Win.Trojan.GhostPuppet-6712722-3 — Hangul (OLE) malware analysis

Static analysis result for SHA-256 596fbdf01557c3ec…

MALICIOUS

Hangul (OLE)

Size: 134.0 KB · First seen: 2019-04-18
MD5: cf09201f02f2edb9c555942a2d6b01d4
SHA-1: b9ed5a79b36d4a12f8899c01f9a2c19dd9bb5378
SHA-256: 596fbdf01557c3ec89b345c57ae5d9a0b7251dd8d5a707f7353dd733274c6eb6
Risk Score: 324

Malware Insights

Win.Trojan.GhostPuppet-6712722-3 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution · T1059.007 JavaScript

The HWP file contains embedded PostScript code that utilizes a Ghostscript SAFER bypass (CVE-2017-8291) via a '.eqproc' operator and hex-to-code execution. This pattern is indicative of an exploit that decodes and executes arbitrary code, commonly used to stage further malicious activity. ClamAV also identifies this as Win.Trojan.GhostPuppet-6712722-3.

Heuristics (8)

  • Ghostscript SAFER bypass in HWP/EPS (critical, CVE exact: CVE_2017_8291)
    Detected Ghostscript CVE-2017-8291 exploit primitive: .eqproc. This matches the -dSAFER bypass/type-confusion family used by malicious EPS payloads embedded in HWP documents. The .eqproc operator was found after decoding '<HEX> cvx exec' staging.
  • ClamAV: Win.Trojan.GhostPuppet-6712722-3 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
  • PostScript exec command (critical, HWP_PS_EXEC)
    PostScript 'exec' operator found — can execute arbitrary code
  • PostScript runtime hex-to-code execution (critical, HWP_PS_CVX_EXEC)
    Found 3 '<HEX> cvx exec' sequence(s) — PostScript decoded from hex strings and executed at runtime; classic exploit-staging pattern.
  • Embedded PostScript / EPS (high, HWP_POSTSCRIPT)
    HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
  • PostScript file operation (high, HWP_PS_FILE)
    PostScript file operation found (file/run/deletefile)
  • Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED)
    Inflated 416366 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source stream, size and SHA-256.

  • BinData_BIN0001.png (hwp-stream, 5310 bytes)
    Source: HWP OLE stream: BinData/BIN0001.png
    SHA-256: 0d0614e134c0fb4aea5b9484a93071e0f7826e55e23dc0145e935d42afbcd7a0
  • BinData_BIN0002.bmp (hwp-stream, 322866 bytes)
    Source: HWP OLE stream: BinData/BIN0002.bmp
    SHA-256: be51ca9774dbb149955568d254235ec182d40bcee1e9bd0ce1e16fd85f71a400
  • BinData_BIN0003.jpg (hwp-stream, 21392 bytes)
    Source: HWP OLE stream: BinData/BIN0003.jpg
    SHA-256: a7d40fce911f187312c1267f31e2d2fcd5fdb78f9a4afd415846024cf51d0ddb
  • BinData_BIN0004.PS (hwp-stream, 25538 bytes)
    Source: HWP OLE stream: BinData/BIN0004.PS
    SHA-256: fd9b10831f960db35fd4432cdda3953dbaf8cd9262bf70bd99a8404a5e30291d
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 long base64-like blob(s).
  • BodyText_Section0 (hwp-stream, 686 bytes)
    Source: HWP OLE stream: BodyText/Section0
    SHA-256: 8cfc359ceaafcb909299e907059f3813a10579ec2833a420ac0176879a6ef540
  • BodyText_Section1 (hwp-stream, 14142 bytes)
    Source: HWP OLE stream: BodyText/Section1
    SHA-256: 77f9ce74442e4afe59d4fb5d7019285f2a4a8090409f1d6d7d7b66f584d07f6c
  • BodyText_Section2 (hwp-stream, 3440 bytes)
    Source: HWP OLE stream: BodyText/Section2
    SHA-256: 72a4894b25a61686656e22f4933b77fc45cf090628e0baf7f17cf7691fce160f
  • DocInfo (hwp-stream, 22716 bytes)
    Source: HWP OLE stream: DocInfo
    SHA-256: a30eab38416d5dd4556e9f51a44ad4b0e20e1920945ac2b09ec7f8de64375b44
  • Scripts_DefaultJScript (hwp-stream, 268 bytes)
    Source: HWP OLE stream: Scripts/DefaultJScript
    SHA-256: 1ef5258bef33ff82a45bae4660ff19081c6965f9fb82738911390efff4cda5f5