Win.Trojan.GhostPuppet-6712722-3 — Hangul (OLE) malware analysis

Static analysis result for SHA-256 485f77e5d32de5dc…

MALICIOUS

Hangul (OLE)

Size: 3.64 MB · First seen: 2019-05-16
MD5: 69ad5bd4b881d6d1fdb7b19939903e0b
SHA-1: 60acdff3451235a949b8a931287ba31e44efe2f9
SHA-256: 485f77e5d32de5dc05510743025a75af5b6f714e930e22098490b7afb71b737f
Risk Score: 346

Malware Insights

Win.Trojan.GhostPuppet-6712722-3 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The HWP document contains embedded PostScript code that utilizes a Ghostscript SAFER bypass (CVE-2017-8291) to execute arbitrary code. This is a classic exploit-staging pattern involving hex-decoded runtime execution. The ClamAV detection confirms this is a known malicious Trojan, likely GhostPuppet, which typically downloads and executes further payloads.

Heuristics 10

  • Ghostscript SAFER bypass in HWP/EPS [critical; CVE exact: CVE_2017_8291]
    Detected Ghostscript CVE-2017-8291 exploit primitive: .eqproc. This matches the -dSAFER bypass/type-confusion family used by malicious EPS payloads embedded in HWP documents. The .eqproc operator was found after decoding '<HEX> cvx exec' staging.
  • ClamAV: Win.Trojan.GhostPuppet-6712722-3 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
  • PostScript exec command [critical; HWP_PS_EXEC]
    PostScript 'exec' operator found — can execute arbitrary code
  • PostScript runtime hex-to-code execution [critical; HWP_PS_CVX_EXEC]
    Found 3 '<HEX> cvx exec' sequence(s) — PostScript decoded from hex strings and executed at runtime; classic exploit-staging pattern.
  • Embedded PostScript / EPS [high; HWP_POSTSCRIPT]
    HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
  • PostScript file operation [high; HWP_PS_FILE]
    PostScript file operation found (file/run/deletefile)
  • External URL [medium; HWP_URL]
    Found 14 URL(s) in document
  • Decompressed OLE-wrapped HWP streams [info; HWP_COMPRESSED]
    Inflated 4278336 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.iec.ch [HWP document reference]
    • http://ns.adobe.com/xap/1.0/ [In document text (OLE body)]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In document text (OLE body)]
    • http://ns.adobe.com/exif/1.0/aux/ [In document text (OLE body)]
    • http://ns.adobe.com/photoshop/1.0/ [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/ [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# [In document text (OLE body)]
    • http://purl.org/dc/elements/1.1/ [In document text (OLE body)]

Extracted artifacts 29

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
BinData_BIN0001.png hwp-stream HWP OLE stream: BinData/BIN0001.png 5310 bytes
SHA-256: 0d0614e134c0fb4aea5b9484a93071e0f7826e55e23dc0145e935d42afbcd7a0
BinData_BIN0002.bmp hwp-stream HWP OLE stream: BinData/BIN0002.bmp 322866 bytes
SHA-256: be51ca9774dbb149955568d254235ec182d40bcee1e9bd0ce1e16fd85f71a400
BinData_BIN0003.jpg hwp-stream HWP OLE stream: BinData/BIN0003.jpg 21392 bytes
SHA-256: a7d40fce911f187312c1267f31e2d2fcd5fdb78f9a4afd415846024cf51d0ddb
BinData_BIN0004.png hwp-stream HWP OLE stream: BinData/BIN0004.png 151526 bytes
SHA-256: 36de553a13f372b7505bd36eacb94d56ff314fd48ed357cd113ae4dffa08bc0b
BinData_BIN0005.png hwp-stream HWP OLE stream: BinData/BIN0005.png 113015 bytes
SHA-256: dab29340d2ef7367660aa34d91e6768177ffeeb712f2eb7459d9b3acf48c8ee2
BinData_BIN0006.jpg hwp-stream HWP OLE stream: BinData/BIN0006.jpg 8392 bytes
SHA-256: 24204663db757948d2c9204a30abe32ec5dbbe3417bbad2f33b5c8022c9af910
BinData_BIN0007.png hwp-stream HWP OLE stream: BinData/BIN0007.png 128826 bytes
SHA-256: bfea78d907364ff5e8f80b730689e170f1ba6e3872d164c1f168205b160d2cd4
BinData_BIN0008.bmp hwp-stream HWP OLE stream: BinData/BIN0008.bmp 308502 bytes
SHA-256: 844920f5e907ff090989779e81fccd3640ee8e7acb072e0e10f5c1c7523be727
BinData_BIN0009.png hwp-stream HWP OLE stream: BinData/BIN0009.png 161496 bytes
SHA-256: 9ec3d8d410338301c36d0139ce28e237b2bcf42f3528322761a7986a7e42e53c
BinData_BIN000A.png hwp-stream HWP OLE stream: BinData/BIN000A.png 139617 bytes
SHA-256: b7b4d6e7287ccbd912ad480cdfadf8f27a21c694cf3be48af72cb6b9cf14f7d9
BinData_BIN000B.png hwp-stream HWP OLE stream: BinData/BIN000B.png 172438 bytes
SHA-256: 4ecc6ac6a06933b496789773a22767eb15e56cef0be1b6809d26eaeacd9c357e
BinData_BIN000C.png hwp-stream HWP OLE stream: BinData/BIN000C.png 157163 bytes
SHA-256: b0e80c2039c9cc1103165bac980a4e3948206a26e40ed1aced4b2dfc2f0d0c26
BinData_BIN000D.png hwp-stream HWP OLE stream: BinData/BIN000D.png 157790 bytes
SHA-256: 99e8794b65c02e39327c4079202d7e9985012669bb54a07019d4f68c5ac9fb2c
BinData_BIN000E.png hwp-stream HWP OLE stream: BinData/BIN000E.png 150351 bytes
SHA-256: 5465a33b2031e135cecb7a4264742d26d667244adea8f5eebb3bed2763776c86
BinData_BIN000F.png hwp-stream HWP OLE stream: BinData/BIN000F.png 103977 bytes
SHA-256: 00409114299f339aca405a318e6aa49d3fe0fe9bcfb8227606e498181cf537d9
BinData_BIN0010.png hwp-stream HWP OLE stream: BinData/BIN0010.png 136597 bytes
SHA-256: 0e6a9180ff2153d12955378029501603aef3895a469d548c6adc049794d98a8f
BinData_BIN0011.png hwp-stream HWP OLE stream: BinData/BIN0011.png 105166 bytes
SHA-256: 725bd37ea158f301082220db4bb2879405ba7c59fd974436d94e945ef48686b4
BinData_BIN0012.png hwp-stream HWP OLE stream: BinData/BIN0012.png 152974 bytes
SHA-256: 2173c7a1d2f33a0e7a3f8b4f9d545a88d175628f8fce3732519fd45d1f470491
BinData_BIN0013.png hwp-stream HWP OLE stream: BinData/BIN0013.png 150992 bytes
SHA-256: 889f6b8933fd395e03b2eef01dd7cccb76ea8187b80d7a206c603105914110f1
BinData_BIN0014.png hwp-stream HWP OLE stream: BinData/BIN0014.png 139722 bytes
SHA-256: f248a0eebf4141ffdbc442a83ef402f3d47b394b6c5d5a4c036eec35e6d9fdd2
BinData_BIN0015.jpg hwp-stream HWP OLE stream: BinData/BIN0015.jpg 908007 bytes
SHA-256: f7352b8f85b5b699ccd522c61342b0624d84e051fe995ece638b92273915540d
BinData_BIN0016.png hwp-stream HWP OLE stream: BinData/BIN0016.png 180907 bytes
SHA-256: ddd47fdb3bfd5a3e8ac9561ca172d57afde5f50188778eb4d82f49dba7d786bd
BinData_BIN0017.png hwp-stream HWP OLE stream: BinData/BIN0017.png 107972 bytes
SHA-256: c788da84fb77ee8c5432e6eb8d07b47dddf93e8811baf29e7100129510a6578d
BinData_BIN0018.png hwp-stream HWP OLE stream: BinData/BIN0018.png 132392 bytes
SHA-256: 9795b7ab9373e15e55c7ef0f30a204b35be1054c5864cf48c9357af77223d180
BinData_BIN0019.PS hwp-stream HWP OLE stream: BinData/BIN0019.PS 25538 bytes
SHA-256: 7424b7a3767d19edeff8c4bf00df263bacc76a30c719c359834e371e4aa530a9
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 2 long base64-like blob(s).
BodyText_Section0 hwp-stream HWP OLE stream: BodyText/Section0 686 bytes
SHA-256: 36695924c250c2ce3775221aa520b073ea4328a27891315f5d2becd65faaee94
BodyText_Section1 hwp-stream HWP OLE stream: BodyText/Section1 100547 bytes
SHA-256: d607ddcb7b122af0bd14a87d60af668457d7450d082c1efc424c2c8d49830d34
DocInfo hwp-stream HWP OLE stream: DocInfo 33899 bytes
SHA-256: 97e3955a0df09152ee0243709cd0abd81202f84274ab035f05acf9c4c4314877
Scripts_DefaultJScript hwp-stream HWP OLE stream: Scripts/DefaultJScript 268 bytes
SHA-256: 1ef5258bef33ff82a45bae4660ff19081c6965f9fb82738911390efff4cda5f5