Verdict: MALICIOUS
Risk Score: 584
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
- T1027 Obfuscated Files or Information
- T1105 Ingress Tool Transfer
The file is an HWP document containing embedded objects, including a PE executable and a Flash SWF file. Heuristics flag string references to process-injection APIs (CreateProcess, VirtualAlloc, VirtualProtect, WriteProcessMemory, CreateRemoteThread, LoadLibrary, GetProcAddress), suggesting the embedded executable is designed to be run. ClamAV detections further confirm its malicious nature as a dropper and spyware. The combination of an embedded executable and API references for process manipulation strongly indicates a payload delivery mechanism.
Heuristics (13):
- ClamAV: Win.Dropper.Scar-9879231-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Dropper.Scar-9879231-0
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY): Reference to WriteProcessMemory API
- Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD): Reference to CreateRemoteThread API
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document; possible embedded executable
- Embedded Adobe Flash (SWF) in OLE document (critical, OFFICE_EMBEDDED_SWF): Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
- Embedded PE executable (critical, HWP_EMBEDDED_PE): PE executable found inside HWP document
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS): Reference to CreateProcess API
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API
- Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT): Reference to VirtualProtect API
- Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED): Inflated 326518 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (6)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| embedded_office_00002a00.exe | embedded-pe | Office MZ+PE at offset 0x2A00 | 349696 bytes | a42bbbacaf26dd692a03fdc252f730ae85a292618aae5ee86b49970c27d32ba2 | ClamAV: Win.Spyware.Onlinegames-18853; obfuscation or payload: unlikely |
| BinData_BIN0001.jpg | hwp-stream | HWP OLE stream: BinData/BIN0001.jpg | 7231 bytes | 33f7ee1602f5c6fc42dd5989ae7c7a8e01f78c87e250b2add6d55ebe7e900180 | none |
| BinData_BIN0002.swf | hwp-stream | HWP OLE stream: BinData/BIN0002.swf | 3862 bytes | e7b9c6f5ae2e93df18a4f6909ac673ccd4cb360a23c578120e0db661a54ef88e | none |
| BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 23014 bytes | c5f7bc5636c88efd68549732f93601e75a5d83b84697a6f9c16b829928035b5b | none |
| BodyText_Section1 | hwp-stream | HWP OLE stream: BodyText/Section1 | 278016 bytes | 5d0d5b4d32cc5ac4ef5db293530a96c2d778183acfd3888ef0b6a9d7794241b7 | ClamAV: Win.Spyware.Onlinegames-18853; obfuscation or payload: likely (carved artifact contains 1 long base64-like blob) |
| DocInfo | hwp-stream | HWP OLE stream: DocInfo | 14367 bytes | c2a117c9a16c08bd1dea014c91d24bb26c023b45182fc30e05315218f125ac7f | none |