Hancitor — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 9d8cb1204c835715…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOC

Size: 366.5 KB
Created: 2020-11-04 10:05:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 52fd82d4e234d5f913fd89a000d20171
SHA-1: 720812694fb50f5e0fffac24b2edaab370539826
SHA-256: 9d8cb1204c8357152aec8acbf14092de7edd88189eaa6f9cfb8b9b8dbff001e8
Risk Score: 380

Malware Insights

Hancitor · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The file contains VBA macros with an AutoOpen function, indicative of malicious intent. Critical heuristics indicate the use of Shell() and CreateObject(), and a high-confidence heuristic points to CVE-2026-21514 exploitation via an embedded OLE object. ClamAV detection as 'Doc.Dropper.Hancitor-9845854-0' strongly suggests the Hancitor family. The primary attack pattern involves exploiting Office vulnerabilities to download and execute a secondary payload.

Heuristics (10)

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 (severity: high; CVE likely; ID: CVE_2026_21514)
    Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • Shell() call in VBA (severity: critical; ID: OLE_VBA_SHELL)
    Shell() call in VBA
  • ClamAV: Doc.Dropper.Hancitor-9845854-0 (severity: critical; ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-9845854-0
  • ClamAV detection on extracted artifact (severity: critical; ID: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • AutoOpen macro (severity: high; ID: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (severity: high; ID: OLE_VBA_CREATEOBJ)
    CreateObject call
  • Suspicious extracted artifact (severity: high; ID: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML (severity: medium; ID: OOXML_VBA)
    Document contains vbaProject.bin (VBA macros present).
  • Embedded OLE object (severity: medium; ID: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 6aba9d9029cc9b92926e6182b146303e0270887a6bc472b1e8cd8318c16a69a4
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 2485 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Note: Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: ooxml_oleobject_00.bin
SHA-256: a12e7283688c67e10f0207c0d64f64d4219173a800daf227a11c988aa835cd5c
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
Size: 319488 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: 0435a5db23d7eda5f8626bc3b7c168939e810c5d4237f4a8a70f5366b9bf2726
Kind: ole-package
Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
Size: 314668 bytes

Filename: vbaProject_00.bin
SHA-256: 8b1c2c1837ad501f2ddf2efd1bddb9676cbd845d8eee015a40e7887086d6a0c1
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 28672 bytes
Detection: ClamAV: Doc.Dropper.Hancitor-9845854-0
Obfuscation or payload: likely
Note: Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: emf_00.emf
SHA-256: 98b203125dd8d73f2b26042372a745e82781a9fa3c12e33b39ecf09631ad0e18
Kind: ooxml-emf
Source: OOXML EMF part: word/media/image2.emf
Size: 5416 bytes