Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 3454def5141a10be…

MALICIOUS

Hangul (OLE)

1.52 MB First seen: 2018-02-19
MD5: 3605429747a00f90787174376ee0fea1
SHA-1: 8bc82b70737215bed3f3a818830fc5d940a157fe
SHA-256: 3454def5141a10bed8e04a24a610f503ec0d1c76ec7d48ded9c0cbb6d280463c
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The OLE file has an appended executable payload, indicating it is designed to deliver malware. While several URLs were extracted, they are all confirmed benign and likely related to document metadata. No scripts were extracted, and the document body was unreadable, preventing a more specific analysis of the attack pattern or family. The presence of an appended payload strongly suggests a downloader or dropper functionality.

Heuristics (4)

  • OLE file has appended executable-looking payload bytes (severity: high, rule: OLE_APPENDED_PAYLOAD)
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • External URL (severity: medium, rule: HWP_URL)
    Found 59 URL(s) in document
  • Decompressed OLE-wrapped HWP streams (severity: info, rule: HWP_COMPRESSED)
    Inflated 3767793 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs, each followed by the channel label that reached it:
    • http://ns.adobe.com/xap/1.0/ [HWP document reference]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/ [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# [In document text (OLE body)]
    • http://purl.org/dc/elements/1.1/ [In document text (OLE body)]
    • http://ns.adobe.com/photoshop/1.0/ [In document text (OLE body)]
    • http://www.iec.ch [In document text (OLE body)]

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
BinData_BIN0001.jpg hwp-stream HWP OLE stream: BinData/BIN0001.jpg 182277 bytes
SHA-256: 79be4f09bbf572c3a4efb44181d44c18c2bbb8623c2109ae11bd1c19f8f9c46b
BinData_BIN0002.jpg hwp-stream HWP OLE stream: BinData/BIN0002.jpg 183692 bytes
SHA-256: 72d31b1ee432fd41e9ba82829742aa677274d4e9e671395c26142a1f40474238
BinData_BIN0003.jpg hwp-stream HWP OLE stream: BinData/BIN0003.jpg 18376 bytes
SHA-256: 04beb1abed85234d5163b131644f2e662bea215fe6af1567521be54713f55a2f
BinData_BIN0004.jpg hwp-stream HWP OLE stream: BinData/BIN0004.jpg 38912 bytes
SHA-256: 5fda3e6f22da1d2bcd7939cc838e010e1f91b547490c6b19a3357a376cc57133
BinData_BIN0005.bmp hwp-stream HWP OLE stream: BinData/BIN0005.bmp 2097152 bytes
SHA-256: 4d522e905d05e768a06c8e1cabda2f1f5a055fb41034e0b91c92a83880f7828c
BinData_BIN0006.jpg hwp-stream HWP OLE stream: BinData/BIN0006.jpg 34131 bytes
SHA-256: e6366367d8a1a08de9a88d1edf73e7a378928a7097174d4390f01aa99ccc7f04
BinData_BIN0007.jpg hwp-stream HWP OLE stream: BinData/BIN0007.jpg 180577 bytes
SHA-256: 1e9c5e42b981c4892df160c19917c5940b02e5c53dda88e95f16e548beacb8fb
BinData_BIN0008.jpg hwp-stream HWP OLE stream: BinData/BIN0008.jpg 328482 bytes
SHA-256: 1b2081ab0184709c8444797430f47f3eb1338d6a2088ab53a14c8ca746829d43
BinData_BIN0009.jpg hwp-stream HWP OLE stream: BinData/BIN0009.jpg 287030 bytes
SHA-256: bce78e23932ceb3842adccec66c7c960b22ad2e4e1da7e28fce556ece3c19b37
BodyText_Section0 hwp-stream HWP OLE stream: BodyText/Section0 375168 bytes
SHA-256: 7a142947cdd6efdf918b2a614346cd511faf35fa61ac6cd293beeedbfb154530
DocInfo hwp-stream HWP OLE stream: DocInfo 41716 bytes
SHA-256: ce95530c6947836d9f6b80f4a31b58858846f69ecdac2fa32e4cffbedf0809c4
Scripts_DefaultJScript hwp-stream HWP OLE stream: Scripts/DefaultJScript 272 bytes
SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4