MALICIOUS
Risk Score: 144
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
T1203 Exploitation for Client Execution
The HWP document contains embedded PostScript code, identified by the HWP_POSTSCRIPT and HWP_PS_FILE heuristics, which is a known exploit surface. ClamAV detection confirms this as Win.Trojan.GhostPuppet-6712722-3. The embedded PostScript file (BinData_BIN0005.PS) and the presence of JavaScript suggest the document is designed to execute malicious code, likely as a spearphishing attachment.
Heuristics (5)
- ClamAV: Win.Trojan.GhostPuppet-6712722-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
- Embedded PostScript / EPS (high, HWP_POSTSCRIPT): HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
- PostScript file operation (high, HWP_PS_FILE): PostScript file operation found (file/run/deletefile)
- Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED): Inflated 1577874 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (9)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| BinData_BIN0001.jpg | hwp-stream | HWP OLE stream: BinData/BIN0001.jpg | 30228 bytes | 491f039132d41bb60a58c9abcccd82c3c53510226e46c0a96347575a7bde244c | |
| BinData_BIN0002.jpg | hwp-stream | HWP OLE stream: BinData/BIN0002.jpg | 27191 bytes | 9450452e7ba596440184d163ed21490658b651582aedb831f68966f6b4a30476 | |
| BinData_BIN0003.bmp | hwp-stream | HWP OLE stream: BinData/BIN0003.bmp | 1331846 bytes | aa62eb29b8397fc73512d00f4902e665e3db9eb819a090bf13d294827498ae6f | |
| BinData_BIN0004.jpg | hwp-stream | HWP OLE stream: BinData/BIN0004.jpg | 111950 bytes | 26aab8cad966173e81c2a738218c512cb60af0b12278365f7ad43a49a441ca7b | |
| BinData_BIN0005.PS | hwp-stream | HWP OLE stream: BinData/BIN0005.PS | 50277 bytes | bbd9c0ae7398a3d4c95f6e3146719cb2e76b6973a0a47d4c76bcd2d1f978aeab | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob). |
| BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 686 bytes | 99f10305f0dc3104ffab7a4d52eaa938e42f80cd223567381ca0777df51f1951 | |
| BodyText_Section1 | hwp-stream | HWP OLE stream: BodyText/Section1 | 15541 bytes | fd31434707ab8b1522bf7b98cf3499725a3f9fadfcb8f6d77348cc00c0dfff02 | |
| DocInfo | hwp-stream | HWP OLE stream: DocInfo | 9875 bytes | ca0dc9eb13164076a56622ab8337d767ef0ff7485ddd465349a8b31ad3bcbf5b | |
| Scripts_DefaultJScript | hwp-stream | HWP OLE stream: Scripts/DefaultJScript | 272 bytes | e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4 | |