Verdict: MALICIOUS (Risk Score: 120)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file was identified as malicious by ClamAV with the signature Xls.Downloader.Hancitor03222-9941794-0, indicating it belongs to the Hancitor family. Static analysis revealed the presence of Excel 4.0 macros, a common technique for initial execution and payload delivery. These macros are likely responsible for downloading and executing a secondary stage, consistent with Hancitor's typical behavior.
Heuristics (2)
- ClamAV: Xls.Downloader.Hancitor03222-9941794-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Hancitor03222-9941794-0
- Excel 4.0 macro sheet (1 sheet(s)) (critical, OOXML_XLM_MACROSHEET): Spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 5257 bytes | 5928da5f6085cb4613fae3ba9475e7ae01c0413a6d961b0b1ace72dd123cb7c4 |
Preview script: first 1,000 lines of the extracted script (the macro sheet is BIFF12 binary content, so the raw preview is not human-readable).