Malware Insights
The file is a macro-enabled Excel workbook (OOXML with xl/vbaProject.bin). Two heuristics fire at high severity: an external relationship with a file:// target, and a CreateObject call in the decoded macro source; the VBA project itself is a medium finding, and Environ() access and hidden sheets are low. None of these is a detection on its own. CreateObject is how legitimate VBA instantiates Scripting.FileSystemObject or Office automation objects, and it is also how a downloader instantiates WScript.Shell or an XMLHTTP client, so the ProgID passed to it decides. The previewed part of macros.bas (the sheet module List1) is a set of button click handlers that toggle boolean flag cells in column A of the "1. KALKULACE" sheet and recolour the matching shape; it contains no CreateObject, Environ, file or network code, so the flagged call sits in a part of the 156 KB source that is not shown here and has not been reviewed. The document body is a sales quotation calculator (Czech kalkulace, "calculation"; nabídka, "offer"), and the external relationships point at Toyota Material Handling hosts (pim.toyotamh.cz, t-sight.toyota-forklifts.eu), the Czech National Bank daily exchange-rate feed (cnb.cz, denni_kurz.txt) and a backup copy of the same workbook on a G: drive. Those targets are consistent with the stated purpose, but their reputation was not checked, and 18 hidden sheets plus a 2.7 MB vbaProject.bin leave a lot of unreviewed content. A verdict should rest on the full macro source, in particular the argument to CreateObject, what is done with the Environ() result, and what the base64-like blobs in the VBA project decode to, not on the number of heuristics that fired.
Heuristics (7)
- External relationship (high, OOXML_EXTERNAL_REL): external target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///G:\Projekty\Nabídka Word\_v3 - Prikryl akcni team\generator\BACKUP\kalkulace_LWE140_test.xlsm
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): document contains a VBA project (VBA macros present)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- Environ() call, environment variable access (low, OLE_VBA_ENVIRON)
- Hidden worksheet (low, OOXML_HIDDEN_SHEET): workbook contains 18 hidden sheet(s); hidden and veryHidden sheets are commonly used to conceal macro code, staging data or intermediate payload construction
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. All of the following were reached through OOXML external relationships:
  - http://pim.toyotamh.cz
  - http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn (target truncated in extraction)
  - http://pim.toyotamh.cz (two further relationships to this host; the trailing bytes of their targets were garbled in extraction)
  - https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR (the date parameter is left as the Czech placeholder DD.MM.RRRR)
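The three container-level findings above (external relationship targets, hidden/veryHidden sheets, VBA project presence) come straight from the OOXML package and can be reproduced without Excel or oletools. The script below is an added example, not the analyzer's code; it parses the package with the standard library and runs on a constructed minimal .xlsm skeleton (the hosts, the G: path and the relationship layout in it are illustrative, not those of the analysed file).

```python
"""Container-level triage of an .xlsm, reproducing the report's
OOXML_EXTERNAL_REL, OOXML_HIDDEN_SHEET and OOXML_VBA checks.

Added example, not the analyzer's own code. The workbook it inspects is a
constructed minimal skeleton (enough parts for these three checks, not a
workbook Excel would open), so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def external_targets(zf: zipfile.ZipFile) -> list[tuple[str, str]]:
    """(rels part, Target) for every relationship marked TargetMode="External"."""
    hits = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("TargetMode") == "External":
                hits.append((name, rel.get("Target", "")))
    return hits


def hidden_sheets(zf: zipfile.ZipFile) -> list[tuple[str, str]]:
    """(sheet name, state) for sheets whose state is hidden or veryHidden.
    veryHidden sheets cannot be unhidden from the Excel UI, only from VBA."""
    root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [
        (sh.get("name", ""), sh.get("state", "visible"))
        for sh in root.iter(f"{{{MAIN_NS}}}sheet")
        if sh.get("state") in ("hidden", "veryHidden")
    ]


def triage(xlsm_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        ext = external_targets(zf)
        return {
            "vba_project": "xl/vbaProject.bin" in zf.namelist(),
            "hidden": hidden_sheets(zf),
            "external": ext,
            # file: targets deserve a separate look: they leak local paths and
            # can point an external-link formula at a share or WebDAV host
            "file_scheme": [t for _, t in ext if t.lower().startswith("file:")],
            "remote": [t for _, t in ext if re.match(r"(?i)https?://", t)],
        }


def build_sample() -> bytes:
    """Constructed skeleton: one visible, one hidden and one veryHidden sheet,
    a vbaProject.bin stub, a file: external-link target and an https hyperlink.
    The G: path and sheet names are illustrative, not those of the analysed file."""
    workbook = (
        f'<workbook xmlns="{MAIN_NS}" xmlns:r="{R_NS}"><sheets>'
        '<sheet name="1. KALKULACE" sheetId="1" r:id="rId1"/>'
        '<sheet name="Data" sheetId="2" state="hidden" r:id="rId2"/>'
        '<sheet name="Gen" sheetId="3" state="veryHidden" r:id="rId3"/>'
        "</sheets></workbook>"
    )
    ext_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{R_NS}/externalLinkPath" '
        'Target="file:///G:/backup/kalkulace_test.xlsm" TargetMode="External"/>'
        "</Relationships>"
    )
    sheet_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{R_NS}/hyperlink" '
        'Target="https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/'
        'kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/externalLinks/_rels/externalLink1.xml.rels", ext_rels)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
        # OLE compound-file magic followed by padding stands in for the real project
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open("sample.xlsm", "rb").read())`. A `file:` target in externalLinks is the classic external-workbook link; on its own it tells you where the author's copy lived (here a G: backup folder), and it becomes interesting only when the host part is a share or WebDAV server you do not recognise, or when the linked workbook is what carries the macros.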
Extracted artifacts (32)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 156061 bytes | c551d46aac6fec0e16c4ec331d8c12fce78e89c9f2b458b84acef0649e3f0d92 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 2769920 bytes | 8f3399141d5c73ee0ba417d77c7e6e9cdce569e58e01075ba1e7a49aefb5bbfd |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image8.emf | 4256 bytes | 2845eedbf64e3a01e7b471308942ad69d935005239db454c9fbdee0a2460f916 |
| emf_01.emf | ooxml-emf | OOXML EMF part: xl/media/image30.emf | 2984 bytes | 71e56f6e1d178d830f1877a5d8195872f482e9cd1d67bfab90309cd5d20c6406 |
| emf_02.emf | ooxml-emf | OOXML EMF part: xl/media/image9.emf | 5072 bytes | b0365b036d7e5516491bdb2efd5d15ec5ec91d93122600e7695d7fc8659a8c9c |
| emf_03.emf | ooxml-emf | OOXML EMF part: xl/media/image39.emf | 2984 bytes | dfa93d2849d843baa36fa26fe7fe0c76ee27d7870e45110e7fa705851573a264 |
| emf_04.emf | ooxml-emf | OOXML EMF part: xl/media/image10.emf | 4812 bytes | 1da378f9b07f21b58e76c06b3fbac63e1fe4fc6512e54ab09ca691b2eaa93bb8 |
| emf_05.emf | ooxml-emf | OOXML EMF part: xl/media/image26.emf | 2756 bytes | 1c64d592ac790cf8da804eadb9988be3077269d96084cadd9210f71c2fa79322 |
| emf_06.emf | ooxml-emf | OOXML EMF part: xl/media/image11.emf | 4256 bytes | 45c42585e3c76cec0e1ffcac6170515bc44bc878482bc8d89da67c57baf4de54 |
| emf_07.emf | ooxml-emf | OOXML EMF part: xl/media/image37.emf | 2844 bytes | 9a0e6d8be57961b020f089a18acf1f72b5e26beb4d460ca62d10b2de4d4d7853 |
| emf_08.emf | ooxml-emf | OOXML EMF part: xl/media/image20.emf | 2984 bytes | dda717fce9829594a84cad8ee11fafffdb36e47c1d3ce0508a6d4b360b8f9a6b |
| emf_09.emf | ooxml-emf | OOXML EMF part: xl/media/image12.emf | 4392 bytes | eecc1327cc11af80c525d561b098bc85b2efac603214f4f592fa64e370552a65 |
| emf_10.emf | ooxml-emf | OOXML EMF part: xl/media/image13.emf | 4316 bytes | 6008dc46a04ee733a8ecf70223d592f112026c47ff14b8ac2e9a6d45a5a6a68e |
| emf_11.emf | ooxml-emf | OOXML EMF part: xl/media/image31.emf | 2844 bytes | a6fcd2f5c82811d8de3d2a1c289fcd454b65e35975397d483b57538a083eec1d |
| emf_12.emf | ooxml-emf | OOXML EMF part: xl/media/image27.emf | 2984 bytes | 2296628b870b5af3e10b182b1237b5a4a8d66fa59745f61a9e096a93bf245a5c |
| emf_13.emf | ooxml-emf | OOXML EMF part: xl/media/image14.emf | 4300 bytes | 1e6efe5ab77960b799da6b0e1d740e081059a88d07475d51e3b326c5b648a6b8 |
| emf_14.emf | ooxml-emf | OOXML EMF part: xl/media/image21.emf | 2984 bytes | 767cbc950c4a4c627abcd125f579066184ad26b568d6fed869a97efc1bbe29c2 |
| emf_15.emf | ooxml-emf | OOXML EMF part: xl/media/image15.emf | 4960 bytes | 9e5f4f0685ef6b65e0e89d659149957db395d3b7579d3cb48f3c0d6cb285c4d5 |
| emf_16.emf | ooxml-emf | OOXML EMF part: xl/media/image16.emf | 4256 bytes | 6e7294755e3b9aa706fbc2bbc97c5691b5133ac031729fd0c3cde6042a52347a |
| emf_17.emf | ooxml-emf | OOXML EMF part: xl/media/image34.emf | 2844 bytes | 77384acde3f5bd67ecb5ed13bb5bae4ee058addbeeb60aa53d5a250630eb61e9 |
| emf_18.emf | ooxml-emf | OOXML EMF part: xl/media/image36.emf | 2984 bytes | 7703bf5c5427b259893e086491a19b088422db993f676b7d91c9c8175abbd1c5 |
| emf_19.emf | ooxml-emf | OOXML EMF part: xl/media/image22.emf | 2844 bytes | dfd4d5a92429b9add4898f6efe462070f293012e148164f00c2f595208dbf031 |
| emf_20.emf | ooxml-emf | OOXML EMF part: xl/media/image28.emf | 2844 bytes | 2e037dffa721e15066edcd50effc224c95cc7e703ea2fe7bed7378189662451b |
| emf_21.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4960 bytes | d6ce2501b45e5fa55e6ad3a4b57a28e7481930c02cfa0773e52dce01e34e5aef |
| emf_22.emf | ooxml-emf | OOXML EMF part: xl/media/image32.emf | 2984 bytes | 79800a144c01b0eacff2b4d79129ace89fa07e46c27d43a0cd72366e6b486238 |
| emf_23.emf | ooxml-emf | OOXML EMF part: xl/media/image23.emf | 2984 bytes | f84fa484e95a5aed970eff787712f5723a337fc60eb44c1ab3bd1c1aa1e9012f |
| emf_24.emf | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 4316 bytes | f0aff6722a19eb50764a021f869df4d80535d4f5462ecd229ce073efa85582d4 |
| emf_25.emf | ooxml-emf | OOXML EMF part: xl/media/image3.emf | 4388 bytes | 54d7864683d4204c9765e2c387b2513b0e284b26afc34347052c85a574657eef |
| emf_26.emf | ooxml-emf | OOXML EMF part: xl/media/image38.emf | 2984 bytes | 57365243a8b060ac0f7792ace2fe04ced7ebe2b10de2082f02ebfe1c8c7ad7b7 |
| emf_27.emf | ooxml-emf | OOXML EMF part: xl/media/image29.emf | 2984 bytes | a7ecebd1a19dcd8d657a273be832b27ad284c3a821a9b54027225d3b16dd8df6 |
| emf_28.emf | ooxml-emf | OOXML EMF part: xl/media/image4.emf | 4264 bytes | cc4a81917dafe4d17aad6c3372bf8c9bef271b3f7821d3bee6831ae9132f9d22 |
| emf_29.emf | ooxml-emf | OOXML EMF part: xl/media/image24.emf | 2984 bytes | 82685e493e4ddf5b5919dddc57c3f4eb5970a75b772ab4c6e4f7170c305a2707 |

Detection results for vbaProject_00.bin: ClamAV found no threats. Obfuscation or payload: likely; the carved artifact contains 4 long base64-like blob(s). Base64-like runs also occur in legitimate macros (embedded images or other resources stored as string constants), so the count by itself is weak evidence: decode the blobs and look at what comes out. A PE header, a URL, or script text is the signal; an image or form resource is not.

Preview of macros.bas (first 1,000 lines of the extracted script, cut off below). This is the sheet module List1; every handler toggles a boolean flag cell in column A of the "1. KALKULACE" sheet and recolours the matching button shape (green when set, grey when cleared), and some pairs are mutually exclusive (ALBatButtonX clears A74 when it sets A73, and vice versa).

```vb
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub ALBatButtonX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True
Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
Else
Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
End If
End Sub
Private Sub TMHLiBatButtonX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True
Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
Else
Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
End If
End Sub
Private Sub BezRampyX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
Else
Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
End If
End Sub
Private Sub RampaX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
Else
Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
End If
End Sub
Private Sub TechnikX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
Else
Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
End If
End Sub
Private Sub JerabX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
Else
Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
End If
End Sub
Private Sub OdkupProtiX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
Else
Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
End If
End Sub
Private Sub PreklenovaciPronajemX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
Else
Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
End If
End Sub
Private Sub SpedX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = True
Else
' ... (truncated)
```
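The CreateObject and Environ() heuristics and the base64-blob count are all keyword-level checks, and the previewed handlers show why that is not enough: the interesting question is which ProgID the CreateObject call instantiates, which variable Environ() reads, and what the blobs decode to. The script below is an added example, not the analyzer's or oletools' code; it runs the source-level triage over decoded VBA of the kind olevba writes to macros.bas. Both VBA samples in it are constructed for the demonstration (the page does not show which ProgID this workbook passes to CreateObject), and the ProgID watch list is a starting point, not a complete one.

```python
"""Source-level triage of decoded VBA (what olevba's macros.bas contains):
which ProgID each CreateObject call instantiates, which environment variables
Environ() reads, and whether long base64-like runs decode to anything
recognisable. Added example, not the analyzer's or oletools' code. The two
VBA samples are constructed; the analysed workbook's CreateObject argument is
not shown on the page.
"""
import base64
import binascii
import re

CREATEOBJ = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.I)
ENVIRON = re.compile(r'Environ\$?\s*\(\s*("?)([^")]+)\1\s*\)', re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# ProgIDs that hand a macro a shell, an HTTP client or a raw file writer.
# Assumed starting list; extend it for your environment.
HIGH_RISK_PROGIDS = {
    "wscript.shell", "shell.application", "adodb.stream",
    "msxml2.xmlhttp", "msxml2.serverxmlhttp", "microsoft.xmlhttp",
    "winhttp.winhttprequest.5.1",
}


def decode_blob(run: str) -> dict:
    """Decode one base64-like run and say what the bytes look like."""
    try:
        raw = base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return {"chars": len(run), "decoded": False, "pe": False, "text": False}
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return {
        "chars": len(run),
        "decoded": True,
        "pe": raw[:2] == b"MZ",                      # DOS/PE header
        "text": len(raw) > 0 and printable / len(raw) > 0.9,  # script or URL
    }


def triage_vba(src: str) -> dict:
    progids = [m.group(1) for m in CREATEOBJ.finditer(src)]
    env_vars = [m.group(2).strip() for m in ENVIRON.finditer(src)]
    blobs = [decode_blob(m.group(0)) for m in B64_RUN.finditer(src)]
    risky = [p for p in progids if p.lower() in HIGH_RISK_PROGIDS]
    if risky or any(b["pe"] for b in blobs):
        verdict = "high"
    elif progids or env_vars or blobs:
        verdict = "review"   # heuristics fired but nothing decisive: read the code
    else:
        verdict = "low"
    return {"createobject": progids, "environ": env_vars, "blobs": blobs,
            "risky_progids": risky, "verdict": verdict}


# Constructed sample 1: a quote-generator style macro. CreateObject and
# Environ both fire, but the ProgID is the scripting FileSystemObject.
SAMPLE_QUOTE = r'''
Option Explicit
Private Sub RampaX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
    End If
End Sub
Private Sub SaveQuoteCopy()
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.CopyFile ThisWorkbook.FullName, Environ("USERPROFILE") & "\quote.xlsm"
End Sub
'''

# Constructed sample 2: the same two calls as used by a dropper, plus a
# base64 constant that decodes to an MZ header (built here, not a real PE).
_FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 70).decode()
SAMPLE_DROPPER = f'''
Private Sub Workbook_Open()
    Dim sh As Object, p As String
    p = Environ$("TEMP") & "\\u.exe"
    Set sh = CreateObject("WScript.Shell")
    Const payload = "{_FAKE_PE}"
    sh.Run p, 0
End Sub
'''

if __name__ == "__main__":
    for name, src in (("quote", SAMPLE_QUOTE), ("dropper", SAMPLE_DROPPER)):
        r = triage_vba(src)
        print(name, r["verdict"], r["createobject"], r["environ"], r["blobs"])
```

Feed it the full macros.bas with `triage_vba(open("macros.bas", encoding="utf-8", errors="replace").read())`. The point of the split verdict is that both samples trip the same OLE_VBA_CREATEOBJ and OLE_VBA_ENVIRON heuristics; only the ProgID and the decoded blob separate a quote generator that copies itself to the user's profile from a dropper. A CreateObject whose argument is a variable rather than a string literal will not match the regex and needs manual follow-up, which is itself a useful signal.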