Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The critical heuristic firing for 'OOXML_XLM_MACROSHEET' and the ClamAV detection 'Xls.Downloader.Hancitor03222-9941794-0' strongly indicate this is a malicious Excel 4.0 macro downloader. The embedded XLM macro sheet is likely responsible for fetching and executing a second-stage payload, consistent with the Hancitor family's known behavior.
Heuristics (2)
- ClamAV: Xls.Downloader.Hancitor03222-9941794-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Hancitor03222-9941794-0
- Excel 4.0 macro sheet (1 sheet(s)) (critical, OOXML_XLM_MACROSHEET): Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 4731 bytes | 92a4417f64192284343fe9e4daeb2b82208640004a7a411f46e6ffc80c5354cc |
Script preview: first 1,000 lines of the extracted script. Because the macro sheet is stored as BIFF12 binary content, the raw preview is not human-readable; decoding the XLM formulas requires a BIFF12/XLM parser rather than a text or XML viewer.