The fake pdf attached to the "PURCHASE ORDER 05-30-2023" email contains a link, from which you download a tgz file with a TAR, inside which there is an exe: the malware.
Cybercrime, Hancitor is back hidden in a DocuSign email
Technical analysis by the Malware Hunter JAMESW
Hancitor is back, hidden in a DocuSign e-mail. The doc attachment is downloaded each time from a different url and contains the dll with the malware. The final payalod is unknown
Hancitor is back, hidden inside a DocuSign email.
The doc attachment, which can be downloaded by opening the link in the text (the yellow button), contacts a different url each time and downloads a document that varies with each operation. Inside there is a dll with malware (aka Chanitor).
The next payload downloaded, however, is unknown. In the latest cybercrime campaigns, however, this was CobaltStrike or FickerStealer, an info-stealer that targets Windows-based PCs from XP to 10.