Files packaged with Excel-DNA, from which a DLL containing 2 URLs pointing to Discord is extracted. These download data files and encode them with XOR, creating additional DLLs, which initiate the malware infection.
Technical analysis by the Malware Hunter JAMESWT
Hancitor is still hiding in a DocuSign email. The doc attachment is downloaded each time from a different URL and contains the DLL with the malware. The final payload is unknown.
Hancitor is still hiding inside a DocuSign email.
The doc attachment, which can be downloaded by opening the link in the text (the yellow button), contacts a different URL each time and downloads a document that varies with each operation. Inside there is a DLL with malware (aka Chanitor).
It is unknown, however, which payload is downloaded next. In the latest cybercrime campaigns this was CobaltStrike or FickerStealer, an info-stealer that targets PCs with Windows operating systems, from XP to 10.