Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e14c303199cbfb98…

MALICIOUS

Office (OOXML)

Size: 3.06 MB
Created: 2008-04-04 10:28:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-07-13
MD5: 72b16909ac20ada20b2d622b9c35a41a
SHA-1: cf8d19bcdaa28ccfb131ef74487f65cdc0dd826a
SHA-256: e14c303199cbfb981f6f7f6b8d90fb17a9c7b93858764f7a218e5cdb007eff1e
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an OOXML document containing VBA macros, indicated by multiple heuristic firings including 'OOXML_VBA' and 'OLE_VBA_CREATEOBJ'. The VBA code appears to manipulate sheet data and button states within an Excel workbook, likely to present a deceptive interface to the user. The presence of hidden sheets and external relationships suggests an attempt to conceal malicious activity or load external content. The document body contains pricing and product information, suggesting a lure for financial fraud or phishing.

Heuristics (7)

  • External relationship high OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///G:\Projekty\Nabídka Word\_v3 - Prikryl akcni team\generator\BACKUP\kalkulace_LWE140_test.xlsm
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Hidden worksheet (hidden, veryHidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 18 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pim.toyotamh.cz (OOXML external relationship)
    • http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn (OOXML external relationship)
    • http://pim.toyotamh.cz8 (OOXML external relationship)
    • http://pim.toyotamh.cz� (OOXML external relationship)
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR (OOXML external relationship)

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 156061 bytes
SHA-256: 918155f9d94967c2c503462ec9f01fb7c295d397677238d91499ed9fe13677f2
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub ALBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True

        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    Else
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    End If
End Sub

Private Sub TMHLiBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True

        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    Else
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    End If
End Sub

Private Sub BezRampyX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
    Else
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
    End If
End Sub

Private Sub RampaX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
    Else
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
    End If
End Sub

Private Sub TechnikX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
    Else
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
    End If
End Sub

Private Sub JerabX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
    Else
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
    End If
End Sub

Private Sub OdkupProtiX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
    Else
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
    End If
End Sub

Private Sub PreklenovaciPronajemX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
    Else
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
    End If
End Sub

Private Sub SpedX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
        Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = True
    Else
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 2769920 bytes
SHA-256: 102f017d442f33d26b0f22c300d5bb4e8d94c4592683b32a7264b6de4f310d88
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image8.emf 4256 bytes
SHA-256: b44a42315dafa70444818d80dbd91e7c83907d95f30948415f5b1bedcd9babcd
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image30.emf 2984 bytes
SHA-256: c3d4a5596f42c14d211ba41699b743a7e0c5fcfa5fde5839e9c13056a2bcd827
emf_02.emf ooxml-emf OOXML EMF part: xl/media/image9.emf 5072 bytes
SHA-256: 916a8e346ed66878ea4a3b49e669ffc2768cc21506ea862690e709a7e9ec5630
emf_03.emf ooxml-emf OOXML EMF part: xl/media/image39.emf 2984 bytes
SHA-256: 34796f52241933b27aa3dc8cfb147234cbc8a43921d41fbc63ca4506c621cb26
emf_04.emf ooxml-emf OOXML EMF part: xl/media/image10.emf 4812 bytes
SHA-256: c5df6ef7c96933161daf619b06855c0865c793ba0b6dab5874628d20847ae74d
emf_05.emf ooxml-emf OOXML EMF part: xl/media/image26.emf 2756 bytes
SHA-256: 3638bc19163f9e642c6267f553590ea65660449a1db2024e5bc51404bf9e7f93
emf_06.emf ooxml-emf OOXML EMF part: xl/media/image11.emf 4256 bytes
SHA-256: 32305013adc2b884abda89309a7436498a9ceed3ace056b1589de055ce48306d
emf_07.emf ooxml-emf OOXML EMF part: xl/media/image37.emf 2844 bytes
SHA-256: 9b193b53986906a89b8030292fc8873d42456951d0711e98ddea818e61024be9
emf_08.emf ooxml-emf OOXML EMF part: xl/media/image20.emf 2984 bytes
SHA-256: a92ea8983916af298c585cdc1eec041b33cc530347483b8f089e5100f45a2248
emf_09.emf ooxml-emf OOXML EMF part: xl/media/image12.emf 4392 bytes
SHA-256: 6ac2c6a4d5a9ab675de83dbe04399ee78f5d0d4af2321fb4e79adc568dfdd1f6
emf_10.emf ooxml-emf OOXML EMF part: xl/media/image13.emf 4316 bytes
SHA-256: 9de5c913c969dc8fb75b31bba99c4c0212e54dd301672208242d1d5c6795dcfa
emf_11.emf ooxml-emf OOXML EMF part: xl/media/image31.emf 2844 bytes
SHA-256: 9ee3e630bbbea95044e338f353f82208b5a3e14052aa41f991ae6ff800c8d31c
emf_12.emf ooxml-emf OOXML EMF part: xl/media/image27.emf 2984 bytes
SHA-256: 0e7ae5f6b8c96742d8d29113d8b22db115e8220872a7f5396b29bfd094be1432
emf_13.emf ooxml-emf OOXML EMF part: xl/media/image14.emf 4300 bytes
SHA-256: 0faa5aa7a4ff01f4acb2b1cad6a96f3076dbca50f9064897bdf4614d7712342e
emf_14.emf ooxml-emf OOXML EMF part: xl/media/image21.emf 2984 bytes
SHA-256: 7fe35cecb958b204d1809d49fa6211135a0e6078e46319161468e53a6477e263
emf_15.emf ooxml-emf OOXML EMF part: xl/media/image15.emf 4960 bytes
SHA-256: fe40b990609c6c2a2a2b3c1545ec5ae2b1ae7ef1b2fe57270e31d84d34f2ef5e
emf_16.emf ooxml-emf OOXML EMF part: xl/media/image16.emf 4256 bytes
SHA-256: ff5aed58b1ca0fbcc36084a1d1d3aa79265b9ef7fe5a7ab2c807e4b6ddec7dbd
emf_17.emf ooxml-emf OOXML EMF part: xl/media/image34.emf 2844 bytes
SHA-256: b860900355ca416faa811906ef83d2de25fe4e354ab840095b8f4cd18d4dcb32
emf_18.emf ooxml-emf OOXML EMF part: xl/media/image36.emf 2984 bytes
SHA-256: 01a23abf84e3bff7df104990693cb874ae50d7744d60c9aeefb61a189972e11a
emf_19.emf ooxml-emf OOXML EMF part: xl/media/image22.emf 2844 bytes
SHA-256: 357cd2a618078c04e7e7e26f746c2b1720bea3572c5ae60614072f184cd181c0
emf_20.emf ooxml-emf OOXML EMF part: xl/media/image28.emf 2844 bytes
SHA-256: faeaa5668d742088b773ef6b916e5314d145096f682f2b40a5ea57470321ded6
emf_21.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4960 bytes
SHA-256: aae191b1948bebbc645daddcab11f6fb00c187c9da223c975f49e7951a06b476
emf_22.emf ooxml-emf OOXML EMF part: xl/media/image32.emf 2984 bytes
SHA-256: 0689630d391b87b43231798371a0a756559ac5963d6afb6d54d3d30a0994cec0
emf_23.emf ooxml-emf OOXML EMF part: xl/media/image23.emf 2984 bytes
SHA-256: 7a38a246c6c2b534bb3d76fc7608eb9e8237abdeb546dbcd9d29288b6c6f6a25
emf_24.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 4316 bytes
SHA-256: 5cd69e842acd73341afecf7ba0a222f62bfa918b99352c3dfa97927ef577d8a0
emf_25.emf ooxml-emf OOXML EMF part: xl/media/image3.emf 4388 bytes
SHA-256: 65378bb27c4d589fea01c412ecfe13acf958279559ed2fa7b31c366f89bb944a
emf_26.emf ooxml-emf OOXML EMF part: xl/media/image38.emf 2984 bytes
SHA-256: 67655f7d9d33878f19110ac494a015c49dd15c46998456702033fdc4c46da2dd
emf_27.emf ooxml-emf OOXML EMF part: xl/media/image29.emf 2984 bytes
SHA-256: 5c4a4174c412f5e4bd3a46d480111c5cdacc24a11a2be5433baa624f062fafa2
emf_28.emf ooxml-emf OOXML EMF part: xl/media/image4.emf 4264 bytes
SHA-256: 1f97dcdcebc117e9fbfc490613c81976760dc2f53e3bcbbb46e8a9bfbb21e21e
emf_29.emf ooxml-emf OOXML EMF part: xl/media/image24.emf 2984 bytes
SHA-256: 3d763a94c6ab5a52f12792c53cd8292397aaab83c4415b5afcf529eb88cca151