Hancitor Office (OOXML) malware analysis — malicious · 26a6d15bb1693907

MALICIOUS

Office (OOXML)

303.4 KB Created: 2021-10-12 17:10:45 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-10-23

MD5: 230bf757fee0a8e598138861837b0ecb SHA-1: 9901a0aad2f643a9065d009c92cc2885d6a0c31d SHA-256: 26a6d15bb16939076bf726e4e573b2519f7fa222c35a3b5361d9c208a10b284b

120 Risk Score

Malware Insights

Hancitor · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file was identified as an Excel 4.0 macro sheet, a common technique for delivering malware. ClamAV detection confirms it as Hancitor, a known downloader. The macro sheet likely contains obfuscated commands to fetch and execute a malicious payload from a remote source.

Heuristics 2

ClamAV: Xls.Downloader.Hancitor03222-9941794-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Hancitor03222-9941794-0
Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET

Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_sheet_00.bin xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 4990 bytes

Filename	Kind	Source	Size
`xlm_sheet_00.bin`	xlm-macrosheet	OOXML XLM macro sheet: xl/macrosheets/sheet1.bin	4990 bytes
SHA-256: `c3c0afbaab2b77fa599a9ccc7eebfa88ade222f104a3d8586ed8e4ded86fecba`
Preview script First 1,000 lines of the extracted script � � � @ �� b � % �� & � � @ d � $ � � � & , � < �� , , , , , , � � D � b A D � A D � A D � A D � A D � j A D � < A D � � A D � A D � A D � A D � A D � 6 A D � � A D � A D � A D � , A D � A D � A D � H A J Ao J Ao C Ao C Ao C Ao C Ao J Ao J Ao D � A D � A D � A D � x A D � F A D � A D � A / Ao D � � A D � A D � A k Ao D � V A D � A D � A D � A % Ao D � A D � A D � A D � X A D � A D � A D � A D � V A D � A D � A D � A % Ao \ Ao D � A v Ao D � # A D � A D � A B � , , , : ' AJ @ 0 0 : 0 0 : 0 4 @ B �� , , , , � h D � A D � A D � A D � e A D � A D � % A U Ao D � � A L Ao D Ao D � A D � A D � A D � A D � A D � A D � A D � 2 A D � A D � � A D � A D � A D � A A Ao J Ao J Ao D � ' A D � ' A J Ao J Ao D � A D � A D � A D � ) A : Ao / Ao / Ao D � � A 9 Ao 4 Ao D � * A 7 Ao 6 Ao D � * A D � � A D � � A 5 Ao D � * A 9 Ao 9 Ao C Ao : Ao \ Ao D � � A D � A D � A D � A D � A D � A D � A D Ao D � A D � A D � A \ Ao D � A D � a A D � A D � A D � $ A \ Ao D � A D � a A D � A D � A D � $ A D � A D � ' A D � { A D � { A B � , , , : ' AJ @ 0 0 : 0 0 : 1 2 @ B �� , , � ? D � b A D � A D � A D � A D � A D � j A D � < A D � � A D � A D � A D � A D � A D � 6 A D � � A D � A D � A D � , A D � A D � A D � H A J Ao J Ao C Ao C Ao C Ao C Ao J Ao J Ao D � A D � A D � A D � x A D � F A D � A D � A / Ao D � 3 A D � A D � A D � A D � A D � A D � A D � A D � A 2 Ao D � A % Ao D � � A D � A D � A D � v A D � A D � A D � A D � A D � A D � A D � A % Ao \ Ao D � A D � ! A D � � A D � S A D � A \ Ao D � A D � ! A D ... (truncated)

SHA-256: c3c0afbaab2b77fa599a9ccc7eebfa88ade222f104a3d8586ed8e4ded86fecba

Preview script

First 1,000 lines of the extracted script

�  �  �   @      ��������    �      b           �  %      ��                  & �  �             @   d           � $                                    �  �  �   &    ,     �  <         ��        �  �            ,                          ,                          ,                          ,                          ,                                        ,                
�            �   D
    � b    A  D
    �      A   D
    �      A   D
    �      A   D
    �      A   D
    � j    A   D
    � <    A   D
    � �    A  D
    �      A   D
    �      A   D
    �      A   D
    �      A   D
    � 6    A   D
    � �    A   D
    �      A   D
    �      A   D
    � ,    A   D
    �      A   D
    �      A   D
    � H    A    J Ao  J Ao   C Ao   C Ao   C Ao   C Ao   J Ao   J Ao     D     �      A  D     �      A   D     �      A   D     � x    A   D     � F    A  D     �      A   D     � 	    A    / Ao D     � �    A   D     � 
    A   D     �      A    k Ao  D     � V    A   D     �      A   D     �      A   D     � 
    A    % Ao  D     �      A   D     �      A   D     �      A   D     � X    A   D     �      A   D     �      A   D     �      A   D     � V    A   D     �      A   D     �      A   D     �      A    % Ao   \ Ao  D     �      A    v Ao  D     � #    A   D     �      A   D     �      A         B	�               ,                                        ,                                        ,                
:           '       AJ  @     0 0 : 0 0 : 0 4  @   B ��      	       ,                                
       ,                                        ,                                        ,                
�            h   D     �      A  D     �      A   D     �      A   D     � e    A   D     � 
    A   D     � %    A    U Ao D     � �    A    L Ao   D Ao  D     �      A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A   D     � 2    A   D     �      A   D     � �    A   D     �      A   D     �      A   D     �      A    A Ao   J Ao  J Ao  D	    � '    A   D	    � '    A    J Ao   J Ao     D     � 
    A  D     �      A   D     �      A   D     � )    A    : Ao   / Ao   / Ao  D     � �    A    9 Ao   4 Ao  D     � *    A    7 Ao   6 Ao  D     � *    A   D     � �    A   D     � �    A    5 Ao  D     � *    A    9 Ao   9 Ao   C Ao  : Ao   \ Ao  D     � �    A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A   D     � 
    A    D Ao  D     �      A   D     �      A   D     �      A    \ Ao  D     �      A   D     � a    A   D     �      A   D     �      A   D     � $    A    \ Ao  D     �      A   D     � a    A   D     �      A   D     �      A   D     � $    A   D     �      A   D     � '    A   D     � {    A   D     � {    A         B �       
       ,                                        ,                                        ,                
:           '       AJ  @     0 0 : 0 0 : 1 2  @   B ��              ,                                        ,                
�
           ?   D
    � b    A  D
    �      A   D
    �      A   D
    �      A   D
    �      A   D
    � j    A   D
    � <    A   D
    � �    A  D
    �      A   D
    �      A   D
    �      A   D
    �      A   D
    � 6    A   D
    � �    A   D
    �      A   D
    �      A   D
    � ,    A   D
    �      A   D
    �      A   D
    � H    A    J Ao  J Ao   C Ao   C Ao   C Ao   C Ao   J Ao   J Ao     D     �      A  D     �      A   D     �      A   D     � x    A   D     � F    A  D     �      A   D     � 	    A    / Ao D     � 3    A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A    2 Ao  D     �      A    % Ao  D     � �    A   D     �      A   D     � 
    A   D     � v    A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A   D     �      A    % Ao   \ Ao  D     �      A   D     � !    A   D     � �    A   D     � S    A   D     �      A    \ Ao  D     �      A   D     � !    A   D   
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.