Hancitor — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 6760680b1220faeb…

MALICIOUS

Office (OOXML) / .XLSX

Size: 618.8 KB
Created: 2015-06-05 18:19:34 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 51f8edc8ce88da91c4870e9588ca2bce
SHA-1: c76487653c1e0cba08da999577e880a890970060
SHA-256: 6760680b1220faeb2dafa78087690f37b70b94fea5e8d58af2266e4f5186e0f5
Risk score: 180

Malware Insights

Hancitor · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file contains multiple Excel 4.0 (XLM) macro sheets, a feature widely abused for malicious purposes. The macros reassemble a payload from split formulas and download it from the embedded URLs, most likely to execute a second-stage malware. The ClamAV detection name 'Xls.Downloader.Hancitor03224-9941795-0' strongly suggests the Hancitor family.

Heuristics (3)

  • Excel 4.0 macro sheet (12 sheets) [critical] OOXML_XLM_MACROSHEET
    The spreadsheet contains Excel 4.0 (XLM) macro sheets. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheets are stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • XLM payload reassembled from CHAR()/split formulas [critical] OOXML_XLM_REASSEMBLED_PAYLOAD
    An Excel 4.0 macro sheet builds its payload inside the formula token stream by concatenating per-character CHAR() calls and string fragments, so no WinAPI name, shell command, or URL is ever contiguous in the .bin for a literal-bytes scan to find. Reassembling the formulas recovered download/execute API names, LOLBin commands (regsvr32/rundll32/mshta/wmic/powershell), or a payload URL: the de-obfuscated download-and-run kill chain.
  • ClamAV: Xls.Downloader.Hancitor03224-9941795-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Hancitor03224-9941795-0

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
xlm_sheet_00.bin | d5ef3fca628cdd3b79ea79ef87b64c244d4540ca25a247e6d763ce8e89fb41d8 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet1.bin | 419 bytes
xlm_sheet_01.bin | 24248b76b3896d6a11ed5a7225806af151b7d6bfd4b3307b570f6cc7f4c1e970 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet2.bin | 363 bytes
xlm_sheet_02.bin | b0005e1dd3f97083ec709cb439cb3fd0f36319b55adfed5150489074ce7d3029 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 3148 bytes
xlm_sheet_03.bin | ad3f3049795ad9fb9b2292fc08c39c2a625d0c5e1f7596d5f1e91f3dff5f31b9 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet3.bin | 363 bytes
xlm_sheet_04.bin | 921c73905e3349ee5bd444af1edd0c6b94b072c8442d5c6208893e033a5e6f8f | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet4.bin | 363 bytes
xlm_sheet_05.bin | 73b5b67d1b04c5c6100db84bdb95a2a56491742990f726fdc93c8f157d895302 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet5.bin | 2039 bytes
xlm_sheet_06.bin | 76cffa02c4e1eef20721ebffd7dca300755b97f86dd55abf4eb9254daec16c05 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet6.bin | 964 bytes
xlm_sheet_07.bin | 8083b9fbe02abbaa7524813daea94dc43c6c648f172470fe212fcdb9a429bf34 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet7.bin | 650 bytes
xlm_sheet_08.bin | 2f7df502be105ffb45fff7ec4753701eb3f1d0e7283063859cb623f1d554c2c7 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet8.bin | 933 bytes
xlm_sheet_09.bin | 7a161fb9deba2f79d0f6346dad2f33b76fa76b4899c1a9fcd60ea824b4f9b4f2 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet9.bin | 997 bytes
xlm_sheet_10.bin | 83598336f66d51e6baaa099f05bb43b29afe62e83cdfef5a06a8b772ddefdb1b | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet10.bin | 873 bytes
xlm_sheet_11.bin | 90f85b304382ef724ad8cad98f2cc3963d55071e8416f944516eded86a629729 | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/intlsheet11.bin | 757 bytes