Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 58cda590b2173736…

MALICIOUS

Hangul (OLE)

89.5 KB First seen: 2021-02-23
MD5: b326a341b039e6ad270dda00aa85c572
SHA-1: 38a09bdbc5a6e82dae05b59db8e2595b9c3a5b28
SHA-256: 58cda590b2173736d919bc666b5f08bafd8e33d3516d045070c765106a741dac
Risk Score: 104

Heuristics (4)

  • Shell command reference critical HWP_SHELL_CMD
    Found reference to 'WScript' in document
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Decompressed OLE-wrapped HWP streams info HWP_COMPRESSED
    Inflated 149401 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/SMI/2005/WindowsSettings In document text (OLE body)

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
BinData_BIN0001.png | hwp-stream | HWP OLE stream: BinData/BIN0001.png | 9218 bytes
  SHA-256: 125f18f530ca627208087335f8fb8969dd2411fb38508eee41ed984f18db41df
BinData_BIN0002.png | hwp-stream | HWP OLE stream: BinData/BIN0002.png | 386 bytes
  SHA-256: 113ff7f1753eb2ff765d427c906935e74ca2273dd4b8e2feada7e8396fcbfb75
BinData_BIN0003.OLE | hwp-stream | HWP OLE stream: BinData/BIN0003.OLE | 3076 bytes
  SHA-256: 91d514fd35fdb42132ef642eba3d1355b3ba9758ca9ed9cf2a3b0f1270456828
BinData_BIN0004.OLE | hwp-stream | HWP OLE stream: BinData/BIN0004.OLE | 110084 bytes
  SHA-256: 4f7e13849f7e23cb88b3ce8874eee9051688b519442e8b1b844f288b00af01fa
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_WINEXEC, SC_STR_GETPROCADDRESS
    Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, CreateThread, GetProcAddress, ExitProcess
BinData_BIN0005.OLE | hwp-stream | HWP OLE stream: BinData/BIN0005.OLE | 3588 bytes
  SHA-256: 6684b680c03fb7a331f6d72658172397bf36522d2344abc2b1f37b0311a77cc8
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis recovered command string(s): WScript.Shell")
BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 6868 bytes
  SHA-256: b0b2b16449834a713d9d0a6784e323b15d9ae0db7f5cce1a3e391152a87d728e
DocInfo | hwp-stream | HWP OLE stream: DocInfo | 16153 bytes
  SHA-256: 1c7bf580f02e51384aee151b14fd1f3833eb63e5cfbeb711551a62ecc5d2d8c4