Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 0327c1cf8c7c700d…

MALICIOUS

Hangul (OLE)

Size: 46.0 KB. First seen: 2020-09-07
MD5: 1c669d4b2bea6b56dd6e00adabc6319f
SHA-1: 5939729a5dfe8b09cf093d47b7606b2055c8f182
SHA-256: 0327c1cf8c7c700d4674f045577c273fdeacd1db9cb7d52a9121e65517208757
Risk score: 144

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an HWP document carrying embedded PostScript (EPS), a well-known exploit surface in targeted HWP campaigns. Specifically, the .eqproc primitive of the Ghostscript CVE-2017-8291 exploit was detected: a type-confusion bug that bypasses the -dSAFER sandbox and leads to arbitrary code execution when the EPS is rendered by a vulnerable Ghostscript, as Hangul does for embedded EPS objects. A document lure that embeds a client-side exploit points to a malicious attachment delivered via spearphishing.

Heuristics (5)

  • Ghostscript SAFER bypass in HWP/EPS [severity: critical; CVE match: exact; ID: CVE_2017_8291]
    Detected the Ghostscript CVE-2017-8291 exploit primitive .eqproc. This matches the -dSAFER bypass/type-confusion family used by malicious EPS payloads embedded in HWP documents.
  • Embedded PostScript / EPS [severity: high; ID: HWP_POSTSCRIPT]
    The HWP contains embedded PostScript/EPS, a common exploit surface in targeted HWP campaigns.
  • PostScript file operation [severity: high; ID: HWP_PS_FILE]
    PostScript file operation found (file/run/deletefile).
  • Decompressed OLE-wrapped HWP streams [severity: info; ID: HWP_COMPRESSED]
    Inflated 177909 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.
  • Suspicious extracted artifact [severity: info; ID: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (4)

Files carved from inside the sample during analysis (filename, kind, source stream, size, hash, detection).

  • BinData_BIN0001.ps
    Kind: hwp-stream
    Source: HWP OLE stream BinData/BIN0001.ps
    Size: 13105 bytes
    SHA-256: e39b74bd53a4c35f2cf235dedf2486142077439c03e5f0ffb1a9473856e42121
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).
    A clean signature scan on the carved PostScript does not weaken the verdict: the heuristics above match the PostScript content itself, not a signature.
  • BodyText_Section0
    Kind: hwp-stream
    Source: HWP OLE stream BodyText/Section0
    Size: 147627 bytes
    SHA-256: 3e16808981ddd6560c4f3091640880befcc1633ef3e1fe47f7eb581deebecc52
  • DocInfo
    Kind: hwp-stream
    Source: HWP OLE stream DocInfo
    Size: 16897 bytes
    SHA-256: 131421a51dbcb0f402afd580aabcc47d4641e426296d9c658a18ddd33d1caf65
  • Scripts_DefaultJScript
    Kind: hwp-stream
    Source: HWP OLE stream Scripts/DefaultJScript
    Size: 272 bytes
    SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4
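The heuristic chain in this report (inflate the OLE-wrapped HWP streams, locate the embedded PostScript, look for the CVE-2017-8291 .eqproc primitive and PostScript file operators) and the base64-blob check applied to the carved artifacts can be reproduced with a short triage script. The following is an added example, not the report's own tooling. The OLE walk assumes the third-party olefile package and is only exercised when a file path is given on the command line; the scanning functions work on bytes and, with no argument, run against a constructed stand-in for the streams: a small PostScript stub carrying only the indicator tokens, not the exploit from the analysed sample. The heuristic IDs it returns follow the report's naming.

```python
"""Static triage of an OLE-wrapped HWP 5.x file (added example).

Inflates the raw-deflate-compressed streams and scans them for the indicators
the report's heuristics key on: embedded PostScript, the .eqproc primitive of
CVE-2017-8291, PostScript file operators and long base64-like blobs.
"""
import base64
import re
import sys
import zlib

# HWP 5.x stores these streams raw-deflate compressed (no zlib header) when
# the FileHeader compression flag is set; FileHeader itself never is.
COMPRESSED_PREFIXES = ("BinData/", "BodyText/", "DocInfo", "Scripts/")

# '.eqproc' is the Ghostscript internal operator abused by the CVE-2017-8291
# -dSAFER bypass; the file operators are what HWP_PS_FILE flags; the base64
# pattern mirrors the "long base64-like blob" check on carved artifacts.
EQPROC_RE = re.compile(rb"\.eqproc\b")
FILE_OP_RE = re.compile(rb"\b(file|run|deletefile|renamefile)\b")
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def inflate_hwp_stream(raw: bytes):
    """Return (data, was_compressed); a stream that fails to inflate is
    assumed to be stored uncompressed (compression flag cleared)."""
    try:
        return zlib.decompress(raw, -15), True
    except zlib.error:
        return raw, False


def scan_stream(data: bytes) -> dict:
    """Content checks on one inflated stream."""
    return {
        "is_postscript": data.lstrip().startswith(b"%!"),
        "eqproc": bool(EQPROC_RE.search(data)),
        "file_ops": sorted({m.decode() for m in FILE_OP_RE.findall(data)}),
        "base64_blobs": len(BASE64_RE.findall(data)),
    }


def triage_streams(streams: dict) -> dict:
    """streams maps 'Storage/Stream' paths to raw bytes as read from the OLE."""
    results = {}
    for path, raw in streams.items():
        compressed = False
        if path.startswith(COMPRESSED_PREFIXES):
            raw, compressed = inflate_hwp_stream(raw)
        r = scan_stream(raw)
        r.update(compressed=compressed, size=len(raw))
        results[path] = r
    return results


def heuristic_ids(results: dict) -> list:
    """Map per-stream findings onto the heuristic IDs used in the report."""
    ids = set()
    for r in results.values():
        if r["compressed"]:
            ids.add("HWP_COMPRESSED")
        if r["is_postscript"]:
            ids.add("HWP_POSTSCRIPT")
        if r["eqproc"]:
            ids.add("CVE_2017_8291")
        if r["is_postscript"] and r["file_ops"]:
            ids.add("HWP_PS_FILE")
        if r["base64_blobs"]:
            ids.add("EXTRACTED_FILE_STATIC_TRIAGE")
    return sorted(ids)


def load_ole_streams(path: str) -> dict:
    """Read every stream of an OLE compound file (assumes olefile is installed)."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return {"/".join(e): ole.openstream(e).read()
                for e in ole.listdir(streams=True, storages=False)}
    finally:
        ole.close()


# --- constructed sample input, not taken from the analysed file --------------
def _raw_deflate(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


SAMPLE_PS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"%%BoundingBox: 0 0 200 200\n"
    b"% constructed: carries the indicator tokens only, not a working exploit\n"
    b"{ pop } .eqproc\n"
    b"(out.txt) (w) file closefile\n"
    b"/blob (" + base64.b64encode(bytes(range(256))) + b") def\n"
)


def build_sample_streams() -> dict:
    """Stand-in for what load_ole_streams() returns for a compressed HWP."""
    return {
        "FileHeader": b"HWP Document File" + b"\x00" * 15,
        "DocInfo": _raw_deflate(b"\x00" * 64),
        "BinData/BIN0001.ps": _raw_deflate(SAMPLE_PS),
    }


if __name__ == "__main__":
    streams = load_ole_streams(sys.argv[1]) if len(sys.argv) > 1 else build_sample_streams()
    res = triage_streams(streams)
    for path, r in res.items():
        print(f"{path:24} {r['size']:7d} bytes  {r}")
    print("heuristics:", heuristic_ids(res))
```

On the constructed streams the script reports HWP_COMPRESSED, HWP_POSTSCRIPT, CVE_2017_8291, HWP_PS_FILE and EXTRACTED_FILE_STATIC_TRIAGE, the same five IDs the report lists. Note that inflating is attempted only for the stream families HWP compresses; treating a decompression failure as "stored uncompressed" keeps the scan running on files whose FileHeader flag is cleared, at the cost of occasionally scanning garbage if a corrupted stream happens to inflate.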