Verdict: MALICIOUS
Risk Score: 106

Malware Insights

MITRE ATT&CK
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
The sample is an OLE file that contains JavaScript, which is a strong indicator of malicious intent. The presence of an appended payload and high-entropy carved artifacts further suggests that the document is designed to download and execute a second-stage payload. The embedded URLs, while benign, are part of the document's structure.
Heuristics (6)

- OLE file has appended executable-looking payload bytes (high, OLE_APPENDED_PAYLOAD): the OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- JavaScript detected (high, HWP_JAVASCRIPT): the HWP document contains JavaScript references.
- External URL (medium, HWP_URL): found 16 URL(s) in the document.
- Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED): inflated 7408116 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (HWP document reference)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/g/img/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ManifestItem# (in document text, OLE body)
  - http://ns.adobe.com/illustrator/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/pdf/1.3/ (in document text, OLE body)
Extracted artifacts (29)

Files carved from inside the sample during analysis. The Detection column is shown only where the analyzer ran ClamAV and the obfuscation/payload check on that artifact.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| BinData_BIN0001.jpg | hwp-stream | HWP OLE stream: BinData/BIN0001.jpg | 6656 bytes | c99ff36c6766f6c8480f0788bf880e72be9dbf6cc475d47813e6b10ac28f1eb7 | |
| BinData_BIN0002.png | hwp-stream | HWP OLE stream: BinData/BIN0002.png | 120077 bytes | 0b8c610ca8a917dcfa904069a47a180faa39654e7d2c64cc823bb257eb6a207d | |
| BinData_BIN0003.png | hwp-stream | HWP OLE stream: BinData/BIN0003.png | 490050 bytes | 4636303f398ad9e48b44dc4ef43e55b4eabd621330f178ffd36784037d55ee31 | |
| BinData_BIN0004.jpg | hwp-stream | HWP OLE stream: BinData/BIN0004.jpg | 412588 bytes | 7890231af1aa09e38a6e801423a719b6c428f7df113f8e701c19cdd6d3cdd474 | |
| BinData_BIN0005.jpg | hwp-stream | HWP OLE stream: BinData/BIN0005.jpg | 9410 bytes | bf07c1600072aa3439c5d205d7407accd2ca25f6a2d4eb90913f13763712afb6 | |
| BinData_BIN0006.jpg | hwp-stream | HWP OLE stream: BinData/BIN0006.jpg | 4408 bytes | bd703c8a88670edf45a43f3320d452e30a48b0175559aa6bc8219209e4acf8b7 | |
| BinData_BIN0007.bmp | hwp-stream | HWP OLE stream: BinData/BIN0007.bmp | 282462 bytes | 47e6ef1ca2d3a8f91c5734ccf0faf709faa143cf4c353c702fbd7bdcfde87897 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.63, consistent with packed or encrypted content). |
| BinData_BIN0008.bmp | hwp-stream | HWP OLE stream: BinData/BIN0008.bmp | 236262 bytes | 0c3e06f3b79e3ac99a8117ba9d1b34c874e3fdd6793c0cff7360b8a87d7286c7 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.61, consistent with packed or encrypted content). |
| BinData_BIN0009.bmp | hwp-stream | HWP OLE stream: BinData/BIN0009.bmp | 677334 bytes | 3765095126608d204c294a7ce319c57250f0ae028583fed8612b019f9d5eba43 | |
| BinData_BIN000A.bmp | hwp-stream | HWP OLE stream: BinData/BIN000A.bmp | 128342 bytes | 9106068177bc8d89440631c91a1f04ed99d4398df5aa6a89e38b2ec4dfa00562 | |
| BinData_BIN000B.bmp | hwp-stream | HWP OLE stream: BinData/BIN000B.bmp | 224182 bytes | c3bd526a59a958ca59e5ec7345ae6fb52aab08f8c7ece21b51b36c9e19b88783 | |
| BinData_BIN000C.bmp | hwp-stream | HWP OLE stream: BinData/BIN000C.bmp | 123318 bytes | fc7aeaaf927e643865b87fd69a5abe727b848f57e22ba5ba46461ab579b6f9e9 | |
| BinData_BIN000D.bmp | hwp-stream | HWP OLE stream: BinData/BIN000D.bmp | 118350 bytes | 51023d7003c1efdb89debb8827394deee9a5d2fc80efa26aba6a5c63dd0b3015 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.85, consistent with packed or encrypted content). |
| BinData_BIN000E.bmp | hwp-stream | HWP OLE stream: BinData/BIN000E.bmp | 124302 bytes | b6249531b7f840dba043ee4600187abf3078777be44f60e10e2e35ae7963795c | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.78, consistent with packed or encrypted content). |
| BinData_BIN000F.bmp | hwp-stream | HWP OLE stream: BinData/BIN000F.bmp | 1101814 bytes | 45d51e396204882f517d9eb6d33284e26506bd2b753d183aab1f81e22bfce9d0 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.53, consistent with packed or encrypted content). |
| BinData_BIN0010.bmp | hwp-stream | HWP OLE stream: BinData/BIN0010.bmp | 111318 bytes | 687f1ecd77ccccc48b4db5d14d8b98385762bf820c4ba396ef41621f547a7dbb | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.62, consistent with packed or encrypted content). |
| BinData_BIN0011.bmp | hwp-stream | HWP OLE stream: BinData/BIN0011.bmp | 107798 bytes | 68bc5da8cef1729172f3b4bcc97f9eccbde63e2ece1c102bdcd92af7d269a72f | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.49, consistent with packed or encrypted content). |
| BinData_BIN0012.bmp | hwp-stream | HWP OLE stream: BinData/BIN0012.bmp | 185286 bytes | 8389e744594e4cfc637204774d71ba6e17720f0f5841a7d383c0be03b2e0c5aa | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.62, consistent with packed or encrypted content). |
| BinData_BIN0013.bmp | hwp-stream | HWP OLE stream: BinData/BIN0013.bmp | 96822 bytes | 4c52eba8ab7a6ca4fa915191ce4f7006056ed52c2203b45e87f1d353a5c399e8 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.92, consistent with packed or encrypted content). |
| BinData_BIN0014.jpg | hwp-stream | HWP OLE stream: BinData/BIN0014.jpg | 14247 bytes | f705244cfb0b53a68eea2786781c8267ab4c841b908da209dfab83dcfdf3dbdd | |
| BinData_BIN0015.bmp | hwp-stream | HWP OLE stream: BinData/BIN0015.bmp | 2097152 bytes | 4d522e905d05e768a06c8e1cabda2f1f5a055fb41034e0b91c92a83880f7828c | |
| BinData_BIN0016.bmp | hwp-stream | HWP OLE stream: BinData/BIN0016.bmp | 131354 bytes | 4ffc77ae22f68a1e372101010561840058fd2bab5f43a0125711ca3fb22b65e6 | |
| BinData_BIN0017.jpg | hwp-stream | HWP OLE stream: BinData/BIN0017.jpg | 33792 bytes | 0043fd19880b861ddbdd7bd0ffd6863b35b4db95c27049f8e19e16306dc84363 | |
| BinData_BIN0018.bmp | hwp-stream | HWP OLE stream: BinData/BIN0018.bmp | 157494 bytes | 0cfee3f4d5a4c841b96f53cb1a04199a7e7f74ca2b5827370db8ef9b2e46cc19 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.52, consistent with packed or encrypted content). |
| BinData_BIN0019.jpg | hwp-stream | HWP OLE stream: BinData/BIN0019.jpg | 18376 bytes | 04beb1abed85234d5163b131644f2e662bea215fe6af1567521be54713f55a2f | |
| BinData_BIN001A.bmp | hwp-stream | HWP OLE stream: BinData/BIN001A.bmp | 187254 bytes | bd007767f0aef7a98085f51c0c8a89743007b16f2eeba614c66b0c9bf1fbffd9 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.71, consistent with packed or encrypted content). |
| BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 175407 bytes | ee57d92d83223d3755060a31d892b6355aa68e2b735f7d39318272ad28364536 | |
| DocInfo | hwp-stream | HWP OLE stream: DocInfo | 31981 bytes | bdc33d76064988a94e747912617c82cd01013837553c5a661ce1bff8fe1421c0 | |
| Scripts_DefaultJScript | hwp-stream | HWP OLE stream: Scripts/DefaultJScript | 272 bytes | e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4 | |