Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The file is a macro-enabled Excel document containing a large VBA project. Heuristics indicate the presence of external relationships and hidden worksheets, commonly used to conceal malicious code. The VBA macros likely attempt to download and execute a secondary payload from the embedded URLs, which are associated with a known domain. The use of VBA macros points to a spearphishing attachment as the likely initial access vector.
Heuristics 6
- External relationship (high, OOXML_EXTERNAL_REL): External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///\\CZFS01\public\Projekty\Nabídka Word\_v3 - Prikryl akcni team\generator\BACKUP\kalkulace_LWE140_test.xlsm
- VBA project inside OOXML (medium, 1 related finding, OOXML_VBA): Document contains a VBA project — VBA macros present
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Hidden worksheet (veryHidden, hidden) (low, OOXML_HIDDEN_SHEET): Excel workbook contains 78 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://pim.toyotamh.cz (OOXML external relationship)
  - http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn (OOXML external relationship)
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 147176 bytes |

SHA-256: d35e0498c89dfd9588af93d57bc4e7ea1b948fa5d34f1fc368d0030afa814ba7

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ComboBox1, 3, 32, MSForms, ComboBox"
Attribute VB_Control = "ComboBox2, 4, 33, MSForms, ComboBox"
Attribute VB_Control = "ComboBox3, 5, 34, MSForms, ComboBox"
Attribute VB_Control = "ComboBox4, 6, 35, MSForms, ComboBox"
Attribute VB_Control = "ComboBox5, 7, 36, MSForms, ComboBox"
Attribute VB_Control = "ComboBox6, 8, 37, MSForms, ComboBox"
Attribute VB_Control = "ComboBox7, 9, 38, MSForms, ComboBox"
Attribute VB_Control = "ComboBox8, 10, 39, MSForms, ComboBox"
Attribute VB_Control = "ComboBox9, 11, 40, MSForms, ComboBox"
Attribute VB_Control = "ComboBox10, 12, 41, MSForms, ComboBox"
Attribute VB_Control = "ComboBox11, 13, 42, MSForms, ComboBox"
Attribute VB_Control = "ComboBox12, 14, 43, MSForms, ComboBox"
Attribute VB_Control = "ComboBox13, 15, 44, MSForms, ComboBox"
Attribute VB_Control = "ComboBox14, 16, 45, MSForms, ComboBox"
Attribute VB_Control = "ComboBox15, 17, 46, MSForms, ComboBox"
Attribute VB_Control = "ComboBox16, 18, 47, MSForms, ComboBox"
Attribute VB_Name = "List13"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "OptionButton2, 1, 96, MSForms, OptionButton"
Attribute VB_Control = "OptionButton3, 2, 97, MSForms, OptionButton"
Attribute VB_Control = "OptionButton4, 3, 98, MSForms, OptionButton"
Attribute VB_Control = "OptionButton5, 4, 99, MSForms, OptionButton"
Attribute VB_Control = "OptionButton6, 5, 100, MSForms, OptionButton"
Attribute VB_Control = "OptionButton7, 6, 101, MSForms, OptionButton"
Attribute VB_Control = "OptionButton8, 7, 102, MSForms, OptionButton"
Attribute VB_Control = "OptionButton9, 8, 103, MSForms, OptionButton"
Attribute VB_Control = "OptionButton10, 9, 104, MSForms, OptionButton"
Attribute VB_Control = "OptionButton11, 10, 105, MSForms, OptionButton"
Attribute VB_Control = "OptionButton12, 11, 106, MSForms, OptionButton"
Attribute VB_Control = "OptionButton13, 12, 107, MSForms, OptionButton"
Attribute VB_Control = "OptionButton14, 13, 108, MSForms, OptionButton"
Attribute VB_Control = "OptionButton15, 14, 109, MSForms, OptionButton"
Attribute VB_Control = "OptionButton16, 15, 110, MSForms, OptionButton"
Attribute VB_Control = "OptionButton17, 16, 111, MSForms, OptionButton"
Attribute VB_Control = "OptionButton18, 17, 112, MSForms, OptionButton"
Attribute VB_Control = "OptionButton19, 18, 113, MSForms, OptionButton"
Attribute VB_Control = "OptionButton20, 19, 114, MSForms, OptionButton"
Attribute VB_Control = "OptionButton21, 20, 115, MSForms, OptionButton"
Attribute VB_Control = "OptionButton22, 21, 116, MSForms, OptionButton"
Attribute VB_Control = "OptionButton23, 22, 117, MSForms, OptionButton"
Attribute VB_Control = "OptionButton24, 23, 118, MSForms, OptionButton"
Attribute VB_Control = "OptionButton25, 24, 119, MSForms, OptionButton"
Attribute VB_Control = "OptionButton26, 25, 120, MSForms, OptionButton"
Attribute VB_Control = "OptionButton27, 26, 121, MSForms, OptionButton"
Attribute VB_Control = "OptionButton28, 27, 122, MSForms, OptionButton"
Attribute VB_Control = "OptionButton29, 28, 123, MSForms, OptionButton"
Attribute VB_Control = "OptionButton30, 29, 124, MSForms, OptionButton"
Attribute VB_Control = "OptionButton31, 30, 125, MSForms, OptionButton"
Attribute VB_Control =
... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 2830848 bytes |

SHA-256: 4d88ca80d60b4a8387ceb898a264b54c849d042fc33058bead418955596236c4

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 3 long base64-like blob(s).