Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7378d3ac5d699e2e…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 8.80 MB
Created: 2008-04-04 10:28:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-12

MD5: 47ffb7ed1060084d218efb58e608323b
SHA-1: b104126ec22e3abbde14bb41a3e9a76db8bfaf32
SHA-256: 7378d3ac5d699e2ef59d1572a575cf11a81a9fa5c9f3e7063708641821a6961a

Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The presence of VBA macros, specifically the use of `CreateObject`, indicates a high likelihood of malicious intent. The macros appear to interact with spreadsheet cells and potentially external links, suggesting an attempt to gather information or download further payloads. The embedded URLs, while some are marked as benign, include suspicious domains that warrant investigation.

Heuristics (7)

  • External relationship (severity: high; rule ID: OOXML_EXTERNAL_REL)
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///\\CZFS01\public\Projekty\Nabídka Word\_v3 - Prikryl akcni team\generator\BACKUP\kalkulace_LWE140_test.xlsm
  • VBA project inside OOXML (severity: medium; 2 related findings; rule ID: OOXML_VBA)
    Document contains a VBA project: VBA macros present
  • CreateObject call (severity: high; rule ID: OLE_VBA_CREATEOBJ)
    CreateObject call
  • Environ() call (env variable access) (severity: low; rule ID: OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Hidden worksheet (hidden, veryHidden) (severity: low; rule ID: OOXML_HIDDEN_SHEET)
    Excel workbook contains 78 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact (severity: info; rule ID: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel in parentheses, URL text reproduced as extracted):
    • http://pim.toyotamh.cz (OOXML external relationship)
    • http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn (OOXML external relationship)
    • http://pim.toyotamh.cz8 (OOXML external relationship)
    • http://pim.toyotamh.cz� (OOXML external relationship)
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR (OOXML external relationship)

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 179025 bytes
SHA-256: 6e477eb79f94784bc3620c6e80155283724dc07382fc5357ba6cdd2f4cb40de5
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub ALBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True

  '              Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
    '            ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    Else
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    End If
End Sub


'Private Sub TMHLiBatButtonX_Click()
'    If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
'        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
'        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True
'
'                Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
''                ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
'
'    Else
'        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
'        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
'    End If
'End Sub

Private Sub BezRampyX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
    Else
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
    End If
End Sub

Private Sub RampaX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
    Else
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
    End If
End Sub

Private Sub TechnikX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
    Else
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
    End If
End Sub

Private Sub JerabX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
    Else
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
    End If
End Sub

Private Sub OdkupProtiX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
    Else
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
    End If
End Sub

Private Sub PreklenovaciPronajemX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
    Else
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
    End If
End Sub

Private Sub SpedX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
        Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = True
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 2956288 bytes
SHA-256: a973491761fd7cd3a20e2386297d03a9f509387d8e8c8e5923555feeb1d67eb4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image26.emf 2756 bytes
SHA-256: 59829e624855f68c394ba2fd4188dc684350afa7ac5133a71ddc3bff169e089b
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image4.emf 4264 bytes
SHA-256: 6d1149061740d43d02eca6829b214d70e36d75635e3a7b8c41f7be5af518baf4
emf_02.emf ooxml-emf OOXML EMF part: xl/media/image5.emf 4860 bytes
SHA-256: a944a1d51f2e5b8fe63ba13338f65bcf047e25242f729b99a40d4287316d8ad6
emf_03.emf ooxml-emf OOXML EMF part: xl/media/image6.emf 4256 bytes
SHA-256: 80be1cde30a8b57fa0b886fb491ea515b5aec1ca7c40dbfdecf791c3ed7a8ce2
emf_04.emf ooxml-emf OOXML EMF part: xl/media/image22.emf 2844 bytes
SHA-256: 6a94df7d78bc9c0c02d27678d030ce454697a75ebfcbb1a0f91796140aab1e59
emf_05.emf ooxml-emf OOXML EMF part: xl/media/image7.emf 5460 bytes
SHA-256: ce0bfa193177e183ee562e21134e14c01cc7dff2d16614e32ed55d7d632c46c3
emf_06.emf ooxml-emf OOXML EMF part: xl/media/image8.emf 4256 bytes
SHA-256: 66eafdcf6c1453609d75e91315a211720e7e92168d0cb4da1799e9430135de18
emf_07.emf ooxml-emf OOXML EMF part: xl/media/image28.emf 2844 bytes
SHA-256: b9f18bae18eeab462c7698c82396973383525855bd850e5cf8ce4b0ff073b0f4
emf_08.emf ooxml-emf OOXML EMF part: xl/media/image9.emf 5072 bytes
SHA-256: 25340756553cd2b2e468124f8b4e6a46d3b7c0829efb83cee646a4f4b01229a9
emf_09.emf ooxml-emf OOXML EMF part: xl/media/image10.emf 4812 bytes
SHA-256: bb28ae9d72b21f6aed611f8e18c28ba2ec57bbdfbff4f5cbd4c5e2c9aa8befaa
emf_10.emf ooxml-emf OOXML EMF part: xl/media/image11.emf 4256 bytes
SHA-256: 584154c48079cecfd5172f710700a6e5e13621e4e8461bff662e3b6b634d427a
emf_11.emf ooxml-emf OOXML EMF part: xl/media/image25.emf 2984 bytes
SHA-256: 474f0d5aa5f316db67e8a80b0a0cc0b320ccf48a39a1cd002a525f3c7ca309f5
emf_12.emf ooxml-emf OOXML EMF part: xl/media/image23.emf 2984 bytes
SHA-256: f414133bb720e6647bd02378fbd542a898be441ba51e8efaa8507cd5c7b0c7b7
emf_13.emf ooxml-emf OOXML EMF part: xl/media/image12.emf 4392 bytes
SHA-256: 39bf1a9beb578e22dd46461f147a5cb6d6cc2ddc6a12b6beb7c0c69325ee7304
emf_14.emf ooxml-emf OOXML EMF part: xl/media/image13.emf 4316 bytes
SHA-256: 5fb83ceac3d11f8a920590b96cda7515eab40db19c518f5a37984c43967b4645
emf_15.emf ooxml-emf OOXML EMF part: xl/media/image20.emf 2984 bytes
SHA-256: 8f5ced57fc563f66df11ca614f7ce61deb67673e66ffd65e05d1d8131434a80f
emf_16.emf ooxml-emf OOXML EMF part: xl/media/image29.emf 2984 bytes
SHA-256: 777383a9908c490db186bff414df7d0e531529dedf1face3f6f6b6e9a8662934
emf_17.emf ooxml-emf OOXML EMF part: xl/media/image14.emf 4300 bytes
SHA-256: a597527e0e0aba503fcebefe5c29d4b791b1eb627ba0ff652b5c8c78f3204eaf
emf_18.emf ooxml-emf OOXML EMF part: xl/media/image27.emf 2984 bytes
SHA-256: 09a73c9f9d09c980d3d452459244c4716c9f58f6e2167590cc81e9f3cceb537e
emf_19.emf ooxml-emf OOXML EMF part: xl/media/image15.emf 4960 bytes
SHA-256: 2364ff319f9bca7fbc9e96efaa87700f1a12b94a30fd1b557e1b58f4918308a4
emf_20.emf ooxml-emf OOXML EMF part: xl/media/image21.emf 2984 bytes
SHA-256: 047a09ac070c976920ad266465cfbf081ea1b632340b64819ee69000f84b7e83
emf_21.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4960 bytes
SHA-256: 2444fb8921675370003576ef02b2dd600bbb09cb85d652f4e7de5e23a8134991
emf_22.emf ooxml-emf OOXML EMF part: xl/media/image16.emf 4256 bytes
SHA-256: 2ce947eaebe78c288a9ab21dbb9a12565c1b7750e29b9808f0a1380c2eb7dfeb
emf_23.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 4316 bytes
SHA-256: bcfde7680edc04d5150f5c4c3e051a5bb554a29d6db6692831910be1d67804e6
emf_24.emf ooxml-emf OOXML EMF part: xl/media/image24.emf 2984 bytes
SHA-256: c8fc1b07350f8f259e22a9bcc308e39e98144f7370f109226b41e07e69f698b8
emf_25.emf ooxml-emf OOXML EMF part: xl/media/image3.emf 4388 bytes
SHA-256: a53bea7b7ee1113a0476a205817d36f79230f2ad3b24177705a792e1871cf252
emf_26.emf ooxml-emf OOXML EMF part: xl/media/image30.emf 2984 bytes
SHA-256: 38ea892dda5dfe45cc35b432811e9867af4511477b51b183e9a9d804f3f0801b
emf_27.emf ooxml-emf OOXML EMF part: xl/media/image31.emf 2844 bytes
SHA-256: 1925102c20ccf25dc99293535f16a46edb0fe614cceeaa35c049755dcf21e3be
emf_28.emf ooxml-emf OOXML EMF part: xl/media/image32.emf 2984 bytes
SHA-256: aa5f1e5fa90fff760c303f77bc071aee69bc6ccb70c0924226bf6b1978673475
emf_29.emf ooxml-emf OOXML EMF part: xl/media/image33.emf 2984 bytes
SHA-256: 74a40168ac6bcaeefdeadaa44843859b72732ebf310c02cab418b7a59d11f9d1