Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 1bd72ecad0cd21c6…

MALICIOUS

Hangul (OLE)

Size: 217.0 KB
First seen: 2017-11-29
MD5: 60d9c060178f4427d5ca3d565c0342ed
SHA-1: 1c1c87448be130e665eabeb7f6ba39ab08297c49
SHA-256: 1bd72ecad0cd21c63c33b074bf5a5e20b936a699bc449dfd50551669785f8901
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059 Command and Scripting Interpreter

The HWP document contains embedded PostScript code, indicated by the 'HWP_POSTSCRIPT' and 'HWP_PS_SYSTEM' heuristics. The PostScript 'system' operator is a known primitive for executing OS commands, suggesting an exploitation attempt for client execution. The presence of a large slack space and an embedded PostScript file ('BinData_BIN0001.ps') further supports this. The exact nature of the executed command is not directly discernible from the provided evidence.

Heuristics (6)

  • PostScript system call (severity: critical, rule: HWP_PS_SYSTEM)
    PostScript 'system' operator found — some interpreters expose this as an OS command primitive
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 222,208 bytes but its declared streams total only 105,731 bytes — 116,477 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded PostScript / EPS (severity: high, rule: HWP_POSTSCRIPT)
    HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
  • PostScript file operation (severity: high, rule: HWP_PS_FILE)
    PostScript file operation found (file/run/deletefile)
  • Decompressed OLE-wrapped HWP streams (severity: info, rule: HWP_COMPRESSED)
    Inflated 366,214 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename             Kind         Source                               Size
BinData_BIN0001.ps   hwp-stream   HWP OLE stream: BinData/BIN0001.ps   207,953 bytes
    SHA-256: 80066370d7b202222a62c1a86fa0a0515a87899725e695c553ada4d8ad5189c2
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
BodyText_Section0    hwp-stream   HWP OLE stream: BodyText/Section0    151,949 bytes
    SHA-256: 1467de95b054480dfc0950ffd1ddb7e17fa0590c830d123d09dade8e50170564
DocInfo              hwp-stream   HWP OLE stream: DocInfo              6,284 bytes
    SHA-256: 498ac34dcaee6f3164b84968079b0420adbab6049ee7ef1ceb4b19f975e8eae3