MALICIOUS
144
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a HWP document containing embedded PostScript, which is a known exploit surface. Specifically, the Ghostscript CVE-2017-8291 exploit primitive (.eqproc) was detected, indicating an attempt to bypass security measures and execute arbitrary code. This suggests the file is likely a malicious attachment delivered via spearphishing.
Heuristics 5
-
Ghostscript SAFER bypass in HWP/EPS critical CVE exact CVE_2017_8291Detected Ghostscript CVE-2017-8291 exploit primitive: .eqproc. This matches the -dSAFER bypass/type-confusion family used by malicious EPS payloads embedded in HWP documents.
-
Embedded PostScript / EPS high HWP_POSTSCRIPTHWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
-
PostScript file operation high HWP_PS_FILEPostScript file operation found (file/run/deletefile)
-
Decompressed OLE-wrapped HWP streams info HWP_COMPRESSEDInflated 177909 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
BinData_BIN0001.ps |
hwp-stream | HWP OLE stream: BinData/BIN0001.ps | 13105 bytes |
SHA-256: e39b74bd53a4c35f2cf235dedf2486142077439c03e5f0ffb1a9473856e42121 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
BodyText_Section0 |
hwp-stream | HWP OLE stream: BodyText/Section0 | 147627 bytes |
SHA-256: 3e16808981ddd6560c4f3091640880befcc1633ef3e1fe47f7eb581deebecc52 |
|||
DocInfo |
hwp-stream | HWP OLE stream: DocInfo | 16897 bytes |
SHA-256: 131421a51dbcb0f402afd580aabcc47d4641e426296d9c658a18ddd33d1caf65 |
|||
Scripts_DefaultJScript |
hwp-stream | HWP OLE stream: Scripts/DefaultJScript | 272 bytes |
SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.