Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 6f5161cbab1ea376…

MALICIOUS

Hangul (OLE)

Size: 212.2 KB (217,306 bytes)   First seen: 2015-09-20
MD5: 008a1b8b7b07e1a5defbb2638e658e30
SHA-1: f9a862c1b88c4321afb6392ad53a847e117958f7
SHA-256: 6f5161cbab1ea3761b636c62d9dea71b1abac7f98967f6611ce67a17640a6cfa
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

The file is an OLE compound document wrapping an HWP (Hangul) document. Two container-level heuristics fire on it: 146,112 of its 217,306 bytes (67%) sit in sector slack that no declared stream accounts for, and that region holds high-entropy bytes with executable-looking markers. Together these point to a dropper that carries its second stage inside the document rather than a plain lure. No URL or command is readable: the only script recovered, Scripts/DefaultJScript, is a 140-byte stub whose OnDocument_New handler is empty, so the T1059.007 mapping rests on that stream's presence alone. The most likely purpose is to stage and execute a secondary malicious payload; that is inferred from the appended executable content, not observed in a sandbox, and spearphishing (T1566.001) is the presumed delivery path for a Hangul document of this kind rather than a confirmed one.

Heuristics (3)

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    The OLE file is 217,306 bytes but its directory declares streams totalling only 71,194 bytes, so 146,112 bytes (67%) sit in sector slack that no stream reaches. A conforming parser never reads slack, which is what makes it the canonical hiding place for pre-macro-era Office and HWP exploit payloads: XOR-encoded shellcode that a parser memory-corruption bug (typically a corrupted pointer in the document structure) redirects execution into. The 67% is measured against declared stream bytes, so it also counts the header, FAT and directory sectors; at this file size that overhead is a handful of sectors and does not change the picture.
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    The compound file contains a large high-entropy region outside the declared major streams, and that region carries shellcode, PE or loader-API markers. This is a payload-carrier signal, not by itself attribution to a specific CVE; it should be read together with the slack anomaly above, since the two describe the same region.
  • Decompressed OLE-wrapped HWP streams info HWP_COMPRESSED
    Inflated 10,485,760 bytes from the BinData, Scripts, BodyText and DocInfo streams of the OLE-wrapped HWP for content analysis. That total is exactly 10 MiB, and the largest single artifact below (BodyText/Section1) is exactly 2 MiB, so both figures read as inflater budgets rather than true inflated sizes. Since all declared streams fit in 71,194 bytes, the inflation ratio for Section1 alone exceeds 29:1, which is consistent with long runs of repeated bytes in the compressed sections.
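The two container heuristics above reduce to one measurement: what the compound-file directory declares versus what the file physically contains. The following is an added example, not the analyser's code and not anything carried on this page. It parses a CFB header, FAT and directory, totals the declared stream sizes, collects every sector the FAT leaves unallocated, and scores the entropy of that slack region. The thresholds in heuristics() (50% unaccounted, entropy 7.0), the sample document built by build_sample(), and the JUNK region standing in for an appended payload are assumptions made for the example; DIFAT sectors beyond the 109 header slots are not followed, which is fine for files up to roughly 7 MB.

```python
import math
import struct
from collections import Counter

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM, STREAM_OBJ, ROOT_OBJ = 0xFFFFFFFF, 2, 5


def shannon_entropy(buf):
    """Bits per byte; 8.0 means every byte value is equally frequent (packed/encrypted-looking)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def analyze_cfb(data):
    """Compare what the compound-file directory declares with what the file physically holds."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    major = struct.unpack_from("<H", data, 26)[0]
    ssz = 1 << struct.unpack_from("<H", data, 30)[0]             # 512-byte sectors for v3, 4096 for v4
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    # Only the 109 DIFAT slots in the header are followed, enough for files up to roughly 7 MB.
    fat = []
    for sid in struct.unpack_from("<109I", data, 76)[:num_fat]:
        if sid == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), data, (sid + 1) * ssz))
    # Walk the directory chain and total the sizes declared for stream objects (type 2).
    declared, sid, seen = 0, first_dir, set()
    while sid < len(fat) and sid not in seen:
        seen.add(sid)
        for ent in range((sid + 1) * ssz, (sid + 2) * ssz, 128):
            if ent + 128 > len(data):
                break
            size = struct.unpack_from("<Q", data, ent + 120)[0]
            if major == 3:
                size &= 0xFFFFFFFF                                   # v3 writers leave the high dword undefined
            if data[ent + 66] == STREAM_OBJ:
                declared += size
        sid = fat[sid]
    # Sectors that exist in the file but that the FAT marks free (or does not cover) are slack: no
    # directory entry can reach them, so a conforming parser never reads them, yet they ship with the file.
    sectors_in_file = len(data) // ssz - 1
    slack_sids = [s for s in range(sectors_in_file) if s >= len(fat) or fat[s] == FREESECT]
    slack = b"".join(data[(s + 1) * ssz:(s + 2) * ssz] for s in slack_sids)
    unaccounted = len(data) - declared                               # the report's framing: file size minus declared streams
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "unaccounted_bytes": unaccounted,
        "unaccounted_pct": round(100.0 * unaccounted / len(data), 1),
        "slack_sectors": len(slack_sids),
        "slack_bytes": len(slack),
        "slack_entropy": round(shannon_entropy(slack), 2),
    }


def heuristics(report, slack_pct=50.0, entropy_floor=7.0):
    """Assumed thresholds (not the report's): raise the two container findings listed above."""
    hits = []
    if report["unaccounted_pct"] >= slack_pct:
        hits.append("OLE_SLACK_ANOMALY")
    if report["slack_bytes"] and report["slack_entropy"] >= entropy_floor:
        hits.append("OLE_APPENDED_PAYLOAD")
    return hits


def _dirent(name, otype, child, start, size):
    """One 128-byte directory entry: UTF-16LE name, type/colour/siblings at 64..79, start sector and size at 116."""
    e = bytearray(128)
    wname = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(wname)] = wname
    struct.pack_into("<HBBIII", e, 64, len(wname), otype, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 116, start, size)
    return bytes(e)


def build_sample(appended=b""):
    """Constructed v3 compound file (not the analysed sample): FAT in sector 0, directory in
    sector 1, one 5000-byte 'BodyText' stream in sectors 2-11, then `appended` outside the FAT."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)       # minor, major, byte order, sector shift, mini shift
    struct.pack_into("<8I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)  # counts, first dir, cutoff, mini FAT, DIFAT
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)         # DIFAT[0]: the FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 12)) + [ENDOFCHAIN] + [FREESECT] * 116
    directory = _dirent("Root Entry", ROOT_OBJ, 1, ENDOFCHAIN, 0) + _dirent("BodyText", STREAM_OBJ, NOSTREAM, 2, 5000)
    body = (b"A" * 5000).ljust(10 * 512, b"\x00")
    return bytes(hdr) + struct.pack("<128I", *fat) + directory.ljust(512, b"\x00") + body + appended


# Constructed stand-in for an appended high-entropy region (a byte permutation, not real shellcode).
JUNK = bytes((i * 167 + 13) & 0xFF for i in range(4096))

if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("appended region", build_sample(JUNK))):
        report = analyze_cfb(blob)
        print(label, report, heuristics(report))
```

On the clean sample only the header, FAT and directory sectors are outside the declared stream bytes (about 25%, no slack sectors); with the 4096-byte region appended, eight FAT-free sectors appear with entropy 8.0 and both heuristic names come back. Run on a real sample, the slack bytes are what you carve and scan for shellcode, PE and API-string markers.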

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
Scripts_DefaultJScript.js | hwp-jscript | HWP Scripts macro: Scripts/DefaultJScript | 140 bytes
  SHA-256: a581bfa9c95a61285fe051e17d1817322c2621f2d94cf2a858dc3ff121bb0609
  Preview (first 1,000 lines of the extracted script):
    var Documents = XHwpDocuments;
    var Document = Documents.Active_XHwpDocument;
    function OnDocument_New()
    {
    	//todo : 
    }
  This is an empty handler stub: it binds the active document and declares OnDocument_New with no body, so it carries no executable logic, and the T1059.007 mapping rests on the stream being present rather than on anything it does.
BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 3354 bytes
  SHA-256: bba5011eda5fd843472900a845eb4983ea04b7357e087a74ca17ec74110a48e9
BodyText_Section1 | hwp-stream | HWP OLE stream: BodyText/Section1 | 2097152 bytes
  SHA-256: 8af175c172bd4d76a8953c09d49eb17ff666b504c6b04caee28935719276589d
  Exactly 2 MiB of inflated output. A value this round is more likely the inflater's per-stream limit than the section's true length, so treat this SHA-256 as the hash of a truncated carve rather than of the full section.
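The HWP_COMPRESSED heuristic inflates the deflate-compressed record streams, and the round 2 MiB and 10 MiB figures in this report are what a capped inflater produces when a stream is hugely redundant. The following is an added example, not the analyser's code and not data from the sample: it shows how such a budget is enforced with zlib's max_length and how to tell a capped result from a genuinely small one. The 2 MiB cap and the two constructed streams (one ordinary, one padded with 3 MiB of a single repeated byte) are assumptions of the example.

```python
import zlib

# Assumed per-stream budget for the example; 2,097,152 happens to be the Section1 artifact size above.
INFLATE_CAP = 2 * 1024 * 1024


def inflate_hwp_stream(raw, cap=INFLATE_CAP):
    """Inflate one raw-deflate HWP record stream (BodyText/SectionN, BinData/...) under a byte budget.

    HWP 5 compresses record streams with deflate and no zlib header, hence wbits=-15. Returns the
    inflated bytes, whether the budget cut the stream short, and the inflated:compressed ratio.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(raw, cap)          # max_length stops output at `cap`; leftover input stays in unconsumed_tail
    truncated = not d.eof                 # end-of-stream never reached: the true size is larger than `cap`
    ratio = len(out) / len(raw) if raw else 0.0
    return out, truncated, ratio


def _raw_deflate(data):
    """Constructed test input: raw deflate the way an HWP writer emits it (no header, no checksum)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Constructed stand-ins, not streams carved from the analysed sample.
SMALL_SECTION_PLAIN = b"\x42\x00\x00\x00" * 64                    # a few hundred bytes of HWP-like records
SMALL_SECTION = _raw_deflate(SMALL_SECTION_PLAIN)
PADDED_SECTION = _raw_deflate(b"\x0c" * (3 * 1024 * 1024))         # 3 MiB of one byte deflates to a few KB

if __name__ == "__main__":
    for name, raw in (("small", SMALL_SECTION), ("padded", PADDED_SECTION)):
        out, truncated, ratio = inflate_hwp_stream(raw)
        print(f"{name}: {len(raw)} -> {len(out)} bytes, ratio {ratio:.0f}:1, hit cap: {truncated}")
```

The padded stream comes back at exactly INFLATE_CAP with truncated set, which is the signature to look for when an artifact size is a power of two: the hash and size describe the budget, not the section. A ratio in the hundreds from a sub-100 KB container is also the cheapest indicator that a BodyText section is padding rather than text.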