Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file was identified as an Excel 4.0 macro sheet, a common technique for delivering malware. ClamAV detection confirms it as Hancitor, a known downloader. The macro sheet likely contains obfuscated commands to fetch and execute a malicious payload from a remote source.
Heuristics 2
- ClamAV: Xls.Downloader.Hancitor03222-9941794-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Hancitor03222-9941794-0
- Excel 4.0 macro sheet (1 sheet(s)) (critical, OOXML_XLM_MACROSHEET): Spreadsheet contains an Excel 4.0 (XLM) macro sheet; XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 4990 bytes |

SHA-256: c3c0afbaab2b77fa599a9ccc7eebfa88ade222f104a3d8586ed8e4ded86fecba

Preview script: first 1,000 lines of the extracted script