Win.Trojan.GhostPuppet-6712722-3 — Hangul (OLE) malware analysis

Static analysis result for SHA-256 2e4b8f1f08983c5e…

MALICIOUS

Hangul (OLE)

Size: 373.0 KB · First seen: 2018-10-07
MD5: cac8b37ec856fb7c88a34f991f06aac9
SHA-1: efa951b8a6113f1d6902be6900a590e384a99500
SHA-256: 2e4b8f1f08983c5e042236ef811c291ee55dc05cb69172fbeafb9367af075ebf
Risk score: 204

Malware Insights

Win.Trojan.GhostPuppet-6712722-3 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV as Win.Trojan.GhostPuppet-6712722-3. Static analysis reveals embedded PostScript (EPS) within the HWP document, specifically triggering the CVE-2017-8291 Ghostscript SAFER bypass primitive. This indicates an attempt to execute arbitrary code, likely for downloading and running a secondary payload. The presence of the PostScript file operation heuristic further supports this.

Heuristics (6)

  • Ghostscript SAFER bypass in HWP/EPS (critical; CVE exact; CVE_2017_8291)
    Detected Ghostscript CVE-2017-8291 exploit primitive: .eqproc. This matches the -dSAFER bypass/type-confusion family used by malicious EPS payloads embedded in HWP documents.
  • ClamAV: Win.Trojan.GhostPuppet-6712722-3 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
  • Embedded PostScript / EPS (high; HWP_POSTSCRIPT)
    HWP contains embedded PostScript/EPS, a common exploit surface in targeted HWP campaigns
  • PostScript file operation (high; HWP_PS_FILE)
    PostScript file operation found (file/run/deletefile)
  • Decompressed OLE-wrapped HWP streams (info; HWP_COMPRESSED)
    Inflated 410707 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • BinData_BIN0001.PS
    Kind: hwp-stream · Source: HWP OLE stream: BinData/BIN0001.PS · Size: 391936 bytes
    SHA-256: d6b092c6f76524a8542d81a8a56298d840244d47b1dd8ed8d123452d3819d387
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
  • BodyText_Section0
    Kind: hwp-stream · Source: HWP OLE stream: BodyText/Section0 · Size: 686 bytes
    SHA-256: b69ccf758d0bf48d0e891639bfd346d1805bc3bf170befa7d1f6a175dc7e2f9c
  • BodyText_Section1
    Kind: hwp-stream · Source: HWP OLE stream: BodyText/Section1 · Size: 13783 bytes
    SHA-256: 55dffda43d357c18f355414af6ba28be16c8618ffea2b7b1ff4706847af5ad72
  • DocInfo
    Kind: hwp-stream · Source: HWP OLE stream: DocInfo · Size: 4022 bytes
    SHA-256: 0579f68f4085cb1db2c0b84c5efd2a6dc288300567feb20932182b0ad4fbbaa9
  • Scripts_DefaultJScript
    Kind: hwp-stream · Source: HWP OLE stream: Scripts/DefaultJScript · Size: 272 bytes
    SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4