Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 3cde54dce88a4544…

MALICIOUS

Hangul (OLE)

Size: 110.5 KB
First seen: 2019-12-10
MD5: e8bf331858b173eac8bd2b2227821022
SHA-1: aa204115d2ea7ddb6f915bc722243246f60f51af
SHA-256: 3cde54dce88a4544bf5ffa36066a184958d4ff74c2e0ce32fdbf91729c0f574e
Risk Score: 364

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1027 Obfuscated Files or Information

This HWP document contains embedded PostScript code that utilizes the 'exec' operator and a CVE-2017-8291 exploit primitive (.eqproc) to bypass Ghostscript's SAFER mode. This pattern is indicative of a staged exploit designed to execute arbitrary code, as confirmed by ClamAV's detection of Win.Trojan.GhostPuppet-6712722-3. The presence of obfuscated hex-encoded PostScript further supports its malicious intent.

Heuristics (9)

  • Ghostscript SAFER bypass in HWP/EPS (critical; CVE exact; rule CVE_2017_8291)
    Detected Ghostscript CVE-2017-8291 exploit primitive: .eqproc. This matches the -dSAFER bypass/type-confusion family used by malicious EPS payloads embedded in HWP documents. The .eqproc operator was found after decoding '<HEX> cvx exec' staging.
  • ClamAV: Win.Trojan.GhostPuppet-6712722-3 (critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
  • PostScript exec command (critical; rule HWP_PS_EXEC)
    PostScript 'exec' operator found — can execute arbitrary code
  • PostScript runtime hex-to-code execution (critical; rule HWP_PS_CVX_EXEC)
    Found 3 '<HEX> cvx exec' sequence(s): PostScript decoded from hex strings and executed at runtime; classic exploit-staging pattern.
  • OLE file has appended executable-looking payload bytes (high; rule OLE_APPENDED_PAYLOAD)
    The OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Embedded PostScript / EPS (high; rule HWP_POSTSCRIPT)
    HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
  • PostScript file operation (high; rule HWP_PS_FILE)
    PostScript file operation found (file/run/deletefile)
  • Decompressed OLE-wrapped HWP streams (info; rule HWP_COMPRESSED)
    Inflated 140616 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • BinData_BIN0001.PS
    Kind: hwp-stream
    Source: HWP OLE stream: BinData/BIN0001.PS
    Size: 25549 bytes
    SHA-256: f94b0508a0c0991be19ec98ab55b509bbb7274763a8c03ebc0abf69bae731c84
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))
  • BodyText_Section0
    Kind: hwp-stream
    Source: HWP OLE stream: BodyText/Section0
    Size: 686 bytes
    SHA-256: b69ccf758d0bf48d0e891639bfd346d1805bc3bf170befa7d1f6a175dc7e2f9c
  • BodyText_Section1
    Kind: hwp-stream
    Source: HWP OLE stream: BodyText/Section1
    Size: 110994 bytes
    SHA-256: 6ab6c207c1ff5f543c85308811ef57061aabc176484bdc5e1163fe88e8ac7801
  • DocInfo
    Kind: hwp-stream
    Source: HWP OLE stream: DocInfo
    Size: 3107 bytes
    SHA-256: abfc1bd5ddd5ddc71765e523b4bb2185720de867a7508a65ef1868e07569068a
  • Scripts_DefaultJScript
    Kind: hwp-stream
    Source: HWP OLE stream: Scripts/DefaultJScript
    Size: 272 bytes
    SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4