Hancitor — Office (OOXML) malware analysis

Static analysis result for SHA-256 ffb5b90289bd85ce…

MALICIOUS

Office (OOXML)

Size: 298.4 KB
Created: 2021-10-14 17:10:27 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-23
MD5: 145a6c3db2d7621487e6ba65a1e8191e
SHA-1: 0d6a4a5da4d91e3aae77a71ad7ec42d85f9ccf6e
SHA-256: ffb5b90289bd85ceb763db59e4656a3a4d00f482777da9476217b4c9f501a806
Risk Score: 120

Malware Insights

Hancitor · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Downloader.Hancitor03222-9941794-0, indicating it belongs to the Hancitor family. Static analysis revealed the presence of Excel 4.0 macros, a common technique for delivering secondary payloads. The macro sheet likely contains code to download and execute further stages of the infection chain.

Heuristics (2)

  • ClamAV: Xls.Downloader.Hancitor03222-9941794-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Hancitor03222-9941794-0
  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_sheet_00.bin
Kind: xlm-macrosheet
Source: OOXML XLM macro sheet: xl/macrosheets/sheet1.bin
Size: 4796 bytes
SHA-256: c016f514b665bddd29effae34bfbd23e2042400034f8dc04b532c258673cbf16
Preview script
First 1,000 lines of the extracted script
[Preview not renderable as text: the extracted macro sheet is BIFF12 binary content (xl/macrosheets/sheet1.bin) and the report's byte dump survives only as unprintable characters. The preview was truncated in the original report.]