Verdict: MALICIOUS (Risk Score: 62)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The HWP file has an appended payload, indicated by the OLE_APPENDED_PAYLOAD heuristic. Additionally, a JavaScript file was extracted, suggesting it may be used to initiate the execution of the appended payload. The presence of shellcode candidate regions further supports the malicious nature of the file.
Heuristics (3)
- OLE file has appended executable-looking payload bytes (severity: high, OLE_APPENDED_PAYLOAD): the OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
- Suspicious extracted artifact (severity: medium, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Decompressed OLE-wrapped HWP streams (severity: info, HWP_COMPRESSED): inflated 10485760 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.
Extracted artifacts (19)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size (bytes) | SHA-256 | Detection notes |
|---|---|---|---|---|---|
| Scripts_DefaultJScript.js | hwp-jscript | HWP Scripts macro: Scripts/DefaultJScript | 140 | a581bfa9c95a61285fe051e17d1817322c2621f2d94cf2a858dc3ff121bb0609 | Script preview below |
| BinData_BIN0001.bmp | hwp-stream | HWP OLE stream: BinData/BIN0001.bmp | 478594 | 39bbb93610ecd6026a1b59a083e52332fd4b465d4f3ab92fffd7e7d97516ba1a | |
| BinData_BIN0002.bmp | hwp-stream | HWP OLE stream: BinData/BIN0002.bmp | 226134 | 32a4a981546c9897b9c3e087d80ef37fb9b23186768e9145b44839c84be63831 | |
| BinData_BIN0003.bmp | hwp-stream | HWP OLE stream: BinData/BIN0003.bmp | 486358 | 4259c035b3d253084ae1160c1da2907e8bfcdb724577b5f418ece1f74a937156 | |
| BinData_BIN0004.bmp | hwp-stream | HWP OLE stream: BinData/BIN0004.bmp | 265462 | c405ea191680bd09bd1afb6a51f5e0fd0cfa328d3c6c5418237c264c77859540 | |
| BinData_BIN0005.bmp | hwp-stream | HWP OLE stream: BinData/BIN0005.bmp | 488030 | 42ebd91b9ad2d95f77d88bfe914b00325af74572dc841a1df118cf1021a8982c | |
| BinData_BIN0006.bmp | hwp-stream | HWP OLE stream: BinData/BIN0006.bmp | 264654 | b13ae45faee0926a3d8729d6a00ca5e1e64ec6fbf917fd78fe958f629612c6ce | |
| BinData_BIN0007.bmp | hwp-stream | HWP OLE stream: BinData/BIN0007.bmp | 504206 | e8fa90544447fe96b830614d826e9d005e9f102cef020be33ad17969f63ffbfa | |
| BinData_BIN0008.bmp | hwp-stream | HWP OLE stream: BinData/BIN0008.bmp | 238250 | f03cae3e842a83c82c28d1723cff88d9fc0229d7795eb240666a2c16bad1dfc9 | |
| BinData_BIN0009.bmp | hwp-stream | HWP OLE stream: BinData/BIN0009.bmp | 476446 | e1bb1acd46d981472e0fbb77a31b77eedca6864cc576e2b5bd2e45ed31a175b3 | |
| BinData_BIN000A.bmp | hwp-stream | HWP OLE stream: BinData/BIN000A.bmp | 300894 | 8ec60f20d4809eba60f8448f9fd48968c3ca9133aa4e0d5f1e698b62c2e27529 | |
| BinData_BIN000B.bmp | hwp-stream | HWP OLE stream: BinData/BIN000B.bmp | 460870 | 71d91dda1ae62e6bc3b9f77ef1abd3e8be978c98e926d38198751a97f4b99986 | |
| BinData_BIN000C.bmp | hwp-stream | HWP OLE stream: BinData/BIN000C.bmp | 303750 | 61092e76b640929044a765c4ec5b0a4bb079f14e20b7a645c6b13453b8db7d97 | |
| BinData_BIN000D.bmp | hwp-stream | HWP OLE stream: BinData/BIN000D.bmp | 486918 | ebf23e0051c2ad169eb3fa77fe614af0778e9f23ea79c454f33918f7314e80b0 | ClamAV: no threats found. Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s); indicators: NOP sled, heap spray 0x06 |
| BinData_BIN000E.bmp | hwp-stream | HWP OLE stream: BinData/BIN000E.bmp | 487326 | 3406e0f71c53fb415808cbf98e7b9839f5c7817710eb0a215cf53370bc2f920f | ClamAV: no threats found. Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s); indicators: heap spray 0x07 |
| BinData_BIN000F.bmp | hwp-stream | HWP OLE stream: BinData/BIN000F.bmp | 329714 | e0cbc1667bd2e6528a4d2c2fb12bd86a77f3206ee6f09fc7273a2080abaf8815 | |
| BinData_BIN0010.bmp | hwp-stream | HWP OLE stream: BinData/BIN0010.bmp | 868518 | c5909bbf2cabcd0dccb6ee0e4cb71ce0c02e8f973e589f80d34eff15d370b98c | |
| BinData_BIN0011.bmp | hwp-stream | HWP OLE stream: BinData/BIN0011.bmp | 2097152 | 9def4a72b16722c64103ceb13f4dead839cdb4c8ef7ac233c70557f401c3b5a9 | |
| BinData_BIN0012.bmp | hwp-stream | HWP OLE stream: BinData/BIN0012.bmp | 2097152 | 63507581346b8cbd9dc29966acf3bc3b50464ae57f1d61be0e235d017035d5a5 | |

Script preview for Scripts_DefaultJScript.js (first 1,000 lines of the extracted script; the extracted body is shown in full here):

```javascript
var Documents = XHwpDocuments;
var Document = Documents.Active_XHwpDocument;
function OnDocument_New()
{
    //todo :
}
```