Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 7050af905f1696b2…

Verdict: MALICIOUS
File type: Hangul (OLE)
Size: 145.5 KB
MD5: 8451be72b75a38516e7ba7972729909e
SHA-1: 45de8115b49ef68915e868138c04da375dfb7096
SHA-256: 7050af905f1696b2b8cdb4c6e6805a618addf5acfbd4edc3fc807a663016ab26
Risk score: 204

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The HWP document contains embedded PostScript, identified by the HWP_POSTSCRIPT and HWP_PS_FILE heuristics. This PostScript is capable of file operations, indicating a likely dropper or exploit delivery mechanism. ClamAV detections on both the primary file and an extracted artifact (Win.Trojan.Dropper-9787492-1) confirm its malicious nature. The primary SHA-256 hash is included as an IOC.

Heuristics (6)

  • ClamAV: Win.Trojan.Dropper-9787492-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Dropper-9787492-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded PostScript / EPS high HWP_POSTSCRIPT
    HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
  • PostScript file operation high HWP_PS_FILE
    PostScript file operation found (file/run/deletefile)
  • Decompressed OLE-wrapped HWP streams info HWP_COMPRESSED
    Inflated 188086 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
BinData_BIN0001.png | hwp-stream | HWP OLE stream: BinData/BIN0001.png | 26953 bytes
    SHA-256: 09c0a7bad009482eeaf58e125fc50362bc1cab605336e51bcdd912cedae77c42
BinData_BIN0002.png | hwp-stream | HWP OLE stream: BinData/BIN0002.png | 64889 bytes
    SHA-256: 8d4d3f422e16ebc9ae16ed58f6b55988fe9197cbbcec155ec53faa303b51a68d
BinData_BIN0003.jpg | hwp-stream | HWP OLE stream: BinData/BIN0003.jpg | 31682 bytes
    SHA-256: 74011a1810185455d9c8047c84a51ccfb9f3206f4f53e9586e684dec55c7220e
BinData_BIN0004.jpg | hwp-stream | HWP OLE stream: BinData/BIN0004.jpg | 18376 bytes
    SHA-256: 04beb1abed85234d5163b131644f2e662bea215fe6af1567521be54713f55a2f
BinData_BIN0005.ps | hwp-stream | HWP OLE stream: BinData/BIN0005.ps | 18032 bytes
    SHA-256: ca47eb3a62a19e378b15b5714fcf61cfec528d8e27a71ed414d1128658671c8c
    Detection: ClamAV: Win.Trojan.Dropper-9787492-1
    Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s).
BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 11517 bytes
    SHA-256: b5c8fd41d842d90f298f0e35323f282f691752f4221471f4aa548a98d3020852
DocInfo | hwp-stream | HWP OLE stream: DocInfo | 16609 bytes
    SHA-256: 0862798ed6133a6825bbb756a9e73160f274707b0beb054d31be3538df00c96e