920b673f82f62dc6aca69ad |
| emf_16.emf | ooxml-emf | OOXML EMF part: xl/media/image29.emf | 2984 bytes | f82753447df766b3103043f66d1224ee0437f4b872d84ea6458f44f6302858ed |
| emf_17.emf | ooxml-emf | OOXML EMF part: xl/media/image14.emf | 4300 bytes | 01b5096c3728ebd0015b93e404524975dfa6a570f1080e70c4757441fd26017f |
| emf_18.emf | ooxml-emf | OOXML EMF part: xl/media/image27.emf | 2984 bytes | 5fba6b3298adf9bebf61168a3258af5d183d60d1a63a5b91e59901796192adaa |
| emf_19.emf | ooxml-emf | OOXML EMF part: xl/media/image15.emf | 4960 bytes | c5939577234e8344345de31bd3b277a31eb05d3f269e0c9ab2e5075f832a0690 |
| emf_20.emf | ooxml-emf | OOXML EMF part: xl/media/image21.emf | 2984 bytes | d7599e0e2f87134170859bad53830223da645e68d3c8e7887f4169f6685ac0b1 |
| emf_21.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4960 bytes | d6f793f2210be330f34ee262f9be6bc59ec3893c6a97df943b53fb719d309a45 |
| emf_22.emf | ooxml-emf | OOXML EMF part: xl/media/image16.emf | 4256 bytes | b56947298b13d2f7076fc58a632783058fc17c8b8a4614985bf1cda3e3a6d839 |
| emf_23.emf | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 4316 bytes | 98c1e0cf25375dcabd542f82406260ab825446567729c5a71374cd51d57048d7 |
| emf_24.emf | ooxml-emf | OOXML EMF part: xl/media/image24.emf | 2984 bytes | 810c14ab12a19d5c9aeae561fe51bd1dc89ac1703ffb8ab8de37078582e21e0d |
| emf_25.emf | ooxml-emf | OOXML EMF part: xl/media/image3.emf | 4388 bytes | 0add87510adf1e91a26dace5b5a79823a49f03ab2370e01ee287d0018bdfdbab |
| emf_26.emf | ooxml-emf | OOXML EMF part: xl/media/image30.emf | 2984 bytes | f1a9d94103e4e5fd60672601aecdb39af09bc19bcee16731f201f481e2b97830 |
| emf_27.emf | ooxml-emf | OOXML EMF part: xl/media/image31.emf | 2844 bytes | f16ddaffadb0b4556918ce9aa4a4b6dbc35fdf8174132f27cc78d4f36a24f73a |
| emf_28.emf | ooxml-emf | OOXML EMF part: xl/media/image32.emf | 2984 bytes | f1ce46809e3ae0bb7be6b640a60aeea2805cae34d7b2f7da9900be9febad207a |
| emf_29.emf | ooxml-emf | OOXML EMF part: xl/media/image33.emf | 2984 bytes | 4bb584f9681166a4d2c30d5da2b14e60c28f6e812f8a12a64fed30120f3b4bba |