MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The file contains multiple Excel 4.0 macro sheets, identified by the OOXML_XLM_MACROSHEET heuristic. These macros are designed to reassemble and execute a payload, as indicated by the OOXML_XLM_REASSEMBLED_PAYLOAD heuristic. The script content reveals attempts to download files from specific paths and an IP address, strongly suggesting a downloader functionality. The ClamAV detection further confirms its malicious nature as Hancitor.
Heuristics 3
-
Excel 4.0 macro sheet (12 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
XLM payload reassembled from CHAR()/split formulas critical OOXML_XLM_REASSEMBLED_PAYLOADAn Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL — the de-obfuscated download-and-run kill chain.
-
ClamAV: Xls.Downloader.Hancitor03224-9941795-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Hancitor03224-9941795-0
Extracted artifacts 12
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_sheet_00.bind5ef3fca628cdd3b79ea79ef87b64c244d4540ca25a247e6d763ce8e89fb41d8 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 419 bytes |
xlm_sheet_01.bin24248b76b3896d6a11ed5a7225806af151b7d6bfd4b3307b570f6cc7f4c1e970 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 363 bytes |
xlm_sheet_02.binb0005e1dd3f97083ec709cb439cb3fd0f36319b55adfed5150489074ce7d3029 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 3148 bytes |
xlm_sheet_03.binad3f3049795ad9fb9b2292fc08c39c2a625d0c5e1f7596d5f1e91f3dff5f31b9 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 363 bytes |
xlm_sheet_04.bin921c73905e3349ee5bd444af1edd0c6b94b072c8442d5c6208893e033a5e6f8f |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin | 363 bytes |
xlm_sheet_05.bin73b5b67d1b04c5c6100db84bdb95a2a56491742990f726fdc93c8f157d895302 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin | 2039 bytes |
xlm_sheet_06.bin76cffa02c4e1eef20721ebffd7dca300755b97f86dd55abf4eb9254daec16c05 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin | 964 bytes |
xlm_sheet_07.bin8083b9fbe02abbaa7524813daea94dc43c6c648f172470fe212fcdb9a429bf34 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin | 650 bytes |
xlm_sheet_08.bin2f7df502be105ffb45fff7ec4753701eb3f1d0e7283063859cb623f1d554c2c7 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin | 933 bytes |
xlm_sheet_09.bin7a161fb9deba2f79d0f6346dad2f33b76fa76b4899c1a9fcd60ea824b4f9b4f2 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.bin | 997 bytes |
xlm_sheet_10.bin83598336f66d51e6baaa099f05bb43b29afe62e83cdfef5a06a8b772ddefdb1b |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet10.bin | 873 bytes |
xlm_sheet_11.bin90f85b304382ef724ad8cad98f2cc3963d55071e8416f944516eded86a629729 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet11.bin | 757 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.