Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c9b76b913a34b1c5…

MALICIOUS

Office (OOXML)

Size: 8.81 MB
Created: 2008-04-04 10:28:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-16
MD5: 6b6f17d5bce986a10fd56d78756ac839
SHA-1: eb3ed1dd99e58bfd13c20c3f5a8e34ef77685c9d
SHA-256: c9b76b913a34b1c5c4577a138e244d4676d33726af3eb642c406d53788e402ab
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The presence of VBA macros, specifically the use of `CreateObject`, indicates a high likelihood of malicious intent. The macros appear to interact with spreadsheet cells and potentially external links, suggesting an attempt to gather information or download further payloads. The embedded URLs, while some are marked as benign, include suspicious domains that warrant investigation.

Heuristics (7)

  • External relationship [high] OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///\\CZFS01\public\Projekty\Nabídka Word\_v3 - Prikryl akcni team\generator\BACKUP\kalkulace_LWE140_test.xlsm
  • VBA project inside OOXML [medium, 2 related findings] OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Hidden worksheet (veryHidden, hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 78 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • http://pim.toyotamh.cz (OOXML external relationship)
    • http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn (OOXML external relationship)
    • http://pim.toyotamh.cz8 (OOXML external relationship)
    • http://pim.toyotamh.cz� (OOXML external relationship)
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR (OOXML external relationship)

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename    Kind    Source    Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 173056 bytes
SHA-256: 1af8fda369c5535c0c8f13e95520541d89cf992089548a8e111a001ab7c2f08b
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub ALBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True

  '              Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
    '            ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    Else
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    End If
End Sub


'Private Sub TMHLiBatButtonX_Click()
'    If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
'        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
'        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True
'
'                Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
''                ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
'
'    Else
'        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
'        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
'    End If
'End Sub

Private Sub BezRampyX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
    Else
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
    End If
End Sub

Private Sub RampaX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
    Else
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
    End If
End Sub

Private Sub TechnikX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
    Else
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
    End If
End Sub

Private Sub JerabX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
    Else
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
    End If
End Sub

Private Sub OdkupProtiX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
    Else
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
    End If
End Sub

Private Sub PreklenovaciPronajemX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
    Else
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
    End If
End Sub

Private Sub SpedX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
        Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = True
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 2989568 bytes
SHA-256: 45aa7b9ade6f9bbc1e225853d11dc5a933a2a43eb13c759b4f6394041cb87d9b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image26.emf 2756 bytes
SHA-256: ded1b2310b3a80e79eb3d62eb9ea5a024af836f44d4de713bbc5d0b13c6b64d3
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image4.emf 4264 bytes
SHA-256: 38974e42473ba98e99d2ded742733f39786c27030b83ee48b4dc99a7673d3bf2
emf_02.emf ooxml-emf OOXML EMF part: xl/media/image5.emf 4860 bytes
SHA-256: 7a5b4e96624345f3644aa80fc7af4e5ec9b9c72b957b7960994b225874251b9d
emf_03.emf ooxml-emf OOXML EMF part: xl/media/image6.emf 4256 bytes
SHA-256: e1db41204e3a1c4f3f90526ff8c48ff75a03e80c5edc8e9b612555846b48e3bc
emf_04.emf ooxml-emf OOXML EMF part: xl/media/image22.emf 2844 bytes
SHA-256: ec993a1406c7fff664afd2c4c10ea536bbbcf529e92a753bb66dcd9de6b895dd
emf_05.emf ooxml-emf OOXML EMF part: xl/media/image7.emf 5460 bytes
SHA-256: 743b12454d8e4a4f5615f357e391e27210588f271b1a4c3f02c86d4c96576330
emf_06.emf ooxml-emf OOXML EMF part: xl/media/image8.emf 4256 bytes
SHA-256: 31e1f0506628579c271149228a072480366259f0f8283c933008fe681fcb4275
emf_07.emf ooxml-emf OOXML EMF part: xl/media/image28.emf 2844 bytes
SHA-256: 5b71470f5f51196412dd63b87a6b94589ead437e98034cb86295a5465fa153ed
emf_08.emf ooxml-emf OOXML EMF part: xl/media/image9.emf 5072 bytes
SHA-256: da26c49a7d729814201413a4df594b76274344f395cf9364f0deae68b139d93c
emf_09.emf ooxml-emf OOXML EMF part: xl/media/image10.emf 4812 bytes
SHA-256: 7d017728dfbacea60fa7288a03d0c2bb1d85a50c5f4e56012001575c4807f36b
emf_10.emf ooxml-emf OOXML EMF part: xl/media/image11.emf 4256 bytes
SHA-256: 16b854a54fe09dbce47fde2d8f999ff26edfd29e623138a693c57375ad6016d4
emf_11.emf ooxml-emf OOXML EMF part: xl/media/image25.emf 2984 bytes
SHA-256: e14e6325541582a60cbcbb08ebc5f1d8c2ae5a629765ee1d0a3cc51c4af9cb3a
emf_12.emf ooxml-emf OOXML EMF part: xl/media/image23.emf 2984 bytes
SHA-256: 3639fa1a878301b1d2839a13f0be29b2960754ed078ee916fece561cec5357ca
emf_13.emf ooxml-emf OOXML EMF part: xl/media/image12.emf 4392 bytes
SHA-256: f27b411d15bf0917d3c6e8bd01863b5562389d78712e266ceded7270a6fd679b
emf_14.emf ooxml-emf OOXML EMF part: xl/media/image13.emf 4316 bytes
SHA-256: 24de0e116e9946e38c313e93e86bcc1bdbdeaa1f313a0ea3a2bfba9b23a1076d
emf_15.emf ooxml-emf OOXML EMF part: xl/media/image20.emf 2984 bytes
SHA-256: f5c27655728c5341fd68711c656a882347f1578af9e7f640e3b65e54225dd781
emf_16.emf ooxml-emf OOXML EMF part: xl/media/image29.emf 2984 bytes
SHA-256: 05ef7daa6dceb78087d0ec070689d5fdf04f86449cdde865f0e616c2066914cf
emf_17.emf ooxml-emf OOXML EMF part: xl/media/image14.emf 4300 bytes
SHA-256: 85958fa7176789bbc258a5d1fc0c0521eeb74fad000ab8edc3c2423cc2efb3d5
emf_18.emf ooxml-emf OOXML EMF part: xl/media/image27.emf 2984 bytes
SHA-256: 3a6620b4c3a24887ba6d1d0dc73e92d2091ecda5fc1e1d8d85905fe2f694ccd6
emf_19.emf ooxml-emf OOXML EMF part: xl/media/image15.emf 4960 bytes
SHA-256: f342c15f6f74bd5644da43f1a5f4e43864099dfc912fd9d3132f5ecad5d124d9
emf_20.emf ooxml-emf OOXML EMF part: xl/media/image21.emf 2984 bytes
SHA-256: c394cea3981f6fdf88322c7aae031a90acf9a71322dbf7db9153ce134ed3f9b7
emf_21.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4960 bytes
SHA-256: 7b19b24ce96892d79b5203120968741307e1ae5a016791e26699c72aab2ea9ce
emf_22.emf ooxml-emf OOXML EMF part: xl/media/image16.emf 4256 bytes
SHA-256: d1a7c9af8008944a58eba5b44d6f79df61478b734259413ec3bd3e23ac7270b8
emf_23.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 4316 bytes
SHA-256: a53bb42a58448479846aba9202a492c000f294d538b6e65b4aa0ab3d1f1f2b36
emf_24.emf ooxml-emf OOXML EMF part: xl/media/image24.emf 2984 bytes
SHA-256: 98349db6d5ac970dbf8a330e6f72f8bfd5f8af28e739913efe822caf45005166
emf_25.emf ooxml-emf OOXML EMF part: xl/media/image3.emf 4388 bytes
SHA-256: 2d04aabaa43931e95bb0f94ccee428e472e9647048c1a49683fbc1e40f348a0e
emf_26.emf ooxml-emf OOXML EMF part: xl/media/image30.emf 2984 bytes
SHA-256: cd0241599f0593f148e3b211edb7b7b1ee989063335d91d317e2a4acc8b45dc5
emf_27.emf ooxml-emf OOXML EMF part: xl/media/image31.emf 2844 bytes
SHA-256: cfee991af281ea5f3ec29055515eafd090825422b0e435b6b46a2438547294d3
emf_28.emf ooxml-emf OOXML EMF part: xl/media/image32.emf 2984 bytes
SHA-256: 739a5be849f9d34bb25a1f91ff59e3364a69bbf82aae59cd0db38540c3f7b982
emf_29.emf ooxml-emf OOXML EMF part: xl/media/image33.emf 2984 bytes
SHA-256: cde48d68948fcde9888b6f8939c3171990d8d61619ca558deffbbfd773fb379d