Win.Trojan.GhostPuppet-6712722-3 — Hangul (OLE) malware analysis

Static analysis result for SHA-256 a299bdc3fc07def4…

MALICIOUS

Hangul (OLE)

Size: 222.5 KB
First seen: 2019-11-20
MD5: f392492ef5ea1b399b4c0af38810b0d6
SHA-1: b59c5b8b9f2c0676c31a88abd9653f1630d8d77d
SHA-256: a299bdc3fc07def4b0d5a409484f4717884a78749796960a560a9b30fab2435b
Risk score: 144

Malware Insights

Win.Trojan.GhostPuppet-6712722-3 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The HWP document carries an embedded PostScript file (BinData/BIN0005.PS, 50277 bytes inflated), flagged by the HWP_POSTSCRIPT and HWP_PS_FILE heuristics: the script uses the PostScript file, run and deletefile operators and contains one long base64-like blob, which is consistent with an EPS that decodes a payload to disk, executes it and removes it. Hangul renders EPS through a bundled Ghostscript interpreter, so embedded PostScript is a well-known exploit surface in targeted HWP campaigns (T1203). ClamAV identifies the document as Win.Trojan.GhostPuppet-6712722-3; the signature matches the container, not the carved PS stream on its own, which ClamAV reports as clean. The T1059.007 (JavaScript) mapping rests only on the Scripts/DefaultJScript stream, which at 272 bytes is consistent with the default script stub Hangul writes into ordinary documents rather than attacker-supplied code, so treat that mapping as weak until the stream content is reviewed. Delivery is most likely as a spearphishing attachment (T1566.001).

Heuristics 5

  • ClamAV: Win.Trojan.GhostPuppet-6712722-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
  • Embedded PostScript / EPS high HWP_POSTSCRIPT
    HWP contains embedded PostScript/EPS — a common exploit surface in targeted HWP campaigns
  • PostScript file operation high HWP_PS_FILE
    PostScript file operation found (file/run/deletefile)
  • Decompressed OLE-wrapped HWP streams info HWP_COMPRESSED
    Inflated 1577874 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
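The heuristics above are simple enough to reproduce. The following Python script is added here as an illustration and is not the analysis platform's own code: it reads the compressed flag from the HWP FileHeader, inflates a stream with raw DEFLATE (HWP 5 stores BinData, BodyText, DocInfo and Scripts streams without a zlib header), identifies PostScript by its `%!PS` signature, lists the file/run/deletefile operators it uses in order of appearance, and counts base64-like runs of 200 or more characters. The `triage_hwp` helper that walks a real document on disk assumes the third-party `olefile` package and its `OleFileIO` API; everything else is standard library. The sample stream is constructed for the example (a short EPS with a filler blob) and is not BIN0005.PS from this sample.

```python
"""Static triage of HWP 5.x OLE streams: inflate, spot PostScript, flag file-operation
operators and long base64-like blobs. Added example, not the analysis platform's code."""
import re
import struct
import zlib

# Operators named by the HWP_PS_FILE heuristic. The lookarounds stop 'closefile'
# or 'runs' from matching; a literal string '(run)' still does, which is acceptable
# for a triage heuristic.
PS_FILE_RE = re.compile(rb"(?<![A-Za-z])(file|run|deletefile)(?![A-Za-z])")
# A run of base64 alphabet characters at least MIN_BLOB long counts as a blob.
MIN_BLOB = 200
B64_RE = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB)


def parse_file_header(header: bytes) -> dict:
    """Decode the 256-byte FileHeader stream: signature, version and the
    compressed (bit 0) / encrypted (bit 1) flags of the DWORD at offset 36."""
    flags = struct.unpack("<I", header[36:40])[0]
    return {
        "signature_ok": header[:32].rstrip(b"\x00") == b"HWP Document File",
        "version": ".".join(str(b) for b in header[32:36][::-1]),
        "compressed": bool(flags & 0x1),
        "encrypted": bool(flags & 0x2),  # encrypted streams will not inflate
    }


def inflate_stream(data: bytes, compressed: bool = True) -> bytes:
    """HWP compresses streams as raw DEFLATE (no zlib header), hence wbits=-15."""
    if not compressed:
        return data
    return zlib.decompressobj(-15).decompress(data)


def is_postscript(data: bytes) -> bool:
    return data.lstrip().startswith(b"%!PS")


def ps_file_operations(data: bytes) -> list:
    """Distinct file/run/deletefile operators used, in order of first appearance."""
    seen = []
    for m in PS_FILE_RE.finditer(data):
        op = m.group(1).decode()
        if op not in seen:
            seen.append(op)
    return seen


def base64_blobs(data: bytes) -> list:
    return [m.group(0) for m in B64_RE.finditer(data)]


def triage_stream(name: str, raw: bytes, compressed: bool = True) -> dict:
    """Inflate one OLE stream and apply the PostScript heuristics to it."""
    data = inflate_stream(raw, compressed)
    result = {"stream": name, "inflated_size": len(data),
              "postscript": is_postscript(data), "file_ops": [], "base64_blobs": 0}
    if result["postscript"]:
        result["file_ops"] = ps_file_operations(data)
        result["base64_blobs"] = len(base64_blobs(data))
    return result


def triage_hwp(path: str) -> list:
    """Walk a real .hwp on disk. Assumes the third-party 'olefile' package
    (olefile.OleFileIO API); imported lazily so the rest runs on stdlib alone."""
    import olefile
    ole = olefile.OleFileIO(path)
    header = parse_file_header(ole.openstream("FileHeader").read())
    hits = []
    for parts in ole.listdir(streams=True, storages=False):
        if parts[0] in ("BinData", "BodyText", "DocInfo", "Scripts"):
            raw = ole.openstream(parts).read()
            hits.append(triage_stream("/".join(parts), raw, header["compressed"]))
    return hits


def build_sample_header() -> bytes:
    """Constructed FileHeader: version 5.0.3.0, compressed flag set, not encrypted."""
    return (b"HWP Document File".ljust(32, b"\x00") + bytes([0, 3, 0, 5])
            + struct.pack("<I", 0x1)).ljust(256, b"\x00")


def build_sample_stream() -> bytes:
    """Constructed sample (not the real BIN0005.PS): an EPS that writes a blob to disk,
    runs it and deletes it, compressed the way HWP compresses BinData streams."""
    blob = b"QUJD" * 60  # 240-char filler standing in for an encoded payload
    ps = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
          b"/payload (" + blob + b") def\n"
          b"/f (tmp.bin) (w) file def\n"
          b"f payload writestring\nf closefile\n"
          b"(tmp.bin) run\n(tmp.bin) deletefile\n")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(ps) + comp.flush()


if __name__ == "__main__":
    hdr = parse_file_header(build_sample_header())
    print(hdr)
    print(triage_stream("BinData/BIN0005.PS", build_sample_stream(), hdr["compressed"]))
```

On a real document the interesting call is `triage_hwp(path)`; any stream that reports `postscript: True` together with a non-empty `file_ops` list or a blob count above zero is the one to pull out and read by hand, exactly the combination the HWP_PS_FILE and EXTRACTED_FILE_STATIC_TRIAGE heuristics flagged here.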

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename   Kind   Source   Size

  • BinData_BIN0001.jpg   hwp-stream   HWP OLE stream: BinData/BIN0001.jpg   30228 bytes
    SHA-256: 491f039132d41bb60a58c9abcccd82c3c53510226e46c0a96347575a7bde244c
  • BinData_BIN0002.jpg   hwp-stream   HWP OLE stream: BinData/BIN0002.jpg   27191 bytes
    SHA-256: 9450452e7ba596440184d163ed21490658b651582aedb831f68966f6b4a30476
  • BinData_BIN0003.bmp   hwp-stream   HWP OLE stream: BinData/BIN0003.bmp   1331846 bytes
    SHA-256: aa62eb29b8397fc73512d00f4902e665e3db9eb819a090bf13d294827498ae6f
  • BinData_BIN0004.jpg   hwp-stream   HWP OLE stream: BinData/BIN0004.jpg   111950 bytes
    SHA-256: 26aab8cad966173e81c2a738218c512cb60af0b12278365f7ad43a49a441ca7b
  • BinData_BIN0005.PS   hwp-stream   HWP OLE stream: BinData/BIN0005.PS   50277 bytes
    SHA-256: bbd9c0ae7398a3d4c95f6e3146719cb2e76b6973a0a47d4c76bcd2d1f978aeab
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
  • BodyText_Section0   hwp-stream   HWP OLE stream: BodyText/Section0   686 bytes
    SHA-256: 99f10305f0dc3104ffab7a4d52eaa938e42f80cd223567381ca0777df51f1951
  • BodyText_Section1   hwp-stream   HWP OLE stream: BodyText/Section1   15541 bytes
    SHA-256: fd31434707ab8b1522bf7b98cf3499725a3f9fadfcb8f6d77348cc00c0dfff02
  • DocInfo   hwp-stream   HWP OLE stream: DocInfo   9875 bytes
    SHA-256: ca0dc9eb13164076a56622ab8337d767ef0ff7485ddd465349a8b31ad3bcbf5b
  • Scripts_DefaultJScript   hwp-stream   HWP OLE stream: Scripts/DefaultJScript   272 bytes
    SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4