MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is an Excel workbook carrying VBA macros, as indicated by the OOXML_VBA and OLE_VBA_CREATEOBJ heuristics. The macros manipulate UI elements and cell values within the spreadsheet, which the analyzer reads as an attempt to present a deceptive interface; the same pattern is also how legitimate form-driven workbooks behave, so it is suggestive rather than conclusive. The workbook has an external relationship to another spreadsheet on a local drive and contains URLs of unknown reputation such as http://pim.toyotamh.cz. Unknown reputation is not evidence of malicious infrastructure: the https://www.cnb.cz/... URL, for instance, is the Czech National Bank daily exchange-rate text feed, a routine data source for a pricing workbook. Taken together the indicators are consistent with a macro-enabled document used for phishing or as a downloader, but the verdict on this page rests on static heuristics only: ClamAV reports no threats and no network or process behaviour is recorded. To confirm, inspect the extracted macro source (macros.bas) for the CreateObject and Environ() call sites and for what the code does with the unknown-reputation URLs.
Heuristics (7)
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call in the VBA code.
- External relationship (high, OOXML_EXTERNAL_REL): External target in xl/externalLinks/_rels/externalLink4.xml.rels: file:///G:\Users\czjaspr\Desktop\Ceny ND a smlouvy\EKA ceníky a kalkulátory\Servisní smlouva FY16 verze_1.4.xlsx (Czech path; roughly "Spare-part prices and contracts\EKA price lists and calculators\Service contract FY16 version_1.4.xlsx").
- VBA project inside OOXML (medium, OOXML_VBA): Document contains a VBA project; VBA macros are present.
- Environ() call (low, OLE_VBA_ENVIRON): Environ() call (environment variable access).
- Hidden worksheet (low, OOXML_HIDDEN_SHEET): Excel workbook contains 18 hidden sheet(s) (hidden or veryHidden). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://pim.toyotamh.cz
  - http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn
  - http://pim.toyotamh.cz@ (carving variant of the first URL with a trailing `@`)
  - http://pim.toyotamh.cz followed by an undecodable byte (second carving variant of the first URL)
  - https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR
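The container-level checks behind OOXML_VBA, OOXML_HIDDEN_SHEET, OOXML_EXTERNAL_REL and EMBEDDED_URL can be reproduced offline with nothing but the Python standard library, because an .xlsx is a ZIP of XML parts. The block below is an added example written for this page, not the analyzer's own code. The workbook it builds in memory, its sheet names, the file:// target path and the noise-host list are assumptions made for the example; the only real URL in it is the cnb.cz exchange-rate feed listed above.

```python
"""Offline reproduction of the container-level heuristics in this report.

Added example, not the analyzer's code. Checks an .xlsx byte string for:
  OOXML_VBA          - xl/vbaProject.bin present
  OOXML_HIDDEN_SHEET - <sheet state="hidden"|"veryHidden"> in xl/workbook.xml
  OOXML_EXTERNAL_REL - TargetMode="External" relationships under xl/externalLinks/_rels/
  EMBEDDED_URL       - http(s) URLs carved from any part
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
# Greedy carve over the RFC 3986 character set. '@' is a legal URL character,
# so junk after a host yields variants such as "http://pim.toyotamh.cz@".
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# Namespace hosts present in every OOXML part; never indicators (assumed list)
NOISE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}


def triage_xlsx(data: bytes) -> dict:
    """Return the structural indicators found in an xlsx given as bytes."""
    found = {"vba": False, "hidden_sheets": [], "external_targets": [], "urls": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        found["vba"] = "xl/vbaProject.bin" in names
        if "xl/workbook.xml" in names:
            # Sheet visibility is only an attribute on <sheet>; 18 hidden sheets
            # in the report means 18 such attributes in this one part.
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
                state = sheet.get("state", "visible")
                if state in ("hidden", "veryHidden"):
                    found["hidden_sheets"].append((sheet.get("name"), state))
        for name in names:
            blob = zf.read(name)
            if name.startswith("xl/externalLinks/_rels/") and name.endswith(".rels"):
                for rel in ET.fromstring(blob).iter(f"{{{NS_REL}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        found["external_targets"].append((name, rel.get("Target")))
            for m in URL_RE.finditer(blob):
                url = m.group().decode("ascii", "replace")
                if urlparse(url).hostname not in NOISE_HOSTS:
                    found["urls"].add(url)
    found["urls"] = sorted(found["urls"])
    return found


def severity_tags(found: dict) -> list:
    """Map findings to the report's heuristic codes, highest severity first."""
    tags = []
    if found["external_targets"]:
        tags.append(("high", "OOXML_EXTERNAL_REL"))
    if found["vba"]:
        tags.append(("medium", "OOXML_VBA"))
    if found["hidden_sheets"]:
        tags.append(("low", "OOXML_HIDDEN_SHEET"))
    if found["urls"]:
        tags.append(("info", "EMBEDDED_URL"))
    return tags


def build_sample_xlsx() -> bytes:
    """Constructed workbook mimicking the indicators above (hypothetical content)."""
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<workbook xmlns="{NS_MAIN}"><sheets>'
        '<sheet name="Cenik" sheetId="1"/>'
        '<sheet name="Data" sheetId="2" state="hidden"/>'
        '<sheet name="Kalkulator" sheetId="3" state="veryHidden"/>'
        "</sheets></workbook>"
    )
    sheet_xml = (
        f'<worksheet xmlns="{NS_MAIN}"><sheetData><row r="1">'
        '<c r="A1" t="inlineStr"><is><t>https://www.cnb.cz/cs/financni-trhy/'
        "devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/"
        "denni_kurz.txt?date=DD.MM.RRRR</t></is></c></row></sheetData></worksheet>"
    )
    rels_xml = (
        f'<Relationships xmlns="{NS_REL}"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" '
        'Target="file:///G:\\Users\\example\\Desktop\\Servisni smlouva.xlsx" '
        'TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
        zf.writestr("xl/externalLinks/_rels/externalLink1.xml.rels", rels_xml)
        # OLE compound-file magic plus filler: enough for the presence check
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_xlsx(build_sample_xlsx())
    for sev, tag in severity_tags(result):
        print(f"{sev:7} {tag}")
    print(result)
```

Run it on a real file with `triage_xlsx(open(path, "rb").read())`. Two points the heuristics above rely on are visible here: the hidden-sheet count comes from a single attribute in one XML part, and URL carving is a greedy character-class match, which is how host-plus-junk variants like the `@`-suffixed entry in the list above arise; filtering on the parsed hostname, as done for the namespace URLs, is the usual fix.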
Extracted artifacts (32)
Files carved from inside the sample during analysis. Hashes are SHA-256.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | 08b31ab81571f2bf1424a08446fc3739b6b546a3a9bed1719cb65f21b8305d54 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 156061 bytes |
| vbaProject_00.bin | f829cdc4b3c1df4a98257276f07860c8d19c2edc5ee4df7b9e02d25b9ee10d5f | vba-project | OOXML VBA project: xl/vbaProject.bin | 2973184 bytes |
| emf_00.emf | 9b8e4062c9eb78e06c9cb5008f6cfd315eace72059a536bab971a52b9491588e | ooxml-emf | OOXML EMF part: xl/media/image50.emf | 3364 bytes |
| emf_01.emf | ed721a7225830a2c4c2143eafedb65a494d14e055975f56abb00dc0be1bd9c9d | ooxml-emf | OOXML EMF part: xl/media/image51.emf | 3504 bytes |
| emf_02.emf | d67648ee35a7a6bd87f302e9f18fa8720f917ca90d652ebf3f6cbf7e0b09d6db | ooxml-emf | OOXML EMF part: xl/media/image52.emf | 3504 bytes |
| emf_03.emf | 6a195ca28618a6a16d66041ad93320b2604487c9f4e8835e202412ee2a658546 | ooxml-emf | OOXML EMF part: xl/media/image53.emf | 3364 bytes |
| emf_04.emf | 42d79f8229f82adb1c356d89ab864e756f6041345ac6886a8c7108133059d510 | ooxml-emf | OOXML EMF part: xl/media/image54.emf | 3504 bytes |
| emf_05.emf | 529e6abc47ee4229f238f043b53c2e8ccdc368b5648a602becd53574b548e806 | ooxml-emf | OOXML EMF part: xl/media/image55.emf | 3504 bytes |
| emf_06.emf | 2b13b75e46310ffb7488fb867802b395254fc9c4a505f389b0e6f9a7bd3d5a9e | ooxml-emf | OOXML EMF part: xl/media/image49.emf | 3504 bytes |
| emf_07.emf | f95b3a131937b059415086a6b3da787d391605a7bb65d0de57a1ded2e588cac3 | ooxml-emf | OOXML EMF part: xl/media/image48.emf | 3504 bytes |
| emf_08.emf | 5fbbf1442d5c7735e5d2fea56270e8f332e44cad5314fa41872457a2d98a65ad | ooxml-emf | OOXML EMF part: xl/media/image47.emf | 3364 bytes |
| emf_09.emf | a5460ede5f5cf56b45a96e623e91730c9c75fd374ae40b567eac6d10edba5d7d | ooxml-emf | OOXML EMF part: xl/media/image41.emf | 3364 bytes |
| emf_10.emf | f6cda18cc2297c8389d5d61117270929939571784de35a577b2f0850ff5d5fc1 | ooxml-emf | OOXML EMF part: xl/media/image42.emf | 3504 bytes |
| emf_11.emf | 839ac548b73dfe4ea98cfa8a2984e60a06f7ebbf33d92f9e8f01f7a383d84959 | ooxml-emf | OOXML EMF part: xl/media/image43.emf | 3504 bytes |
| emf_12.emf | 40ca83e14b2f16463500df9580301a9deb220e84822a4968ddc98ff303e84ff6 | ooxml-emf | OOXML EMF part: xl/media/image44.emf | 3364 bytes |
| emf_13.emf | 2132704153e2db7d0d318765f44d44ef5e3eb79e79bf421433bb80acd358879c | ooxml-emf | OOXML EMF part: xl/media/image45.emf | 3504 bytes |
| emf_14.emf | ddc4567b8eb6e782900e195461ab3b1c3f323e9957e6dcbdb0eaf3d15456335c | ooxml-emf | OOXML EMF part: xl/media/image46.emf | 3504 bytes |
| emf_15.emf | d6dcfe8663aa4e6318f21cb2cefacc9d4469f6a032a548da6e1be707687b1b7a | ooxml-emf | OOXML EMF part: xl/media/image56.emf | 3364 bytes |
| emf_16.emf | 534e8d43a39ce590c3e77a0b106717a67183936fd945af15c2180806d1ef5e97 | ooxml-emf | OOXML EMF part: xl/media/image57.emf | 3504 bytes |
| emf_17.emf | e2a656155c3c46e0409cc3395f55f946fd243df2e7b4f6c383f14779c93782b8 | ooxml-emf | OOXML EMF part: xl/media/image58.emf | 3504 bytes |
| emf_18.emf | 9d94c2869bd6abe8e734cc7be64df7548cfae9df4cdec42918ec542ec4537077 | ooxml-emf | OOXML EMF part: xl/media/image67.emf | 3504 bytes |
| emf_19.emf | 317373eeecbf7b03210d69cdb5f5bbd6126f5c5b20812b2668c0aeb5ac1475f5 | ooxml-emf | OOXML EMF part: xl/media/image66.emf | 3504 bytes |
| emf_20.emf | f3a76b8c53fc48742f5b4d1644c5455e959b5c9e0d1f196f8fdfbc5a234f3577 | ooxml-emf | OOXML EMF part: xl/media/image65.emf | 3364 bytes |
| emf_21.emf | 6e48a56db03f3879997c769561a0429beefe72b8ab07f61691d8e5606b8e0a81 | ooxml-emf | OOXML EMF part: xl/media/image59.emf | 3364 bytes |
| emf_22.emf | ec49f1ab95400cc5298ae9ec82666674a2ee025d4bd88705579954940e1c588a | ooxml-emf | OOXML EMF part: xl/media/image60.emf | 3504 bytes |
| emf_23.emf | 812b401f104fde6c0e0afb2e661ee1538ac55f5cdf6b2b97e40ff43618490608 | ooxml-emf | OOXML EMF part: xl/media/image61.emf | 3364 bytes |
| emf_24.emf | bda8fa975ab89efb72193ac88f5b50a2873dc8fd4f1783acb2066006640d3491 | ooxml-emf | OOXML EMF part: xl/media/image62.emf | 3504 bytes |
| emf_25.emf | 68cdc385d4edcd8e9d550668c18a94b85a4ef77dbe751ff62423d46db4f77872 | ooxml-emf | OOXML EMF part: xl/media/image63.emf | 3504 bytes |
| emf_26.emf | 8acdc7aa87755041d9307ba1f1b7cae42414b4de988c0c33ff0712a09a3a4fa9 | ooxml-emf | OOXML EMF part: xl/media/image64.emf | 3504 bytes |
| emf_27.emf | 4ddf19bb7a2a6b312b36b22aeeed23ab7c29a816c4a7f0cfc71ddc673a0fc745 | ooxml-emf | OOXML EMF part: xl/media/image39.emf | 3504 bytes |
| emf_28.emf | 8ab57e01b6ae823c8af8160e5fb10abdf377c590a53f8e10a7b2518b9a060521 | ooxml-emf | OOXML EMF part: xl/media/image38.emf | 3364 bytes |
| emf_29.emf | e4e26234a3da8de42e93f6863688baaf3e1873ab70ddb5cf0df289a1d0ea7e41 | ooxml-emf | OOXML EMF part: xl/media/image20.emf | 3504 bytes |

Detection detail shown beneath the vbaProject_00.bin row:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 3 long base64-like blob(s).

The 30 EMF parts come in only two sizes (3364 and 3504 bytes), which suggests two small images repeated with minor variations; no detection detail is shown for them.
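What the analyzer did to the carved macros.bas and reported as "Obfuscation or payload: likely" can be approximated with a few regular expressions over the decoded VBA source: locate the call sites behind OLE_VBA_CREATEOBJ and OLE_VBA_ENVIRON, find runs of base64 alphabet long enough to be an encoded payload, and try to decode them. The block below is an added example, not the analyzer's or oletools' code. The VBA module it scans is constructed for the example; the OLE_VBA_CREATEOBJ and OLE_VBA_ENVIRON tags are the report's, while VBA_SHELL and VBA_DOWNLOAD are names chosen here for two common neighbours, and the 64-character blob threshold is an assumption.

```python
"""Static triage of decoded VBA source (added example, not the analyzer's code)."""
import base64
import re

SUSPICIOUS = {
    "OLE_VBA_CREATEOBJ": re.compile(r"\bCreateObject\s*\(", re.I),
    "OLE_VBA_ENVIRON": re.compile(r"\bEnviron\s*\(", re.I),
    # The next two tags are this example's own names, not the report's
    "VBA_SHELL": re.compile(r"\bShell\s*\(|\bWScript\.Shell\b", re.I),
    "VBA_DOWNLOAD": re.compile(r"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", re.I),
}
# 64+ characters of the base64 alphabet, optionally padded: a run that long
# almost never occurs in hand-written VBA outside an encoded payload (assumed threshold)
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def _decode(blob: str) -> bytes:
    """Strict base64 decode; returns b'' when the run is not really base64."""
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def triage_vba(src: str) -> dict:
    """Return keyword hits (tag -> line numbers) and decoded base64-like blobs."""
    hits = {tag: [] for tag in SUSPICIOUS}
    blobs = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for tag, rx in SUSPICIOUS.items():
            if rx.search(line):
                hits[tag].append(lineno)
        for m in B64_RE.finditer(line):
            raw = _decode(m.group())
            blobs.append({
                "line": lineno,
                "length": len(m.group()),
                # printable text means a staged script; an MZ header means an embedded PE
                "printable": bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw),
                "is_pe": raw.startswith(b"MZ"),
                "decoded_prefix": raw[:16],
            })
    return {"hits": {t: n for t, n in hits.items() if n}, "blobs": blobs}


# Constructed macro text in the shape the heuristics above describe (hypothetical)
STAGE2 = 'Set o = CreateObject("WScript.Shell"): o.Run "calc.exe"'
SAMPLE_VBA = "\n".join([
    'Attribute VB_Name = "Module1"',
    "Private Sub Workbook_Open()",
    "    Dim tmp As String",
    '    tmp = Environ("TEMP") & "\\stage.vbs"',
    '    Set sh = CreateObject("WScript.Shell")',
    f'    payload = "{base64.b64encode(STAGE2.encode()).decode()}"',
    "End Sub",
])

if __name__ == "__main__":
    report = triage_vba(SAMPLE_VBA)
    for tag, lines in report["hits"].items():
        print(f"{tag}: lines {lines}")
    for b in report["blobs"]:
        print(f"line {b['line']}: {b['length']}-char blob, printable={b['printable']}, "
              f"pe={b['is_pe']}, starts {b['decoded_prefix']!r}")
```

On a real sample, feed `triage_vba` the decoded source olevba extracted (the macros.bas artifact above). The decode step is what turns "3 long base64-like blobs" from a count into evidence: a blob that decodes to printable script text is a staged second stage, one that starts with `MZ` is an embedded executable, and one that does not decode at all is probably a key, a hash or an image, which is worth knowing before calling the document a downloader.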