Hancitor — Office (OOXML) malware analysis

Static analysis result for SHA-256 e59e33965393a039…

MALICIOUS

Office (OOXML)

306.5 KB Created: 2021-11-05 12:11:56 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-11-24
MD5: 3727cdd6649f99e8f3416255133163bf SHA-1: 97472343074e745b775fad425e09174e5675912f SHA-256: e59e33965393a039b856a925f94bbf82a7689fcd90d1bbf2fa152c7a6c29aa15
120 Risk Score

Malware Insights

Hancitor · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file was identified as malicious by ClamAV with the signature Xls.Downloader.Hancitor03222-9941794-0, indicating it belongs to the Hancitor family. Static analysis revealed the presence of Excel 4.0 macros, a common technique for initial execution and payload delivery. These macros are likely responsible for downloading and executing a secondary stage, consistent with Hancitor's typical behavior.

Heuristics 2

  • ClamAV: Xls.Downloader.Hancitor03222-9941794-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Hancitor03222-9941794-0
  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_sheet_00.bin xlm-macrosheet OOXML XLM macro sheet: xl/macrosheets/sheet1.bin 5257 bytes
SHA-256: 5928da5f6085cb4613fae3ba9475e7ae01c0413a6d961b0b1ace72dd123cb7c4
Preview script
First 1,000 lines of the extracted script
�  �  �   @      ��������    �                  �  %      ��                  & �  �             @   d           � $    #               #   #           �  �  �  ����  ,     �  <         m
        <          
        <         m
        <         $         �  �            ,                                        ,                                        ,                                        ,                                        ,                                                      ,                              
�            �   D
    � j    A  D
    �      A   D
    �      A   D
    � Y    A   D
    � Y    A    3 Ao   2 Ao   S Ao D
    �      A   D
    �      A   D
    � (    A   D
    � (    A    E Ao   x Ao  D
    �      A   D
    � �    A   D
    � 
    A   D
    �      A   D
    �      A   D
    � �    A    J Ao  J Ao   C Ao   C Ao   C Ao   C Ao   J Ao   J Ao     D     �      A  D     � 	    A   D     �      A   D     �      A   D     �      A  D     � q    A   D     �      A    / Ao D     �      A   D     �      A   D     � a    A   D     � �    A   D     �      A   D     �      A   D     �      A   D     �      A    % Ao  D     � `    A   D     �      A   D     �      A   D     � M    A   D     �      A   D     �      A   D     � a    A   D     �      A   D     �      A   D     �      A   D     �      A    % Ao   \ Ao  D     � +    A   D     � >    A   D     �      A   D     �      A   D     �      A   D     � "    A         B	� $     �B �  @                 ,                                                      ,                          	             
             ,                              
J           7       AJ  @     0 0 : 0 0 : 0 4  @   B ��$     �B �  @         	       ,                                        
     
       ,                                                      ,                                                      ,                              
�	           v   D     � '    A  D     � O    A   D     � K    A   D     � �    A   D     �      A   D     �      A    U Ao  R Ao   L Ao   D Ao  D     �      A   D     � #    A   D     � 	    A   D     �      A   D     �      A   D     � 
    A   D     �      A   D     � �    A   D     �      A   D     � �    A   D     �      A   D     �      A   D     �      A   D     � �    A    J Ao  J Ao   C Ao   C Ao   J Ao   J Ao     D     �      A  D     �      A   D     �      A   D     � �    A    : Ao   / Ao   / Ao   2 Ao   0 Ao   6 Ao  D     � .    A    1 Ao   8 Ao   8 Ao  D     � .    A    1 Ao   9 Ao   6 Ao  D     � .    A    2 Ao   0 Ao   4 Ao   C Ao D     � �    A    \ Ao   P Ao  D     �      A   D     �      A   D     � �    A   D     �      A   D     �      A   D     �      A    D Ao  D     �      A   D     �      A   D     �      A    \ Ao  D     �      A   D     �      A   D     �      A   D     �      A   D     � +    A   D     � �    A    \ Ao  D     �      A   D     �      A   D     �      A   D     �      A   D     � +    A   D     � �    A   D     � #    A   D     �      A   D     � 
    A   D     � 
    A         B � $     �B �  @         
       ,                                                      ,                                                      ,                              
J           7       AJ  @     0 0 : 0 0 : 1 2  @   B ��$     �B �  @                 ,                                                      ,                              
�	           �   D
    � j    A  D
    �      A   D
    �      A   D
    � Y    A   D
    � Y    A    3 Ao   2 Ao   S Ao D
    �      A   D
    �      A   D
    � (    A   D
    � (    A    E Ao   x Ao  D
    �      A   D
    � �    A   D
    � 
    A   D
    �      A   D
    �      A   D
    � �    A    J Ao  J Ao   C Ao   C Ao   C Ao   C Ao   J Ao   J Ao     D     �      A  D     � 	    A   D     �      A   D     �      A   D     �      A  D     � q    A   D     �      A    / Ao D     �      A   D     �      A   D     �      A   D     � "    A   D     � +    A   D     �      A   D     � A    A   D     � A    A    3 Ao   2 Ao  D     �      A    % Ao  D     �      A   D     �      
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.