Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 1b3406df940ca3d7…

MALICIOUS

Hangul (OLE)

Size: 128.0 KB
First seen: 2016-03-27
MD5: 11646733c59f92fb761de73533f68fad
SHA-1: f80e9926f39639f7c173a363be0ba517e2fe0037
SHA-256: 1b3406df940ca3d79090f7f225a71e14e9241d6fc03081ec840a2b2f14becf27
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment

The file is an OLE-wrapped HWP document exhibiting anomalies indicative of appended executable content. Embedded JavaScript scripts were extracted, suggesting an attempt to download and execute a secondary payload. The presence of these scripts and the appended payload strongly indicates a malicious intent, likely delivered via spearphishing.

Heuristics (3)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 131,072 bytes but its declared streams total only 58,812 bytes; 72,260 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (severity: high, rule: OLE_APPENDED_PAYLOAD)
    OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Decompressed OLE-wrapped HWP streams (severity: info, rule: HWP_COMPRESSED)
    Inflated 11,785 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                 Kind        Source                                Size
BodyText_Section0        hwp-stream  HWP OLE stream: BodyText/Section0      514 bytes
  SHA-256: f9635cc40c1da65ebe738bbc7b9cc0cf4d9030a1e8490b5aa0f77320606ed745
DocInfo                  hwp-stream  HWP OLE stream: DocInfo              10543 bytes
  SHA-256: 91e2c832f254e377519ac00849e6c7813549848f1a3fb3b8e77eff4dbd62cadb
Scripts_DefaultJScript   hwp-stream  HWP OLE stream: Scripts/DefaultJScript 420 bytes
  SHA-256: 3c083c37c73dc3a9d8a0b294b0ae8a31c3fff9097b4f50b0a3b824d2ade45263
Scripts_JScriptVersion   hwp-stream  HWP OLE stream: Scripts/JScriptVersion 308 bytes
  SHA-256: 902500b04826722dd94e0389bab596f652411ac64c9e4a59e85b2a836b94e4e7