Detailed Technical Analysis Report of eFax Spam Campaign Delivers Hancitor Malware Detailed Technical Analysis Report of eFax Spam Campaign Delivers Hancitor Malware
Trojan,Malware Analysis | 08/09/2018

Detailed Technical Analysis Report of eFax Spam Campaign Delivers Hancitor Malware

When was the last time you checked your PC health? Do you know your PC requires a regular Check Up!!!

eFax Notification Delivers Hancitor Malware


Recently a new malware campaign has been seen that targets US country, in which an attacker is sending phishing emails with malicious links or an attachment of Office Document in the Email.

In case, if the Email contains a malicious link then it downloads the malicious office document when the person clicked on it.

In another scenario, Email contains an attachment of a malicious office document.

In both the scenario, the malicious document contains a malicious macro script that automatically downloads the additional malware on the user’s machine.

Get peace of mind! Get rid of malicious programs instantly

Free Malware Scan Compatible with Win 10,8.1,8 & 7

Flow Chart:

Flow Chart

Technical Analysis of eFax Notification Delivers Hancitor Malware

File Name: fax.doc

MD5: 00955C1DB30DDC172086A061AB158F00

File Type: DOC

Spread Via:  E-mail

Detail Description of eFax Notification Delivers Hancitor Malware with Screenshots:

During execution of fax.doc, it’s launch Microsoft Word application

By default, Microsoft Office Application has turned on the Protected Mode Feature & Also Disabled the Macro’s for security purposes.

In case, if the user disabled the protection mechanism & enabled the macro’s feature then the warning message notification didn’t pop up. And it will harm your system.

So, it’s always recommended to never disable the protection mode.

As shown below, Enable Content Button, it shows another warning message (“Macros have been disabled”).

Enable Content Warning

Figure 1 Enable Content Warning

In case, if the user clicks on the Enable Content button or doesn’t use Microsoft Default Protected View Mode, the Malicious macro will automatically get started in the background.

Also, Read: Detailed Technical Analysis Report of Fox Ransomware

As shown below, winword.exe creates several processes

Process Tree

Figure 2 Process Tree

As shown below, fax.doc contain malicious macro which is not clearly visible and understandable by the normal user.

Below macro code has Sub Document_Open() function which means on opening the Document, the malicious macro code will be get activated.

Macro Code

Figure 3 Macro Code

By analyzing the above macro code, we came to know that it contains the malicious hidden embedded object, which is not clearly visible with naked eyes.

As shown above (Figure 1), On opening the document it shows the eFax image file; during analysis when we deleted the image file. We have seen the small embedded file in the document as shown below.

Embedded Hidden Object

Figure 4 Embedded Hidden Object

After enlarging the embedded file

Large Object

Figure 5 Enlarging Embedded Object

Properties of the Embedded Object File


Figure 6 Properties of the Embedded Object

As shown below, when we opened the embedded object in the notepad it shows us the bad actor user machine name (“Win7home”) and it also tells us that it’s an executable file (MZ header).

Notepad Strings

Figure 7 Embedded Object Strings

As shown below, following macro code read the location of the embedded object and store it into the clipboard


Figure 8 Reading location of the embedded object

Thereafter, it stores the file in %temp% location with the name of 6.pif with the help of cmd.exe that contains the ping request (Ping localhost till 100 times).

As shown below, macro code also checks for running security processes with the help of WMI query it fetches the current running process list by executing the SQL command (“Select * from Win32_Process”) and filter the list based on their criteria; If it founds any one of them bdagent.exe (Bitdefender Antivirus) and PSUAMain.exe (Panda Antivirus) is running then it drops the 1.hta file into the victim machine at %temp% location to bypass the Antivirus check.

Security Process

Figure 9 Security Process Check

For verification this thing, we created the fake process with the name of bdagent.exe and then we ran the malicious code, as shown below it creates mshta.exe then it executes the 6.exe (hancitor malware) following is a process tree

bdagent process Tree

Figure 10 Security Check Process Tree

As shown below, the macro code contains the base64 encoded code for 1.hta file

Base64 Encoded

Figure 11 Base64 Encoded String

As shown below, after decoding the encoded part we can see the actual code of it


Figure 12 After Decode


As shown below, this macro code also contains the Document Close event, which means on closing the document, the specific code will be executed. As per the below code, it attempts to save as the document without any macro code or we can say it overwrites the file by deleting all the content from it (as a fresh copy).

Document Close

Figure 13 Close Event

Kill SaveAs

Figure 14 Save As the Document



Associated File Hash

Main File Hash: 00955C1DB30DDC172086A061AB158F00

Filename:          1.hta

MD5:               1C8C253EE24BC0CF77802D8C0B7EB6A0

SHA1:              3DF46D1DA7B9C95D94C78C76CF25B9FE6419BE5D

Filename:           6.exe

MD5:               992F079A832820C61388F753DAB1114D

SHA1:              BAE66D6FDA6492399826B3EE6853B35209B5DD42

Filename:           fax.doc

MD5:                EB1C46D1C35B9A11E4165EF71878FAB3

SHA1:              239593CA5683B9AB6694998D83592C5A36497FB4

Associated URL




Also, Read: Detailed Technical Analysis Report of Fake Brightpay Payslip Notification Campaign

Are you worried about your PC health?

Check your PC Health for Free!

Powered By:howtoremoveit.info Run Free Scan

Tips to Prevent virus and malware from Infecting Your System:
  1. Enable your popup blocker: Pop-ups and ads on the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs.
    So, avoid clicking uncertain sites, software offers, pop-ups etc. and Install a powerful ad- blocker for ChromeMozilla, and IE
  2. Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update.By doing this you can keep your device free from virus.According to the survey, outdated/older versions of Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
  4. Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection.Thus always backup important files regularly on a cloud drive or an external hard drive.
  5. Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good Malware Removal Tool like Download Virus RemovalTool


× Zoom Image