Verdict: MALICIOUS
Risk Score: 82
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The OLE file exhibits anomalies including a large slack region and an appended executable-looking payload, indicating it is designed to deliver a secondary malicious component. The presence of OLE- and HWP-specific streams suggests a document-based attack vector, likely initiated via spearphishing.
Heuristics (3)
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY): OLE file is 94,208 bytes but its declared streams total only 43,338 bytes; the remaining 50,870 bytes (54%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- OLE file has appended executable-looking payload bytes (severity: high, OLE_APPENDED_PAYLOAD): OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- Decompressed OLE-wrapped HWP streams (severity: info, HWP_COMPRESSED): Inflated 210873 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 162735 bytes | b8bd8c1543f09ff26b25285c01c238fdc01c2432abd9af5dfde0a927df0e7556 |
| BodyText_Section1 | hwp-stream | HWP OLE stream: BodyText/Section1 | 22394 bytes | 9cd647b2aac0327b864b0c322ca97a7a0db4acdbe070c049f91e439e8493aaa3 |
| DocInfo | hwp-stream | HWP OLE stream: DocInfo | 25744 bytes | 9af3973c8c8718a74c17f264edf55a099f62badfed862a4ba701db6ae605fe5c |