Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 0fa91cac5712cfc0…

MALICIOUS

Hangul (OLE)

Size: 22.0 KB
First seen: 2020-09-15
MD5: 257a81471a001af1fa0d82069c92993c
SHA-1: d1b0676839c91de9e2f4f7d58c205a1bc4655e67
SHA-256: 0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a
Risk Score: 144

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The HWP document contains embedded PostScript (EPS) which is known to be a common exploit surface in targeted campaigns. Specifically, the sample utilizes the Ghostscript CVE-2017-8291 exploit primitive (.eqproc) to bypass SAFER restrictions, enabling file operations like execution or deletion. The embedded PostScript file, BinData_BIN0001.ps, likely contains the malicious payload executed via this exploit.

Heuristics (5)

  • Ghostscript SAFER bypass in HWP/EPS (severity: critical, CVE match: exact, ID: CVE_2017_8291)
    Detected Ghostscript CVE-2017-8291 exploit primitive: .eqproc. This matches the -dSAFER bypass/type-confusion family used by malicious EPS payloads embedded in HWP documents.
  • Embedded PostScript / EPS (severity: high, ID: HWP_POSTSCRIPT)
    HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
  • PostScript file operation (severity: high, ID: HWP_PS_FILE)
    PostScript file operation found (file/run/deletefile)
  • Decompressed OLE-wrapped HWP streams (severity: info, ID: HWP_COMPRESSED)
    Inflated 29196 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact (severity: info, ID: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                  Kind         Source                                   Size
BinData_BIN0001.ps        hwp-stream   HWP OLE stream: BinData/BIN0001.ps       10397 bytes
BodyText_Section0         hwp-stream   HWP OLE stream: BodyText/Section0        10936 bytes
DocInfo                   hwp-stream   HWP OLE stream: DocInfo                  7583 bytes
Scripts_DefaultJScript    hwp-stream   HWP OLE stream: Scripts/DefaultJScript   272 bytes

Artifact details

  • BinData_BIN0001.ps
    SHA-256: 0b300ebe8474e8d83e35b3750f2256d3aa336328787b9f07bf7f5dabb1a24116
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
  • BodyText_Section0
    SHA-256: 7aff4d002b6aa2337989c4fffb503d719162cebddea605eb191c28cdfde7f5d3
  • DocInfo
    SHA-256: 0c00431ac7af826ad68c0b4b1f5e4d79441b6c6a7b490637311f6d7f07ae6cff
  • Scripts_DefaultJScript
    SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4