Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b588c55ba7cc9874…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 3.13 MB
Created: 2008-04-04 10:28:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-07-07
MD5: f314dc4c818167557f8250c352c42d27
SHA-1: 275baca76ec3e10dab922195d342ddfccd7c06e2
SHA-256: b588c55ba7cc9874354b0f38513cc72a2157701748f4437751678c629b975145
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel document containing VBA macros, as indicated by the OOXML_VBA and OLE_VBA_CREATEOBJ heuristics. The macros appear to manipulate sheet data and visual elements, suggesting an interactive lure. The presence of external relationships, such as 'file:///G:\Users\czjaspr\Desktop\Ceny ND a smlouvy\EKA ceníky a kalkulátory\Servisní smlouva FY16 verze_1.4.xlsx', and of URLs of unknown reputation, such as 'http://pim.toyotamh.cz', is suspicious: they could be used to download further malicious content or to redirect the user. The document body appears to contain technical specifications for forklifts, which could serve as a pretext for a phishing or social engineering attack.

Heuristics (7)

  • External relationship [high] OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink4.xml.rels: file:///G:\Users\czjaspr\Desktop\Ceny ND a smlouvy\EKA ceníky a kalkulátory\Servisní smlouva FY16 verze_1.4.xlsx
  • VBA project inside OOXML [medium, 2 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Hidden worksheet (hidden, veryHidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 17 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pim.toyotamh.cz (OOXML external relationship)
    • http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn (OOXML external relationship)
    • http://pim.toyotamh.cz@ (OOXML external relationship)
    • http://pim.toyotamh.cz� (OOXML external relationship)
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR (OOXML external relationship)

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 156061 bytes
SHA-256: 774b6a5e9b82add600b1ce84d32764bde0282e8fef4be72332668fbe809eebb5
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub ALBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    Else
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    End If
End Sub


Private Sub TMHLiBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    Else
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    End If
End Sub

Private Sub BezRampyX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
    Else
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
    End If
End Sub

Private Sub RampaX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
    Else
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
    End If
End Sub

Private Sub TechnikX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
    Else
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
    End If
End Sub

Private Sub JerabX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
    Else
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
    End If
End Sub

Private Sub OdkupProtiX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
    Else
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
    End If
End Sub

Private Sub PreklenovaciPronajemX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
    Else
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
    End If
End Sub

Private Sub SpedX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
        Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = True
    Else
... (truncated)
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 2987008 bytes
SHA-256: c6bf406eeb375643b70cfec9112642772ce90ff7ed776777886ed8720332e711
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 3 long base64-like blob(s))