Verdict: MALICIOUS
Risk Score: 64
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The OLE file has an appended executable payload, indicating it is designed to deliver malware. While several URLs were extracted, they are all confirmed benign and likely related to document metadata. No scripts were extracted, and the document body was unreadable, preventing a more specific analysis of the attack pattern or family. The presence of an appended payload strongly suggests a downloader or dropper functionality.
Heuristics (4)
- OLE file has appended executable-looking payload bytes (severity: high, rule: OLE_APPENDED_PAYLOAD): the OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- External URL (severity: medium, rule: HWP_URL): found 59 URL(s) in the document.
- Decompressed OLE-wrapped HWP streams (severity: info, rule: HWP_COMPRESSED): inflated 3767793 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.
- Embedded URL (severity: info, rule: EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (HWP document reference)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://www.iec.ch (in document text, OLE body)
Extracted artifacts (12)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| BinData_BIN0001.jpg | hwp-stream | HWP OLE stream: BinData/BIN0001.jpg | 182277 bytes | 79be4f09bbf572c3a4efb44181d44c18c2bbb8623c2109ae11bd1c19f8f9c46b |
| BinData_BIN0002.jpg | hwp-stream | HWP OLE stream: BinData/BIN0002.jpg | 183692 bytes | 72d31b1ee432fd41e9ba82829742aa677274d4e9e671395c26142a1f40474238 |
| BinData_BIN0003.jpg | hwp-stream | HWP OLE stream: BinData/BIN0003.jpg | 18376 bytes | 04beb1abed85234d5163b131644f2e662bea215fe6af1567521be54713f55a2f |
| BinData_BIN0004.jpg | hwp-stream | HWP OLE stream: BinData/BIN0004.jpg | 38912 bytes | 5fda3e6f22da1d2bcd7939cc838e010e1f91b547490c6b19a3357a376cc57133 |
| BinData_BIN0005.bmp | hwp-stream | HWP OLE stream: BinData/BIN0005.bmp | 2097152 bytes | 4d522e905d05e768a06c8e1cabda2f1f5a055fb41034e0b91c92a83880f7828c |
| BinData_BIN0006.jpg | hwp-stream | HWP OLE stream: BinData/BIN0006.jpg | 34131 bytes | e6366367d8a1a08de9a88d1edf73e7a378928a7097174d4390f01aa99ccc7f04 |
| BinData_BIN0007.jpg | hwp-stream | HWP OLE stream: BinData/BIN0007.jpg | 180577 bytes | 1e9c5e42b981c4892df160c19917c5940b02e5c53dda88e95f16e548beacb8fb |
| BinData_BIN0008.jpg | hwp-stream | HWP OLE stream: BinData/BIN0008.jpg | 328482 bytes | 1b2081ab0184709c8444797430f47f3eb1338d6a2088ab53a14c8ca746829d43 |
| BinData_BIN0009.jpg | hwp-stream | HWP OLE stream: BinData/BIN0009.jpg | 287030 bytes | bce78e23932ceb3842adccec66c7c960b22ad2e4e1da7e28fce556ece3c19b37 |
| BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 375168 bytes | 7a142947cdd6efdf918b2a614346cd511faf35fa61ac6cd293beeedbfb154530 |
| DocInfo | hwp-stream | HWP OLE stream: DocInfo | 41716 bytes | ce95530c6947836d9f6b80f4a31b58858846f69ecdac2fa32e4cffbedf0809c4 |
| Scripts_DefaultJScript | hwp-stream | HWP OLE stream: Scripts/DefaultJScript | 272 bytes | e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4 |