Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 6067f6d4a8e0fc96…

MALICIOUS

Hangul (OLE)

Size: 13.7 KB
First seen: 2020-08-10
MD5: c820f1d62c920ba3e2222932898e8810
SHA-1: be299bf389e7cdd0e5b989a6135b66a25aa9cdec
SHA-256: 6067f6d4a8e0fc965ef91130c9d4794327be3d86f7c44fc6822ee85def00cfc8
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

The HWP document carries JavaScript references (HWP_JAVASCRIPT) together with external URLs (HWP_URL), a combination consistent with steering the user toward attacker-controlled content. The most plausible purposes of the script and the URLs are fetching and executing a second-stage payload or harvesting credentials. Both indicators come from static inspection of the inflated OLE streams; the script was not executed, so its exact runtime behaviour is not established by this analysis. The file type and the indicators fit delivery as a spearphishing attachment (T1566.001), which is how HWP lures are typically distributed.

Heuristics (4)

  • JavaScript detected [high] HWP_JAVASCRIPT
    HWP document contains JavaScript references
  • External URL [medium] HWP_URL
    Found 3 URL(s) in document
  • Decompressed OLE-wrapped HWP streams [info] HWP_COMPRESSED
    Inflated 15070 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://www.ro521.com/test.htm (HWP document reference)
      • http://j5b.kr/bin/h.js (in document text, OLE body)
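The HWP_COMPRESSED, HWP_URL and HWP_JAVASCRIPT heuristics above all rest on one mechanic: an HWP 5.0 file is an OLE compound document whose DocInfo, BodyText/Section*, Scripts/* and BinData/* streams are stored as raw deflate (zlib with no header), and its body text is UTF-16LE, so a URL in the body is invisible to a plain byte search until the stream is inflated and the NUL-padded text is widened back to ASCII. The following Python is an added example written for this report, not the analysis engine's code. It inflates streams the way HWP requires, scans each stream in both its byte view and its UTF-16LE text view, and builds constructed stand-in streams (reusing the two URLs the report lists, not bytes from the real sample) so it runs offline. The olefile dependency, the set of stream-name prefixes treated as compressed and the JavaScript marker list are assumptions.

```python
"""Inflate HWP 5.0 OLE streams and scan them for URLs and JavaScript markers.

Added example, not the analysis engine's code. Assumptions (not from the
report): HWP 5.0 stores DocInfo, BodyText/Section*, Scripts/* and BinData/*
as raw-deflate streams when the FileHeader "compressed" flag is set, and body
text is UTF-16LE. `olefile` is third-party and only needed by scan_hwp_file().
"""
import re
import zlib

# Stream names HWP compresses (assumption; FileHeader and PrvText are not).
COMPRESSED_PREFIXES = ("DocInfo", "BodyText/", "Scripts/", "BinData/")

URL_RE = re.compile(rb"(?:https?|ftp)://[\w.\-]+(?::\d+)?(?:/[\w./?=&%#+\-]*)?", re.I)
# Marker list is an illustrative assumption, not the engine's rule set.
JS_MARKERS = (b"DefaultJScript", b"function ", b"ActiveXObject", b"eval(", b"WScript.Shell")


def inflate_stream(data: bytes) -> bytes:
    """Decompress an HWP stream: raw deflate first (wbits=-15), then a
    zlib-wrapped stream, then give the bytes back unchanged (uncompressed file)."""
    for wbits in (-15, zlib.MAX_WBITS):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return data


def scan_stream(name: str, raw: bytes) -> dict:
    """Inflate if the stream name is one HWP compresses, then look for URLs and
    JavaScript markers in both the byte view and the UTF-16LE text view."""
    data = inflate_stream(raw) if name.startswith(COMPRESSED_PREFIXES) else raw
    # Widen UTF-16LE body text so "h\x00t\x00t\x00p\x00" becomes "http".
    text_view = data.decode("utf-16-le", errors="ignore").encode("utf-8", errors="ignore")
    urls, markers = set(), set()
    for view in (data, text_view):
        urls.update(m.decode("ascii", "ignore").rstrip(".") for m in URL_RE.findall(view))
        markers.update(mk.decode("ascii") for mk in JS_MARKERS if mk in view)
    return {"stream": name, "inflated_size": len(data),
            "urls": sorted(urls), "js_markers": sorted(markers)}


def scan_hwp_file(path: str) -> list:
    """Walk every stream of an OLE-wrapped HWP file on disk. Requires the
    third-party `olefile` package (assumed installed); imported lazily so the
    rest of the module runs without it."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return [scan_stream("/".join(parts), ole.openstream(parts).read())
                for parts in ole.listdir(streams=True, storages=False)]
    finally:
        ole.close()


def _raw_deflate(data: bytes) -> bytes:
    """Compress the way HWP does (no zlib header); used only for the sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def demo() -> list:
    """Constructed stand-in streams (not bytes from the real sample): a
    UTF-16LE body containing the two URLs the report lists, a script stream
    with a hypothetical handler, and an uncompressed FileHeader."""
    body = "Download the form: http://www.ro521.com/test.htm and http://j5b.kr/bin/h.js".encode("utf-16-le")
    script = 'function OnDocument_Open() { var o = new ActiveXObject("WScript.Shell"); }'.encode("utf-16-le")
    streams = {
        "FileHeader": b"HWP Document File V5.00 \x1a\x01\x02\x03\x04" + b"\x00" * 200,
        "BodyText/Section0": _raw_deflate(body),
        "Scripts/DefaultJScript": _raw_deflate(script),
    }
    return [scan_stream(name, raw) for name, raw in streams.items()]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run against a real file with `scan_hwp_file("sample.hwp")`; the per-stream output names the channel that reached each URL (body text versus Scripts stream), which is the distinction the EMBEDDED_URL heuristic draws. Scanning the raw byte view as well as the widened view matters because BinData streams often hold ASCII (OLE objects, EPS) rather than UTF-16LE text.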

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename            Kind        Source                              Size
BodyText_Section0   hwp-stream  HWP OLE stream: BodyText/Section0   11524 bytes
                    SHA-256: cdefb5504fc646eb889540c75ef6ec063dc8115ba0ecf3e661d6f18130f02501
DocInfo             hwp-stream  HWP OLE stream: DocInfo             3518 bytes
                    SHA-256: e805fcc9f7d0c63e47e0b3ea251593bd5efb6cfacfca992f99e64e9bcedb19b6