Win.Trojan.GhostPuppet-6712722-3 — Hangul (OLE) malware analysis

Static analysis result for SHA-256 349b8afa3a1daf49…

MALICIOUS

File type: Hangul (OLE)
Size: 85.0 KB
First seen: 2019-09-30
MD5: 5a7718f70ace857d2f9c9e09ec5d54f1
SHA-1: 1b88a3bb541d541db49d8d67d19956f23fa0f075
SHA-256: 349b8afa3a1daf495e7178b563a7de3f58d6c63140d042cc08be5770d03bd8f5
Risk Score: 144

Malware Insights

Win.Trojan.GhostPuppet-6712722-3 · confidence 90%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV, specifically as Win.Trojan.GhostPuppet-6712722-3. Heuristics indicate the presence of embedded PostScript with file operation capabilities (file/run/deletefile), a common technique for executing malicious code or dropping further stages. The embedded JScript, though small, suggests a scripting component is involved in the execution flow.

Heuristics 5

  • ClamAV: Win.Trojan.GhostPuppet-6712722-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
  • Embedded PostScript / EPS high HWP_POSTSCRIPT
    HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
  • PostScript file operation high HWP_PS_FILE
    PostScript file operation found (file/run/deletefile)
  • Decompressed OLE-wrapped HWP streams info HWP_COMPRESSED
    Inflated 143045 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • BinData_BIN0001.PS (hwp-stream), source: HWP OLE stream BinData/BIN0001.PS, size: 50473 bytes
    SHA-256: 0fed3b376c7e266414d6015dbcd23ba92de929b514c5773bd5678b52766435ab
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).
  • BodyText_Section0 (hwp-stream), source: HWP OLE stream BodyText/Section0, size: 686 bytes
    SHA-256: b69ccf758d0bf48d0e891639bfd346d1805bc3bf170befa7d1f6a175dc7e2f9c
  • BodyText_Section1 (hwp-stream), source: HWP OLE stream BodyText/Section1, size: 80955 bytes
    SHA-256: 1535eebfd7503e167b4b200953092da3c9c6d6893c621ab5119a757dfdbe94a1
  • DocInfo (hwp-stream), source: HWP OLE stream DocInfo, size: 10655 bytes
    SHA-256: 93ce373a7980404ec3cb01e541f5442118ec38ea4c3c50d28126312e02dc4c74
  • Scripts_DefaultJScript (hwp-stream), source: HWP OLE stream Scripts/DefaultJScript, size: 268 bytes
    SHA-256: 1ef5258bef33ff82a45bae4660ff19081c6965f9fb82738911390efff4cda5f5