Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 a2d1446fe744c0dc…

Verdict: MALICIOUS
Type: Hangul (OLE)
Size: 352.0 KB
First seen: 2019-09-30
MD5: a576fa84baba9567ccafcc9edf3e689e
SHA-1: 2f49b5277d44b262855618a6d0f3affede3d9057
SHA-256: a2d1446fe744c0dc2949c3ae123e5ebd9a121123ad31d09a64ad0396bc0c1610
Risk score: 584

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The file is an HWP (Hangul 5.x) document stored as an OLE compound file, with two embedded objects of interest: a PE executable and an Adobe Flash SWF (BinData/BIN0002.swf). String references to CreateProcess, VirtualAlloc, VirtualProtect, WriteProcessMemory, CreateRemoteThread, LoadLibrary and GetProcAddress were found; together these are the imports a loader uses to allocate, write and start code in another process, so the embedded executable is most likely meant to be dropped and run. Note that these are static string hits inside the carved content, which show intent rather than observed behaviour. ClamAV names the container Win.Dropper.Scar-9879231-0 and the carved executable Win.Spyware.Onlinegames-18853; the same spyware signature also fires on the inflated BodyText/Section1 stream, which additionally holds a long base64-like blob, so that section, rather than the BinData storage, is where to look for the executable's true boundaries and any second-stage encoding. The SWF is flagged because Flash objects embedded in documents were the vector for CVE-2018-4878 and CVE-2018-15982; this analysis did not match it to a specific exploit.

Heuristics (13)

  • ClamAV: Win.Dropper.Scar-9879231-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Scar-9879231-0
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • Embedded PE executable critical HWP_EMBEDDED_PE
    PE executable found inside HWP document
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Decompressed OLE-wrapped HWP streams info HWP_COMPRESSED
    Inflated 326518 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                      Kind         Source                               Size
embedded_office_00002a00.exe  embedded-pe  Office MZ+PE at offset 0x2A00        349696 bytes
    SHA-256: a42bbbacaf26dd692a03fdc252f730ae85a292618aae5ee86b49970c27d32ba2
    Detection: ClamAV Win.Spyware.Onlinegames-18853
    Obfuscation or payload: unlikely
BinData_BIN0001.jpg           hwp-stream   HWP OLE stream: BinData/BIN0001.jpg  7231 bytes
    SHA-256: 33f7ee1602f5c6fc42dd5989ae7c7a8e01f78c87e250b2add6d55ebe7e900180
BinData_BIN0002.swf           hwp-stream   HWP OLE stream: BinData/BIN0002.swf  3862 bytes
    SHA-256: e7b9c6f5ae2e93df18a4f6909ac673ccd4cb360a23c578120e0db661a54ef88e
BodyText_Section0             hwp-stream   HWP OLE stream: BodyText/Section0    23014 bytes
    SHA-256: c5f7bc5636c88efd68549732f93601e75a5d83b84697a6f9c16b829928035b5b
BodyText_Section1             hwp-stream   HWP OLE stream: BodyText/Section1    278016 bytes
    SHA-256: 5d0d5b4d32cc5ac4ef5db293530a96c2d778183acfd3888ef0b6a9d7794241b7
    Detection: ClamAV Win.Spyware.Onlinegames-18853
    Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
DocInfo                       hwp-stream   HWP OLE stream: DocInfo              14367 bytes
    SHA-256: c2a117c9a16c08bd1dea014c91d24bb26c023b45182fc30e05315218f125ac7f

Note on the carved executable: 0x2A00 (10752) + 349696 = 360448 bytes, which is exactly the 352.0 KB of the whole sample, so the carve runs from the MZ header to end of file. The listed size and SHA-256 therefore describe that slice, not the executable's true extent; trim it to the end of its last section (from the PE section table) before hashing it for lookups or pivoting on it.
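The HWP_COMPRESSED heuristic above inflates the BodyText, BinData, DocInfo and Scripts streams before scanning, and the carved-executable entry shows why a carver that stops at end of file over-reads. The following script is an added example, not the analysis platform's own code: it inflates an HWP stream (raw deflate first, since HWP 5.x stores these streams without a zlib header), locates PE and SWF objects in the result, computes a found PE's on-disk size from its section table, and counts references to the process-manipulation APIs the SC_STR_* heuristics key on. The byte-level functions use only the standard library and run on a constructed stream; the whole-file walker assumes the third-party olefile package and its OleFileIO/listdir/openstream API.

```python
"""Stream-level triage for OLE-wrapped HWP documents (added example, not the platform's code)."""
from __future__ import annotations

import re
import struct
import zlib

# API names the SC_STR_* heuristics key on: string references, not observed calls.
SUSPICIOUS_APIS = (b"CreateProcess", b"VirtualAlloc", b"VirtualProtect",
                   b"WriteProcessMemory", b"CreateRemoteThread",
                   b"LoadLibrary", b"GetProcAddress")
# Storages whose streams HWP 5.x stores raw-deflated when the FileHeader compression flag is set.
COMPRESSED_PREFIXES = ("BodyText/", "BinData/", "DocInfo", "Scripts/")


def inflate_hwp_stream(raw: bytes) -> bytes:
    """Raw deflate first (no zlib header), then zlib-wrapped; an uncompressed stream comes back unchanged."""
    for wbits in (-15, 15):
        try:
            return zlib.decompress(raw, wbits)
        except zlib.error:
            continue
    return raw


def pe_on_disk_size(buf: bytes, off: int) -> int | None:
    """Size of the PE at buf[off:] as laid out on disk (end of the last section's raw data), or None.

    A carver that simply runs to end of file over-reads; the section table gives the real boundary."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or buf[pe:pe + 4] != b"PE\0\0":
        return None
    try:
        nsect = struct.unpack_from("<H", buf, pe + 6)[0]        # COFF NumberOfSections
        opt_size = struct.unpack_from("<H", buf, pe + 20)[0]    # COFF SizeOfOptionalHeader
        sect = pe + 24 + opt_size                              # first IMAGE_SECTION_HEADER
        end = sect + 40 * nsect                                # at least the headers themselves
        for i in range(nsect):
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:
        return None
    return end - off


def find_embedded(buf: bytes) -> list[dict]:
    """Locate PE (validated through e_lfanew, so stray 'MZ' text is ignored) and SWF (FWS/CWS/ZWS) objects."""
    hits = []
    for m in re.finditer(b"MZ", buf):
        size = pe_on_disk_size(buf, m.start())
        if size:
            hits.append({"kind": "pe", "offset": m.start(), "size": size})
    for m in re.finditer(rb"[FCZ]WS[\x01-\x40]", buf):        # signature plus a plausible version byte
        if m.start() + 8 <= len(buf):
            hits.append({"kind": "swf", "offset": m.start(),
                         "size": struct.unpack_from("<I", buf, m.start() + 4)[0]})  # uncompressed length
    return hits


def api_references(buf: bytes) -> dict[str, int]:
    """Count plain-text references to the process-manipulation APIs; a hit shows intent, not execution."""
    return {name.decode(): buf.count(name) for name in SUSPICIOUS_APIS if name in buf}


def triage_stream(raw: bytes, compressed: bool = True) -> dict:
    """Inflate one stream (if the storage is a compressed one) and report what it contains."""
    data = inflate_hwp_stream(raw) if compressed else raw
    return {"inflated": data is not raw, "size": len(data),
            "embedded": find_embedded(data), "apis": api_references(data)}


def triage_hwp(path: str) -> dict[str, dict]:
    """Walk every stream of an HWP file. Assumption: the third-party olefile package (pip install olefile)."""
    import olefile
    report = {}
    with olefile.OleFileIO(path) as ole:
        for parts in ole.listdir(streams=True, storages=False):
            name = "/".join(parts)
            report[name] = triage_stream(ole.openstream(parts).read(),
                                         compressed=name.startswith(COMPRESSED_PREFIXES))
    return report


def build_sample_stream() -> bytes:
    """Constructed input (not from the sample above): a minimal one-section PE carrying three API names,
    then a SWF header, then text, raw-deflated the way HWP stores a BodyText section."""
    pe = bytearray(0x600)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                 # e_lfanew -> PE signature at 0x80
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x14C, 1)            # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", pe, 0x80 + 20, 0xE0)            # SizeOfOptionalHeader for PE32
    sect = 0x80 + 24 + 0xE0
    struct.pack_into("<II", pe, sect + 16, 0x200, 0x400)   # SizeOfRawData, PointerToRawData -> PE ends at 0x600
    blob = b"\0".join(SUSPICIOUS_APIS[:3])
    pe[0x400:0x400 + len(blob)] = blob                     # "imports" inside the section
    swf = b"FWS\x0a" + struct.pack("<I", 1234) + b"\0" * 8  # FWS, version 10, uncompressed length 1234
    plain = bytes(pe) + swf + b"Section text follows the embedded objects."
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(plain) + c.flush()


if __name__ == "__main__":
    print(triage_stream(build_sample_stream()))
```

On a real sample, run triage_hwp on the file and compare the PE size it reports for BodyText/Section1 against the 349696-byte carve; the difference is the slack a run-to-EOF carver appends, and the trimmed slice is what should be hashed for lookups.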