Win.Trojan.GhostPuppet-6712722-3 Hangul (OLE) malware analysis — malicious · 349b8afa3a1daf49

MALICIOUS

Hangul (OLE)

85.0 KB First seen: 2019-09-30

MD5: 5a7718f70ace857d2f9c9e09ec5d54f1 SHA-1: 1b88a3bb541d541db49d8d67d19956f23fa0f075 SHA-256: 349b8afa3a1daf495e7178b563a7de3f58d6c63140d042cc08be5770d03bd8f5

144 Risk Score

Malware Insights

Win.Trojan.GhostPuppet-6712722-3 · confidence 90%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV, specifically as Win.Trojan.GhostPuppet-6712722-3. Heuristics indicate the presence of embedded PostScript with file operation capabilities (file/run/deletefile), a common technique for executing malicious code or dropping further stages. The embedded JScript, though small, suggests a scripting component is involved in the execution flow.

Heuristics 5

ClamAV: Win.Trojan.GhostPuppet-6712722-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
Embedded PostScript / EPS high HWP_POSTSCRIPT

HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
PostScript file operation high HWP_PS_FILE

PostScript file operation found (file/run/deletefile)
Decompressed OLE-wrapped HWP streams info HWP_COMPRESSED

Inflated 143045 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`BinData_BIN0001.PS`	hwp-stream	HWP OLE stream: BinData/BIN0001.PS	50473 bytes
SHA-256: `0fed3b376c7e266414d6015dbcd23ba92de929b514c5773bd5678b52766435ab`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`BodyText_Section0`	hwp-stream	HWP OLE stream: BodyText/Section0	686 bytes
SHA-256: `b69ccf758d0bf48d0e891639bfd346d1805bc3bf170befa7d1f6a175dc7e2f9c`
`BodyText_Section1`	hwp-stream	HWP OLE stream: BodyText/Section1	80955 bytes
SHA-256: `1535eebfd7503e167b4b200953092da3c9c6d6893c621ab5119a757dfdbe94a1`
`DocInfo`	hwp-stream	HWP OLE stream: DocInfo	10655 bytes
SHA-256: `93ce373a7980404ec3cb01e541f5442118ec38ea4c3c50d28126312e02dc4c74`
`Scripts_DefaultJScript`	hwp-stream	HWP OLE stream: Scripts/DefaultJScript	268 bytes
SHA-256: `1ef5258bef33ff82a45bae4660ff19081c6965f9fb82738911390efff4cda5f5`

Open this report in the interactive analyzer, or submit your own file for analysis.