MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
This Excel document contains VBA macros, evidenced by multiple heuristic firings including 'OOXML_VBA' and 'OLE_VBA_CREATEOBJ'. The presence of 'OOXML_EXTERNAL_REL' suggests the document may attempt to interact with external resources or files. While the VBA code itself appears to be primarily related to UI elements and lacks clear malicious functionality in the provided excerpt, the overall structure and heuristic firings indicate a potential for malicious activity, possibly as a spearphishing attachment.
Heuristics 7
-
External relationship high OOXML_EXTERNAL_RELExternal target in xl/externalLinks/_rels/externalLink2.xml.rels: file:///\\CZFS01\public\Users\czjifra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\EKRQQAVT\
-
VBA project inside OOXML medium 2 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Hidden worksheet (veryHidden, hidden) low OOXML_HIDDEN_SHEETExcel workbook contains 78 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://pim.toyotamh.cz OOXML external relationship
- http://t-sight.toyota-forklifts.eu/company/tmhcz/sales/sales-dep/PracovnOOXML external relationship
- http://pim.toyotamh.cz@OOXML external relationship
- http://pim.toyotamh.cz�OOXML external relationship
- https://www.cnb.cz/cs/financni-trhy/devizovy-trh/kurzy-devizoveho-trhu/kurzy-devizoveho-trhu/denni_kurz.txt?date=DD.MM.RRRROOXML external relationship
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 179008 bytes |
SHA-256: e784c2ec73851cb0f4d8d2671bc4134f50c112e4e08664ce97ca49af8433557a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub ALBatButtonX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False Then
Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = True
' Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
' ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
Else
Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
End If
End Sub
'Private Sub TMHLiBatButtonX_Click()
' If ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False Then
' Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(0, 208, 0)
' ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = True
'
' Shapes("ALBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
'' ThisWorkbook.Sheets("1. KALKULACE").Range("A73") = False
'
' Else
' Shapes("TMHLiBatButtonX").Fill.ForeColor.RGB = RGB(192, 192, 192)
' ThisWorkbook.Sheets("1. KALKULACE").Range("A74") = False
' End If
'End Sub
Private Sub BezRampyX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False Then
Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = True
Else
Shapes("BezRampyX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A1") = False
End If
End Sub
Private Sub RampaX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False Then
Shapes("RampaX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = True
Else
Shapes("RampaX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A2") = False
End If
End Sub
Private Sub TechnikX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False Then
Shapes("TechnikX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = True
Else
Shapes("TechnikX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A3") = False
End If
End Sub
Private Sub JerabX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False Then
Shapes("JerabX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = True
Else
Shapes("JerabX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A4") = False
End If
End Sub
Private Sub OdkupProtiX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False Then
Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = True
Else
Shapes("OdkupProtiX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A8") = False
End If
End Sub
Private Sub PreklenovaciPronajemX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False Then
Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = True
Else
Shapes("PreklenovaciPronajemX").Fill.ForeColor.RGB = RGB(192, 192, 192)
ThisWorkbook.Sheets("1. KALKULACE").Range("A9") = False
End If
End Sub
Private Sub SpedX_Click()
If ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = False Then
Shapes("SpedX").Fill.ForeColor.RGB = RGB(0, 208, 0)
ThisWorkbook.Sheets("1. KALKULACE").Range("A13") = True
... (truncated)
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 3078656 bytes |
SHA-256: a6c0ad9a114b5c25fc6c6d74dc9f6aae93cf97e39946bf6a388939ee71f98686 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 long base64-like blob(s).
|
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: xl/media/image62.emf | 2984 bytes |
SHA-256: 47a6fdab6340a0ee27e4c7a84d2f008b0113ba1152a0373bce585980cceb5efe |
|||
emf_01.emf |
ooxml-emf | OOXML EMF part: xl/media/image61.emf | 2756 bytes |
SHA-256: 206bb9f9f581e49fe30d4f0651e3c82666e95f87768f8b617f046e74c109bba9 |
|||
emf_02.emf |
ooxml-emf | OOXML EMF part: xl/media/image60.emf | 2984 bytes |
SHA-256: a263119d4c02af73038210d27b5b301da662d5ce991f4a55f7eeb1e1ad5a5219 |
|||
emf_03.emf |
ooxml-emf | OOXML EMF part: xl/media/image59.emf | 2844 bytes |
SHA-256: 85c9cc0c41ef7801ad7edf261b00700656065778f4a33acb0a3a34ed921a86b5 |
|||
emf_04.emf |
ooxml-emf | OOXML EMF part: xl/media/image63.emf | 2984 bytes |
SHA-256: 386d5dc712d172542264ae3e2a3621fa728e240ab0692cc65e6abeb67ffe035c |
|||
emf_05.emf |
ooxml-emf | OOXML EMF part: xl/media/image64.emf | 2984 bytes |
SHA-256: 94ea8cbd2b3ae98cc59ca9a7b3e2e528dde7fcb54afe9f9e41e4986cd242745f |
|||
emf_06.emf |
ooxml-emf | OOXML EMF part: xl/media/image65.emf | 2844 bytes |
SHA-256: ef8091d340a3d181f4a9b4a7949fd4390fe6fc64dd38c83a03c9cb2f8a881e4f |
|||
emf_07.emf |
ooxml-emf | OOXML EMF part: xl/media/image67.emf | 2984 bytes |
SHA-256: b1db65f7dcc3a492f95f83a72669179fa8b4f0f9a505575f3ea8c0315305b83e |
|||
emf_08.emf |
ooxml-emf | OOXML EMF part: xl/media/image66.emf | 2984 bytes |
SHA-256: 032b42f12b5eaba96067ceade593361fd361e033de65580aa4d579ba8889cde9 |
|||
emf_09.emf |
ooxml-emf | OOXML EMF part: xl/media/image58.emf | 2984 bytes |
SHA-256: 01134c7319c848fcfe708712104006a914c67ee3aab0375aced62d33863a6afb |
|||
emf_10.emf |
ooxml-emf | OOXML EMF part: xl/media/image57.emf | 2984 bytes |
SHA-256: 3b9c0a9d02f64c3ea4376738be177a78557d537f3df13ffed4c71872026cb062 |
|||
emf_11.emf |
ooxml-emf | OOXML EMF part: xl/media/image56.emf | 2844 bytes |
SHA-256: fe10f179e3a44dfd4bde22e86f63ead959abfc5170656d6b00d8bd186d523e41 |
|||
emf_12.emf |
ooxml-emf | OOXML EMF part: xl/media/image48.emf | 2984 bytes |
SHA-256: 368684f8edee0bc1d95c36263b2c3ddca65793239cfba918f473e39419ecb45d |
|||
emf_13.emf |
ooxml-emf | OOXML EMF part: xl/media/image47.emf | 2844 bytes |
SHA-256: 1aa77771dbde5945551abc5da9c8061b8c868e81f9cb455fc09781210a557e77 |
|||
emf_14.emf |
ooxml-emf | OOXML EMF part: xl/media/image46.emf | 2984 bytes |
SHA-256: 459f5c5bd8299cc95a7ea7ed05fbae2e291ccd556540aea3aaabdf19302e14d6 |
|||
emf_15.emf |
ooxml-emf | OOXML EMF part: xl/media/image45.emf | 2984 bytes |
SHA-256: 3263cbf19b5822933cbf4f36f63d1daf9fe2d9a91078f926b87274b8a9e807b2 |
|||
emf_16.emf |
ooxml-emf | OOXML EMF part: xl/media/image49.emf | 2984 bytes |
SHA-256: a60afeec09115169868140895fab1f463599f2e67fa011b0825c29fbeb834b5f |
|||
emf_17.emf |
ooxml-emf | OOXML EMF part: xl/media/image50.emf | 2844 bytes |
SHA-256: 9e3ccf2fa5eb04ee4910f2f2cca7fb76b94fae14bc2663dae59ff07d809f8f24 |
|||
emf_18.emf |
ooxml-emf | OOXML EMF part: xl/media/image51.emf | 2984 bytes |
SHA-256: a41562d270e7649305ae6dcee5161a2eb6eeaa566eca89a59e6602d30f649c06 |
|||
emf_19.emf |
ooxml-emf | OOXML EMF part: xl/media/image55.emf | 2984 bytes |
SHA-256: daaf757b18cfc0becac72d0e475d4fc8ec53fb4a07dafbb9f45728805dcc75cd |
|||
emf_20.emf |
ooxml-emf | OOXML EMF part: xl/media/image54.emf | 2984 bytes |
SHA-256: 55c8c9845050608948428b3dd5d0ccd43ef1c729c5d36c9c2f3753974180e9c1 |
|||
emf_21.emf |
ooxml-emf | OOXML EMF part: xl/media/image53.emf | 2844 bytes |
SHA-256: 1c1f590b073a4ba419cbdd6f0bcfd08c93ef236c6ee9bca1be3ad8c00c36ea38 |
|||
emf_22.emf |
ooxml-emf | OOXML EMF part: xl/media/image52.emf | 2984 bytes |
SHA-256: 04f933818c73e27530ba2a20ac4c1a00338c941fd4f97592df39099ffe91b44b |
|||
emf_23.emf |
ooxml-emf | OOXML EMF part: xl/media/image44.emf | 2844 bytes |
SHA-256: c25292ce24c67693d29faa4feca1639e30bad47d78db3e168819922d82a8ef87 |
|||
emf_24.emf |
ooxml-emf | OOXML EMF part: xl/media/image43.emf | 2984 bytes |
SHA-256: acbedebc6d183b82f2ec8119e60c86c1b87cde5838574eb7e6e3ed030e4f976c |
|||
emf_25.emf |
ooxml-emf | OOXML EMF part: xl/media/image42.emf | 2984 bytes |
SHA-256: ec42c0e3c7a9391ead03a3fa75b0cbbda8c9d4c93f9c9032f866fdf5685a6d4f |
|||
emf_26.emf |
ooxml-emf | OOXML EMF part: xl/media/image10.emf | 5460 bytes |
SHA-256: 386dab88f99110c16997e23a5046ee5a03adafd961cef534b46ac6f99b26c248 |
|||
emf_27.emf |
ooxml-emf | OOXML EMF part: xl/media/image9.emf | 4256 bytes |
SHA-256: a5a1d3b02d17dec4d775dc8041a63f05f5bec736e3d363e233b54d073569f0d4 |
|||
emf_28.emf |
ooxml-emf | OOXML EMF part: xl/media/image8.emf | 5072 bytes |
SHA-256: 0ed6d5e7e93f5e64609712cdf8d7837533d45ad8458657041ce1019ffaa5016d |
|||
emf_29.emf |
ooxml-emf | OOXML EMF part: xl/media/image7.emf | 4812 bytes |
SHA-256: 9fdcccaca68945e5eaa0aa2d49be665c992d2ee9c81ead92e013f8657ce3e65e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.