Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 779cfe3cbd91c692…

MALICIOUS

Office (OOXML)

Size: 2.35 MB
Created: 2008-04-04 10:28:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-20
MD5: f4d80f1326db4a0657d6692d99b95d4d
SHA-1: 98883f87a7979b60b59ed70194985e5dd6917deb
SHA-256: 779cfe3cbd91c6926b5c8a2f1fbc7d178387ed27c8f6ba689dcbdd00d52f7f80
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel document containing VBA macros, indicated by the 'OOXML_VBA' heuristic. The macros appear to create a fake user interface for selecting battery and charger options, as seen in the 'macros.bas' script and the 'DOC BODY' content. The 'CreateObject' call suggests the macro is attempting to execute arbitrary code. The external relationship URL points to a local file path, which is suspicious and could be an attempt to obfuscate malicious links or actions.

Heuristics (7)

  • External relationship [high] OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink3.xml.rels: file:///G:\Users\BEBRBAKUS\Documents\_TMHE\FY17 pricing\ELP update Dec-15\COPY FOR ELP UPDATED WAREHOUSE COSTS DPM Full
  • VBA project inside OOXML [medium, 2 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Hidden worksheet (veryHidden, hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 16 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://pim.toyotamh.cz (OOXML external relationship)
    • http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn (OOXML external relationship)
    • https://github.com/VBA-tools/VBA-JSON (OOXML external relationship)
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp (OOXML external relationship)
    • https://github.com/VBA-tools/VBA-UtcConverter (OOXML external relationship)
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR (OOXML external relationship)
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/index.html?date=DD.MM.RRRR (OOXML external relationship)
    • http://www.cnb.cz/cs/financni_trhy/devizovy_trh/kurzy_devizoveho_trhu/denni_kurz.jsp?date=DD.MM.RRRR (OOXML external relationship)
    • http://www.opensource.org/licenses/mit-license.php (OOXML external relationship)
    • http://code.google.com/p/vba-json/ (OOXML external relationship)
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx (OOXML external relationship)
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx (OOXML external relationship)
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx (OOXML external relationship)
    • http://support.microsoft.com/kb/269370 (OOXML external relationship)
    • http://www.ietf.org/rfc/rfc4627.txt (OOXML external relationship)
    • https://support.microsoft.com/en-us/kb/272138 (OOXML external relationship)

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 164871 bytes
SHA-256: 04866a445f446e2183d680ecb51dcf8e3b4c969aa7384b10c9fa36cac0ce8968
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub ALBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True
'Off the other button
                Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
                ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    Else
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    End If
End Sub


Private Sub TMHLiBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True
'Off the other button
                Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
                ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False

    Else
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    End If
End Sub

Private Sub BezRampyX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
    Else
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
    End If
End Sub

Private Sub RampaX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
    Else
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
    End If
End Sub

Private Sub TechnikX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
    Else
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
    End If
End Sub

Private Sub JerabX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
    Else
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
    End If
End Sub

Private Sub OdkupProtiX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
    Else
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
    End If
End Sub

Private Sub PreklenovaciPronajemX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
    Else
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
    End If
End Sub

Private Sub SpedX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
        Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKUL
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 2799616 bytes
SHA-256: fb888557322e54ff8bf3eb5e57780d3cb95969cd3f9646a655198f19bf19fa0c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image35.emf 3504 bytes
SHA-256: 1eaeb8023fb28b15b658eaaac748a23a278c3511b9af3323ae886f70b3a087bf
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image36.emf 3504 bytes
SHA-256: 9e697928f4bb4398cca8baaa025d8878f05819bce8d690ba646f4a604d295d68
emf_02.emf ooxml-emf OOXML EMF part: xl/media/image37.emf 3364 bytes
SHA-256: dfde6f4a2c55a98eb4bfa50e0d8263db47296fb33ed0db4346ed7993679d4a97
emf_03.emf ooxml-emf OOXML EMF part: xl/media/image38.emf 3504 bytes
SHA-256: 80232ef1b937b50040a9c5311a5b3bd7d99c507e35aeb94aeb62e02bd6aefb5e
emf_04.emf ooxml-emf OOXML EMF part: xl/media/image39.emf 3504 bytes
SHA-256: f1e2eed0935033142177881393e3f70aceebc30401419527c232537bd6254307
emf_05.emf ooxml-emf OOXML EMF part: xl/media/image34.emf 3364 bytes
SHA-256: eebab507c5599e96dca2e275f55423fc876c3b16ccc430e52ea2b6365393ebc0
emf_06.emf ooxml-emf OOXML EMF part: xl/media/image33.emf 3504 bytes
SHA-256: 8db165a68e8919a0dc928aea7a14bf318e2f372d408c9f17e81e1fef94733702
emf_07.emf ooxml-emf OOXML EMF part: xl/media/image32.emf 3504 bytes
SHA-256: 003ea815e5f6f59d036ec46f21264db3bab2f71dfdbdad56a1d6b508adb8bdc7
emf_08.emf ooxml-emf OOXML EMF part: xl/media/image28.emf 3364 bytes
SHA-256: a8cf35fea3f90cce3c48613e3ee37a356c9157b6ed1c4e2573f5bb125c36624a
emf_09.emf ooxml-emf OOXML EMF part: xl/media/image29.emf 3504 bytes
SHA-256: f5de01f3dc2025b7cdf6be522526c5c5d9b4765e34db160c2c3788ea109f20f0
emf_10.emf ooxml-emf OOXML EMF part: xl/media/image30.emf 3504 bytes
SHA-256: 2470db6c99dec9986b069ee0c3e44cfd8d82bdfdf2d832995d6758a8a6f2e807
emf_11.emf ooxml-emf OOXML EMF part: xl/media/image31.emf 3364 bytes
SHA-256: 113d3bb0358331c55b635de076fdab53c6c64b1adf135ded50bb66bc53417e67
emf_12.emf ooxml-emf OOXML EMF part: xl/media/image40.emf 3364 bytes
SHA-256: 0a2baf5070e4e75b5a2d93af0abb464ac0f9458a420fdb11164220bd613309c0
emf_13.emf ooxml-emf OOXML EMF part: xl/media/image41.emf 3504 bytes
SHA-256: bb7c9683c03373cfe97c155847b411536042f5ff0e3c9adeff93384f3e76965a
emf_14.emf ooxml-emf OOXML EMF part: xl/media/image42.emf 3504 bytes
SHA-256: c944d3491585189fbe22b43d0f9010dcb459252594edfc768ff98b3093543d5c
emf_15.emf ooxml-emf OOXML EMF part: xl/media/image50.emf 3504 bytes
SHA-256: 3d097900bb0f1533a8a7ec7ae19915e8865589d29d8855afa8464c2860b265ed
emf_16.emf ooxml-emf OOXML EMF part: xl/media/image51.emf 3504 bytes
SHA-256: 86c5198597c3bcc7cda9ccca81aa6692f51693ab953b250d2f3dcb76cb1db2e9
emf_17.emf ooxml-emf OOXML EMF part: xl/media/image52.emf 3364 bytes
SHA-256: 8bbc298df8f5651f22a0baa5c3d34fcec41a435db38a2736c8c111fd0158bb39
emf_18.emf ooxml-emf OOXML EMF part: xl/media/image53.emf 3504 bytes
SHA-256: 21197c1903a08da7b658284da637cc342b00caf05495a6be948c7ff689754f48
emf_19.emf ooxml-emf OOXML EMF part: xl/media/image49.emf 3364 bytes
SHA-256: b62d094de337371c8a2c8ebcb2a259a821b8bcaa24da1a091b1e0897634758cb
emf_20.emf ooxml-emf OOXML EMF part: xl/media/image48.emf 3504 bytes
SHA-256: 89a9815197b059a1440edf0b71a0090c40f104b8cb69a44ee385a730bcc079cc
emf_21.emf ooxml-emf OOXML EMF part: xl/media/image47.emf 3504 bytes
SHA-256: 3eab83fd94b6e787f425bb74e75e0d8eb11c577889811d732c58adc6c4d898a9
emf_22.emf ooxml-emf OOXML EMF part: xl/media/image43.emf 3364 bytes
SHA-256: e7072a98ab2c74db45b6de234f3d8e1c5d7008a97b74a456ba4f60b6abbedc6d
emf_23.emf ooxml-emf OOXML EMF part: xl/media/image44.emf 3504 bytes
SHA-256: 411440d28aba6acc6e2f3f564412dcbe8d1b246041b5451967c920fe8fe7e57b
emf_24.emf ooxml-emf OOXML EMF part: xl/media/image45.emf 3504 bytes
SHA-256: 4b070b796ad750784b47feff43421e81399dbd932f7e52ead2512cc5a21d7200
emf_25.emf ooxml-emf OOXML EMF part: xl/media/image46.emf 3364 bytes
SHA-256: ddd1d61c52f8ffbec3b2c568b06fb0dfcc53d45b83d5a58b0e90097a4bd89f0c
emf_26.emf ooxml-emf OOXML EMF part: xl/media/image27.emf 3504 bytes
SHA-256: 6cfa477e96682cca5c510c7d325201812033ec1a4ad4393861bc0ca3c3486f0a
emf_27.emf ooxml-emf OOXML EMF part: xl/media/image26.emf 3364 bytes
SHA-256: 195022eb4f1625496e6ad23f186c2e50d5ef9c5fe942415aae4c9a13deab6f69
emf_28.emf ooxml-emf OOXML EMF part: xl/media/image25.emf 3504 bytes
SHA-256: 686a85835716dbed02ce23fc9852dc15c96d810f80125e9ff434fd31d4226963
emf_29.emf ooxml-emf OOXML EMF part: xl/media/image16.emf 4396 bytes
SHA-256: f0b8c8c7b7222efd947d39937f56d734a212cf2ac52beeaaf2dec636cf2146b9