Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Xls.Downloader.Hancitor03222-9941794-0, indicating it belongs to the Hancitor family. Static analysis revealed the presence of Excel 4.0 macros, a common technique for delivering secondary payloads. The macro sheet likely contains code to download and execute further stages of the infection chain.
Heuristics (2)

- ClamAV: Xls.Downloader.Hancitor03222-9941794-0 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Xls.Downloader.Hancitor03222-9941794-0.
- Excel 4.0 macro sheet, 1 sheet(s) (severity: critical, rule: OOXML_XLM_MACROSHEET). The spreadsheet contains an Excel 4.0 (XLM) macro sheet. XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.bin | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 4796 bytes | c016f514b665bddd29effae34bfbd23e2042400034f8dc04b532c258673cbf16 |
Preview script (first 1,000 lines of the extracted script): the extracted macro sheet is BIFF12 binary content, and the preview renders only as unprintable bytes and scattered characters; no readable script text is recoverable from it (preview truncated).