Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 6d4a79a3b0645a54…

Verdict: MALICIOUS

File type: Hangul (OLE)

Size: 46.9 KB
First seen: 2021-06-13

MD5: f86d39832b825a1dc9caab851a66b38c
SHA-1: 1e47d1b1061b56a92cfffcf450731648213bda77
SHA-256: 6d4a79a3b0645a54e48c710a3eaad4ec30bb80358b11d0cd5ea130a401659464

Risk Score: 64

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The HWP document contains embedded JavaScript, which is a common technique for delivering malicious payloads. The JavaScript likely attempts to download and execute a second-stage payload from one of the extracted URLs, such as http://j5b.kr/bin/h.js. The presence of external URLs further supports the payload delivery hypothesis.

Heuristics (4)

  • JavaScript detected (high, HWP_JAVASCRIPT)
    HWP document contains JavaScript references
  • External URL (medium, HWP_URL)
    Found 5 URL(s) in document
  • Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED)
    Inflated 112181 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.ro521.com/test.htm (HWP document reference)
    • http://j5b.kr/bin/h.js (in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • BodyText_Section0
    Kind: hwp-stream
    Source: HWP OLE stream: BodyText/Section0
    Size: 109138 bytes
    SHA-256: c9689915307b4bb4f296305efcc49df51700f599d5b1b9dde7e793f5f09c3391
  • DocInfo
    Kind: hwp-stream
    Source: HWP OLE stream: DocInfo
    Size: 2763 bytes
    SHA-256: 541583555e34263af54e456a74428ea350c744ef860cc711c3ce05686b426865
  • Scripts_DefaultJScript
    Kind: hwp-stream
    Source: HWP OLE stream: Scripts/DefaultJScript
    Size: 272 bytes
    SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4