Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e50c75116d7aebc4…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 2.41 MB
Created: 2008-04-04 10:28:53 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-06-20
MD5: 4b86c047975c80b07ab6b57b3aa933de
SHA-1: 4f9286d25ae2b7f79c962ebb32510c6bf13ad464
SHA-256: e50c75116d7aebc49341377a1e5ab15628ed954badbc138c5881c9e0567efbc2
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1137.001 Office Application Native API

The OOXML file contains VBA macros, indicated by the 'OOXML_VBA' and 'OLE_VBA_CREATEOBJ' heuristics. The macros appear to control interactive elements within the document, suggesting an attempt to engage the user and potentially trick them into enabling further malicious activity. The presence of an external relationship URL points to a potential download or execution vector.

Heuristics (7)

  • External relationship [high] OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///G:\Users\czjifra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\EKRQQAVT\VersionHistor
  • VBA project inside OOXML [medium, 2 related findings] OOXML_VBA
    Document contains a VBA project (VBA macros present)
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Hidden worksheet (hidden, veryHidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 16 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel that reached each URL in brackets):
    • http://pim.toyotamh.cz [OOXML external relationship]
    • http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/Pracovn [OOXML external relationship]
    • https://github.com/VBA-tools/VBA-JSON [OOXML external relationship]
    • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp [OOXML external relationship]
    • https://github.com/VBA-tools/VBA-UtcConverter [OOXML external relationship]
    • http://pim.toyotamh.cz� [OOXML external relationship]
    • http://pim.toyotamh.cz@ [OOXML external relationship]
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRR [OOXML external relationship]
    • https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/index.html?date=DD.MM.RRRR [OOXML external relationship]
    • http://www.cnb.cz/cs/financni_trhy/devizovy_trh/kurzy_devizoveho_trhu/denni_kurz.jsp?date=DD.MM.RRRR [OOXML external relationship]
    • http://www.opensource.org/licenses/mit-license.php [OOXML external relationship]
    • http://code.google.com/p/vba-json/ [OOXML external relationship]
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx [OOXML external relationship]
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx [OOXML external relationship]
    • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx [OOXML external relationship]
    • http://support.microsoft.com/kb/269370 [OOXML external relationship]
    • http://www.ietf.org/rfc/rfc4627.txt [OOXML external relationship]
    • https://support.microsoft.com/en-us/kb/272138 [OOXML external relationship]
    • http://www.opensource.org/licenses/mit-license.php)� [OOXML external relationship]

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 164871 bytes
SHA-256: ff9bf86bca5968e0050169a6982eadc2a6c18074c5c14da38d3a996180ed41c1
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub ALBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True
        'Off the other button
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    Else
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    End If
End Sub


Private Sub TMHLiBatButtonX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True
        'Off the other button
        Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
    Else
        Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
    End If
End Sub

Private Sub BezRampyX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
    Else
        Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
    End If
End Sub

Private Sub RampaX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
    Else
        Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
    End If
End Sub

Private Sub TechnikX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
    Else
        Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
    End If
End Sub

Private Sub JerabX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
    Else
        Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
    End If
End Sub

Private Sub OdkupProtiX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
    Else
        Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
    End If
End Sub

Private Sub PreklenovaciPronajemX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
    Else
        Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
        ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
    End If
End Sub

Private Sub SpedX_Click()
    If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
        Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
        ThisWorkbook.Sheets("1. KALKUL
... (truncated)
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 2874368 bytes
SHA-256: 351c27ca60044088a66269d8e2530f945566f4723b5222844e870edc5f9eab7c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image20.emf 2984 bytes
SHA-256: fd025589460011b7c36433abf280bd08eb50dd0b96e7e2569020c73d74b9afb3
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image21.emf 2984 bytes
SHA-256: 83b8f719f81f8fae7df5153abe62c6292766d65da9bf01868ba2c67621dbfa16
emf_02.emf ooxml-emf OOXML EMF part: xl/media/image22.emf 2844 bytes
SHA-256: d3bd808d173aabb22c15670010b0ced2a37894557a2ba21189c3bca6dd178f56
emf_03.emf ooxml-emf OOXML EMF part: xl/media/image23.emf 2984 bytes
SHA-256: d43ebaa3f2229324f51901af7ad113cbf73c3a6d14469a3f778aaea0b57b3bbf
emf_04.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4960 bytes
SHA-256: ae24d2bc93fbdd9ec8f2588496b97b8a231a42e030ed8062364ffe5d842eb738
emf_05.emf ooxml-emf OOXML EMF part: xl/media/image24.emf 2984 bytes
SHA-256: 6bca3e8c00ed81f7a174227b8c11ded9d1e0f289f027e10e960ddfdc99e6d51d
emf_06.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 4316 bytes
SHA-256: f5b35ec5bb509397d25e0a5cebb584bdfec5eb316a9bf9434f39cbbd3fe047eb
emf_07.emf ooxml-emf OOXML EMF part: xl/media/image3.emf 4388 bytes
SHA-256: 96d18c6150ba62a324bec792718f7c9235bc45cd33fee60fd00800b70056d397
emf_08.emf ooxml-emf OOXML EMF part: xl/media/image25.emf 2984 bytes
SHA-256: f45f03c3faa2a6e8f7f04db4847cbe89a05481303d48ea68e298bb0ed1e50b50
emf_09.emf ooxml-emf OOXML EMF part: xl/media/image4.emf 4264 bytes
SHA-256: e0842be624ecb60f468218cd85921d96dc16fc1174c0b72e706c9aee123a1cb8
emf_10.emf ooxml-emf OOXML EMF part: xl/media/image26.emf 2756 bytes
SHA-256: 944b7c929dac2684186baeb960a757eeb03b775b4174250fb3c5c53ca8d1f57c
emf_11.emf ooxml-emf OOXML EMF part: xl/media/image5.emf 4860 bytes
SHA-256: 7d8b244206d3048095f4f79798adb289cf7c52f881deeeb25f679d45e3256051
emf_12.emf ooxml-emf OOXML EMF part: xl/media/image6.emf 4256 bytes
SHA-256: 8c68ff09e4aef0eb4e4238b1b04a1c719ce3475df66f3d764c323dc8e768f61f
emf_13.emf ooxml-emf OOXML EMF part: xl/media/image27.emf 2984 bytes
SHA-256: 4370e61f397a2a490534759a485afb91795707dcd7bba53f10c9efcff942413e
emf_14.emf ooxml-emf OOXML EMF part: xl/media/image7.emf 5460 bytes
SHA-256: 082d272a4226a93df47bb4455b85cbfedb2d670f29963aaf57d9935c40e01a4d
emf_15.emf ooxml-emf OOXML EMF part: xl/media/image28.emf 2844 bytes
SHA-256: ff907a6e399add00b1d574c4b6d0ccfbd6125a1670898e33931200027459c8c8
emf_16.emf ooxml-emf OOXML EMF part: xl/media/image8.emf 4256 bytes
SHA-256: 134df45c6919131b591ef953f63648d804935c05a37a771bd9a61ec68f3915d2
emf_17.emf ooxml-emf OOXML EMF part: xl/media/image9.emf 5072 bytes
SHA-256: e6c1f67f409d48f2fc21e0a047f47984ac52e0ec32faf2f60318502c600e6821
emf_18.emf ooxml-emf OOXML EMF part: xl/media/image29.emf 2984 bytes
SHA-256: 4c34a537c7b074d233aab65a9e2add910fc541f1db29b044a90a9cee9a818131
emf_19.emf ooxml-emf OOXML EMF part: xl/media/image10.emf 4812 bytes
SHA-256: 4263c1fe9ecc84d053ed027bd6b2ce586eeb63a16bccbc0bcde54d451b426458
emf_20.emf ooxml-emf OOXML EMF part: xl/media/image30.emf 2984 bytes
SHA-256: a76426f607ea5fa8ac0fbc5bf8d158e391b85645d5353cc5718d4d9b40697fd1
emf_21.emf ooxml-emf OOXML EMF part: xl/media/image11.emf 4256 bytes
SHA-256: 6c1e5f6ee9a2c0571b3cee89edafc479d68b6af04f9abf260d8afd2ddf38e2d8
emf_22.emf ooxml-emf OOXML EMF part: xl/media/image12.emf 4392 bytes
SHA-256: 640a9898aa370f01979203e6ee7c8dae42b961805cf1ac044fc7983b5c0d366f
emf_23.emf ooxml-emf OOXML EMF part: xl/media/image31.emf 2844 bytes
SHA-256: 61dcd891f38a5a6e72d8df265196955ba64f5caa6f6729439fc4a817c9ac59f9
emf_24.emf ooxml-emf OOXML EMF part: xl/media/image13.emf 4316 bytes
SHA-256: d312746548358b4bba494d4d7165b79a9536eab965081ed5c85009be64f9d98f
emf_25.emf ooxml-emf OOXML EMF part: xl/media/image32.emf 2984 bytes
SHA-256: 9c5f14b2ffd233d46eaa9ede4a2a08a8ef8f6ed943af5dec74d7eb516752f2d5
emf_26.emf ooxml-emf OOXML EMF part: xl/media/image33.emf 2984 bytes
SHA-256: c18c805dd79e5a088d2995748317973158fa55b2b435874d3e57652cb68f045b
emf_27.emf ooxml-emf OOXML EMF part: xl/media/image14.emf 4300 bytes
SHA-256: 0e6789a2da88b81702596e73155288006fb640b8b1325527dd704f5ee7ff9b90
emf_28.emf ooxml-emf OOXML EMF part: xl/media/image15.emf 4960 bytes
SHA-256: 6bb818a697826b018829e02e5be8105e2cac167ec75d20db34b70de9a7539534
emf_29.emf ooxml-emf OOXML EMF part: xl/media/image34.emf 2844 bytes
SHA-256: 2124d09e0650d1245b81f6190415b6b17974110bd4f129b33c4257e00d5c2afd