MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The OOXML file contains a large VBA project and triggers heuristics for VBA macros and CreateObject calls, indicating malicious macro execution. The presence of numerous hidden sheets and external relationships further suggests an attempt to conceal malicious activity. While the VBA code itself appears to be primarily for UI manipulation within Excel, the overall structure and heuristic firings point towards a macro-enabled document designed to execute malicious code, likely for initial access via spearphishing.
Heuristics 7
-
External relationship high OOXML_EXTERNAL_RELExternal target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///\\CZFS01\public\Projekty\Nabídka Word\_v3 - Prikryl akcni team\generator\BACKUP\kalkulace_LWE140_test.xlsm
-
VBA project inside OOXML medium 2 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Hidden worksheet (hidden, veryHidden) low OOXML_HIDDEN_SHEETExcel workbook contains 78 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://pim.toyotamh.cz OOXML external relationship
- http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/PracovnOOXML external relationship
- http://pim.toyotamh.cz@OOXML external relationship
- http://pim.toyotamh.cz�OOXML external relationship
- https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRROOXML external relationship
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 173056 bytes |
SHA-256: 1f328ba3fb1fa2bd86a44ee0f0783f5b504b9a4b6f5cf9942db5225b7bec75e9 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub ALBatButtonX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True
' Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
' ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
Else
Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
End If
End Sub
'Private Sub TMHLiBatButtonX_Click()
' If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
' Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
' ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True
'
' Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
'' ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
'
' Else
' Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
' ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
' End If
'End Sub
Private Sub BezRampyX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
Else
Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
End If
End Sub
Private Sub RampaX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
Else
Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
End If
End Sub
Private Sub TechnikX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
Else
Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
End If
End Sub
Private Sub JerabX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
Else
Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
End If
End Sub
Private Sub OdkupProtiX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
Else
Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
End If
End Sub
Private Sub PreklenovaciPronajemX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
Else
Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
End If
End Sub
Private Sub SpedX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = True
... (truncated)
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 3049984 bytes |
SHA-256: 0e9801163d70355dee5a0f9f906778d0c3ecb0451c83452001a5df63faecfa5c |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 long base64-like blob(s).
|
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: xl/media/image26.emf | 2756 bytes |
SHA-256: 4d2c3a66c317f769487cde91cf799a2f6b920439177e82a803bd23f45d397c96 |
|||
emf_01.emf |
ooxml-emf | OOXML EMF part: xl/media/image4.emf | 4264 bytes |
SHA-256: 13b60d83d1a24b77fee5204d8c92750bd9e3c817500e52fa9de16d393aaba4a7 |
|||
emf_02.emf |
ooxml-emf | OOXML EMF part: xl/media/image5.emf | 4860 bytes |
SHA-256: 55fbdfc2d41fe1feb994bbbdcd2ca966295adad6c77bc7d0b618aaa509a3b641 |
|||
emf_03.emf |
ooxml-emf | OOXML EMF part: xl/media/image6.emf | 4256 bytes |
SHA-256: adee716e36d0c606d604c92cf557cad7499b400e6eee27cb677d27ddc14720cd |
|||
emf_04.emf |
ooxml-emf | OOXML EMF part: xl/media/image22.emf | 2844 bytes |
SHA-256: 59947f0efc724f66847db131a0193947465eab88fb44c741a7ec54c98157c799 |
|||
emf_05.emf |
ooxml-emf | OOXML EMF part: xl/media/image7.emf | 5460 bytes |
SHA-256: 07794f86fd2d8408e92c6cc9330bd8103afcc60e83139d79c94d718cec767992 |
|||
emf_06.emf |
ooxml-emf | OOXML EMF part: xl/media/image8.emf | 4256 bytes |
SHA-256: 44bcdb0093964f87c35bdc1228d0b27cf5dda5529eda6f3ea94a595b0049d3cb |
|||
emf_07.emf |
ooxml-emf | OOXML EMF part: xl/media/image28.emf | 2844 bytes |
SHA-256: be71d4b1e4aa2a8ab15c59fdc1ba02347c7c1a6e9d7830f1f29c9d1c0c271d9a |
|||
emf_08.emf |
ooxml-emf | OOXML EMF part: xl/media/image9.emf | 5072 bytes |
SHA-256: bfa4728179121f9d12739fc2e44b59bf1ce80036d175808d72ebd96c7fb6e16e |
|||
emf_09.emf |
ooxml-emf | OOXML EMF part: xl/media/image10.emf | 4812 bytes |
SHA-256: 94e652f5b62669c5437c57517a985f6db5729df993203a53d29b389ca66fb511 |
|||
emf_10.emf |
ooxml-emf | OOXML EMF part: xl/media/image11.emf | 4256 bytes |
SHA-256: c7f6bf7512a2962932f278c810c7f7f6bc03ba22aa78856dd34479d6fd2d86e2 |
|||
emf_11.emf |
ooxml-emf | OOXML EMF part: xl/media/image25.emf | 2984 bytes |
SHA-256: ef72ac302bbb9093b1e1c00b936cf5736e4c5eeceadbad29b42f95ce634ef2cd |
|||
emf_12.emf |
ooxml-emf | OOXML EMF part: xl/media/image23.emf | 2984 bytes |
SHA-256: f2f30fe266e0ff0f923a8e90055300d300fa0d14697d6f11da94704382c6ec01 |
|||
emf_13.emf |
ooxml-emf | OOXML EMF part: xl/media/image12.emf | 4392 bytes |
SHA-256: 4a915c693a3c4d35490a1c704a79bdd57b56bf85043ef7d7695e8b44ad4f2bbd |
|||
emf_14.emf |
ooxml-emf | OOXML EMF part: xl/media/image13.emf | 4316 bytes |
SHA-256: 4cc8519c4c9d1e30e230c35fc011fa96b014dc0bd8dce534e7299e86425fde48 |
|||
emf_15.emf |
ooxml-emf | OOXML EMF part: xl/media/image20.emf | 2984 bytes |
SHA-256: 1d628d4e51e0a7264fe632694add9e46717491401bee19157993c5467b952c9c |
|||
emf_16.emf |
ooxml-emf | OOXML EMF part: xl/media/image29.emf | 2984 bytes |
SHA-256: 8c8ca278447c10cb25a94cf1088e747041788bce7e76776e097666e53cd849e5 |
|||
emf_17.emf |
ooxml-emf | OOXML EMF part: xl/media/image14.emf | 4300 bytes |
SHA-256: 8f4885364706b57bb85b572b5e2e27eddb65cc512b6d7bb421424315c5454a01 |
|||
emf_18.emf |
ooxml-emf | OOXML EMF part: xl/media/image27.emf | 2984 bytes |
SHA-256: e05bcf86d1e2f5a401d7363a97ee589efc6c217c2e808571557d984994a1ba70 |
|||
emf_19.emf |
ooxml-emf | OOXML EMF part: xl/media/image15.emf | 4960 bytes |
SHA-256: 551603bf27e246cc5722466d0b3401bb07227f29985a676a8709cbae7f4383b7 |
|||
emf_20.emf |
ooxml-emf | OOXML EMF part: xl/media/image21.emf | 2984 bytes |
SHA-256: af54f18f168482746dd730edd53f0bbc97de2f67441516aea80e14f9591dd1e6 |
|||
emf_21.emf |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4960 bytes |
SHA-256: 7fcd61795dac172682664b3f0c6fd1298e8f633d9a3b9d7ffcb947ba8e2180dd |
|||
emf_22.emf |
ooxml-emf | OOXML EMF part: xl/media/image16.emf | 4256 bytes |
SHA-256: 5a9ed2a76500d0e6280add6ace05852f52ea01debef27695292d036d53917299 |
|||
emf_23.emf |
ooxml-emf | OOXML EMF part: xl/media/image2.emf | 4316 bytes |
SHA-256: dae613b2bc99a8d3b328f8a49f6f3c0671a812e0e4e82e0be64c4a9961f3f737 |
|||
emf_24.emf |
ooxml-emf | OOXML EMF part: xl/media/image24.emf | 2984 bytes |
SHA-256: e3b7a60e2112033904658db0c1bde014f194853af249bcd7358273592e51c8f4 |
|||
emf_25.emf |
ooxml-emf | OOXML EMF part: xl/media/image3.emf | 4388 bytes |
SHA-256: 2866fd89b28e6978880f37871fc9e1ccafb3badfc3db0c8d457bf3ffe231307e |
|||
emf_26.emf |
ooxml-emf | OOXML EMF part: xl/media/image30.emf | 2984 bytes |
SHA-256: 0c0fa69e1eb55a4ed425ed0d9570e75ae49bf52137188072762b3925e41f4bfd |
|||
emf_27.emf |
ooxml-emf | OOXML EMF part: xl/media/image31.emf | 2844 bytes |
SHA-256: 870828e31dab1bc1d3d44ff9e023c048243d7817aa8109d8d4acf2b8efd05a83 |
|||
emf_28.emf |
ooxml-emf | OOXML EMF part: xl/media/image32.emf | 2984 bytes |
SHA-256: 0e1ac9ffe57435e2b36009c4f046688ac622c6e652e53796106080e6dfc16cab |
|||
emf_29.emf |
ooxml-emf | OOXML EMF part: xl/media/image33.emf | 2984 bytes |
SHA-256: 2a2fe6163dbc66fc0aca6b6cc487e8999b39cf9546490a77afe38e62ee84f62f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.