Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 7aba0a6a410a7434…

Verdict: MALICIOUS
File type: Hangul (OLE)
Size: 2.44 MB
First seen: 2015-01-15
MD5: 075a72939b291f15d3b96f3b817600a5
SHA-1: 121a745a21be4c33e4f8deb1041739584a5a506e
SHA-256: 7aba0a6a410a74345a2c9baab1403398ea22e549e0642dadb5ffec87be1c192b
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The HWP container carries a large high-entropy region beyond its declared streams, and that region contains executable-looking bytes (OLE_APPENDED_PAYLOAD, high). Two of the BinData image streams, BIN000D and BIN000E, also produced shellcode candidate regions on byte-run indicators (NOP sled, heap spray 0x06 and 0x07). The JavaScript artifact is weaker evidence than the summary suggests: the extracted Scripts/DefaultJScript stream is the 140-byte stub shown in the preview below, two object references and an empty OnDocument_New handler, which is the stock content Hangul writes into new documents. It does not by itself initiate anything, so the T1059.007 mapping rests on the stream's presence rather than its content. Both flagged BinData streams are bitmaps, and long runs of a single byte are normal in bitmap pixel data, so the heap-spray matches should be confirmed by inspecting the flagged regions rather than taken at face value. ClamAV found nothing in either flagged stream; the MALICIOUS verdict rests on the heuristics, not on signature matches.

Heuristics (3)

  • OLE_APPENDED_PAYLOAD (high): OLE file has appended executable-looking payload bytes
    The OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • EXTRACTED_FILE_STATIC_TRIAGE (medium): suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • HWP_COMPRESSED (info): decompressed OLE-wrapped HWP streams
    Inflated 10485760 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis. Note that this figure is exactly 10 MiB, and the two largest BinData streams listed below are each exactly 2 MiB (2097152 bytes); round sizes like these often indicate an analysis size cap rather than the true decompressed size, so the real content may be larger than what was scanned.
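The three heuristics above, and the per-stream shellcode indicators reported further down for BIN000D and BIN000E, can be reproduced with a few stdlib-only checks. The script below is an added example, not the scanner that produced this report: it computes the byte extent a compound file's FAT actually accounts for (so anything past it is the "appended" region), inflates an HWP stream as raw DEFLATE with a size cap that reports whether the cap was hit, and runs a byte-run and marker triage that flags a NOP sled or "heap spray 0xNN" but attaches a caveat when the run sits inside a bitmap. The compound file, bitmap and compressed stream it operates on are constructed fixtures built inside the script, since the real sample is not on the page; the function names, the 64-byte run threshold and the loader API list are choices made for this example.

```python
import math
import struct
import zlib
from collections import Counter

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
LOADER_APIS = (b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"WinExec", b"URLDownloadToFileA")

def ole_declared_extent(blob: bytes) -> int:
    """Bytes the compound file's FAT accounts for: the header sector plus every sector
    whose FAT entry is not FREESECT. Data past this offset belongs to no stream, which is
    what an 'appended payload' check keys on. Walks only the 109 header DIFAT slots (<~7 MB)."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", blob, 0x1E)[0]
    num_fat_sectors = struct.unpack_from("<I", blob, 0x2C)[0]
    difat = struct.unpack_from("<109I", blob, 0x4C)
    fat = []
    for sect in difat[:num_fat_sectors]:
        fat.extend(struct.unpack_from(f"<{sector_size // 4}I", blob, (sect + 1) * sector_size))
    last_used = max(i for i, v in enumerate(fat) if v != FREESECT)
    return (last_used + 2) * sector_size  # +1 for the header sector, +1 index -> count

def appended_region(blob: bytes) -> bytes:
    return blob[ole_declared_extent(blob):]

def inflate_hwp_stream(data: bytes, max_bytes: int = 10 * 1024 * 1024):
    """HWP 5 stores BinData/BodyText/DocInfo records as raw DEFLATE (no zlib header).
    Returns (plaintext, truncated). A cap that is hit yields a round figure such as exactly
    10485760 bytes, so a round size in a report deserves a second look before it is quoted."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, max_bytes)
    return out, not d.eof

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def longest_run(data: bytes):
    """(byte_value, length) of the longest run of one repeated byte value."""
    best_b, best_n, cur_b, cur_n = None, 0, None, 0
    for b in data:
        cur_b, cur_n = (b, cur_n + 1) if b == cur_b else (b, 1)
        if cur_n > best_n:
            best_b, best_n = cur_b, cur_n
    return best_b, best_n

def shellcode_indicators(data: bytes, min_run: int = 64) -> list:
    """Byte-run and marker checks of the kind behind 'NOP sled' / 'heap spray 0xNN' / 'PE'."""
    found = []
    b, n = longest_run(data)
    if n >= min_run:
        found.append("NOP sled" if b == 0x90 else f"heap spray 0x{b:02x}")
    found += ["loader API " + api.decode() for api in LOADER_APIS if api in data]
    if data[:2] == b"MZ" or b"This program cannot be run in DOS mode" in data:
        found.append("PE")
    return found

def triage_stream(name: str, data: bytes) -> dict:
    """Per-stream result; a long single-byte run inside a bitmap is what solid-colour pixels look like."""
    indicators = shellcode_indicators(data)
    is_bmp = data[:2] == b"BM" and len(data) >= 14 and struct.unpack_from("<I", data, 2)[0] == len(data)
    caveat = None
    if is_bmp and any(i.startswith(("NOP sled", "heap spray")) for i in indicators):
        caveat = "byte run sits in BMP pixel data; confirm the region is code before trusting it"
    return {"stream": name, "entropy": round(shannon_entropy(data), 2),
            "indicators": indicators, "caveat": caveat}

# Constructed fixtures: test data standing in for the real sample, which is not on the page.
def build_constructed_ole(appended: bytes) -> bytes:
    """Two-sector compound file (header, one FAT sector, one empty directory sector), then `appended`."""
    ss = 512
    header = bytearray(ss)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)  # sector shift 9 -> 512-byte sectors
    struct.pack_into("<I", header, 0x2C, 1)  # one FAT sector
    struct.pack_into("<I", header, 0x30, 1)  # directory chain starts at sector 1
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack(f"<{ss // 4}I", FATSECT, ENDOFCHAIN, *([FREESECT] * (ss // 4 - 2)))
    return bytes(header) + fat + bytes(ss) + appended

def build_constructed_bitmap(fill: int, n: int) -> bytes:
    """BMP-shaped blob: 54-byte header declaring the right file size, then n pixel bytes of `fill`."""
    return b"BM" + struct.pack("<I", 54 + n) + bytes(48) + bytes([fill]) * n

def deflate_for_hwp(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()

if __name__ == "__main__":
    sample = build_constructed_ole(b"\x90" * 128 + b"\xe8\x00\x00\x00\x00LoadLibraryA\x00")
    tail = appended_region(sample)
    print(f"appended {len(tail)} bytes, entropy {shannon_entropy(tail):.2f}, {shellcode_indicators(tail)}")
    print(triage_stream("BinData/BIN000D.bmp", build_constructed_bitmap(0x06, 4096)))
    body, truncated = inflate_hwp_stream(deflate_for_hwp(b"A" * 5000), max_bytes=1000)
    print(f"inflated {len(body)} bytes, truncated={truncated}")
```

Against a real sample you would read the file from disk, walk the directory entries with an OLE library to obtain each BinData stream, and pass the inflated stream to triage_stream; the point of the bitmap fixture is that a pure run of 0x06 in pixel data produces the same "heap spray 0x06" string this report shows for BIN000D, which is why the caveat is attached rather than the indicator suppressed.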

Extracted artifacts (19)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
Scripts_DefaultJScript.js | hwp-jscript | HWP Scripts macro: Scripts/DefaultJScript | 140 bytes
  SHA-256: a581bfa9c95a61285fe051e17d1817322c2621f2d94cf2a858dc3ff121bb0609
  Preview script (first 1,000 lines of the extracted script):
    var Documents = XHwpDocuments;
    var Document = Documents.Active_XHwpDocument;
    function OnDocument_New()
    {
        //todo : 
    }
BinData_BIN0001.bmp | hwp-stream | HWP OLE stream: BinData/BIN0001.bmp | 478594 bytes
  SHA-256: 39bbb93610ecd6026a1b59a083e52332fd4b465d4f3ab92fffd7e7d97516ba1a
BinData_BIN0002.bmp | hwp-stream | HWP OLE stream: BinData/BIN0002.bmp | 226134 bytes
  SHA-256: 32a4a981546c9897b9c3e087d80ef37fb9b23186768e9145b44839c84be63831
BinData_BIN0003.bmp | hwp-stream | HWP OLE stream: BinData/BIN0003.bmp | 486358 bytes
  SHA-256: 4259c035b3d253084ae1160c1da2907e8bfcdb724577b5f418ece1f74a937156
BinData_BIN0004.bmp | hwp-stream | HWP OLE stream: BinData/BIN0004.bmp | 265462 bytes
  SHA-256: c405ea191680bd09bd1afb6a51f5e0fd0cfa328d3c6c5418237c264c77859540
BinData_BIN0005.bmp | hwp-stream | HWP OLE stream: BinData/BIN0005.bmp | 488030 bytes
  SHA-256: 42ebd91b9ad2d95f77d88bfe914b00325af74572dc841a1df118cf1021a8982c
BinData_BIN0006.bmp | hwp-stream | HWP OLE stream: BinData/BIN0006.bmp | 264654 bytes
  SHA-256: b13ae45faee0926a3d8729d6a00ca5e1e64ec6fbf917fd78fe958f629612c6ce
BinData_BIN0007.bmp | hwp-stream | HWP OLE stream: BinData/BIN0007.bmp | 504206 bytes
  SHA-256: e8fa90544447fe96b830614d826e9d005e9f102cef020be33ad17969f63ffbfa
BinData_BIN0008.bmp | hwp-stream | HWP OLE stream: BinData/BIN0008.bmp | 238250 bytes
  SHA-256: f03cae3e842a83c82c28d1723cff88d9fc0229d7795eb240666a2c16bad1dfc9
BinData_BIN0009.bmp | hwp-stream | HWP OLE stream: BinData/BIN0009.bmp | 476446 bytes
  SHA-256: e1bb1acd46d981472e0fbb77a31b77eedca6864cc576e2b5bd2e45ed31a175b3
BinData_BIN000A.bmp | hwp-stream | HWP OLE stream: BinData/BIN000A.bmp | 300894 bytes
  SHA-256: 8ec60f20d4809eba60f8448f9fd48968c3ca9133aa4e0d5f1e698b62c2e27529
BinData_BIN000B.bmp | hwp-stream | HWP OLE stream: BinData/BIN000B.bmp | 460870 bytes
  SHA-256: 71d91dda1ae62e6bc3b9f77ef1abd3e8be978c98e926d38198751a97f4b99986
BinData_BIN000C.bmp | hwp-stream | HWP OLE stream: BinData/BIN000C.bmp | 303750 bytes
  SHA-256: 61092e76b640929044a765c4ec5b0a4bb079f14e20b7a645c6b13453b8db7d97
BinData_BIN000D.bmp | hwp-stream | HWP OLE stream: BinData/BIN000D.bmp | 486918 bytes
  SHA-256: ebf23e0051c2ad169eb3fa77fe614af0778e9f23ea79c454f33918f7314e80b0
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: NOP sled, heap spray 0x06
BinData_BIN000E.bmp | hwp-stream | HWP OLE stream: BinData/BIN000E.bmp | 487326 bytes
  SHA-256: 3406e0f71c53fb415808cbf98e7b9839f5c7817710eb0a215cf53370bc2f920f
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x07
BinData_BIN000F.bmp | hwp-stream | HWP OLE stream: BinData/BIN000F.bmp | 329714 bytes
  SHA-256: e0cbc1667bd2e6528a4d2c2fb12bd86a77f3206ee6f09fc7273a2080abaf8815
BinData_BIN0010.bmp | hwp-stream | HWP OLE stream: BinData/BIN0010.bmp | 868518 bytes
  SHA-256: c5909bbf2cabcd0dccb6ee0e4cb71ce0c02e8f973e589f80d34eff15d370b98c
BinData_BIN0011.bmp | hwp-stream | HWP OLE stream: BinData/BIN0011.bmp | 2097152 bytes
  SHA-256: 9def4a72b16722c64103ceb13f4dead839cdb4c8ef7ac233c70557f401c3b5a9
BinData_BIN0012.bmp | hwp-stream | HWP OLE stream: BinData/BIN0012.bmp | 2097152 bytes
  SHA-256: 63507581346b8cbd9dc29966acf3bc3b50464ae57f1d61be0e235d017035d5a5