Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 281828d6f5bd377f…

Verdict: MALICIOUS

File type: Hangul (OLE)

Size: 282.0 KB

MD5: 44bdeb6c0af7c36a08c64e31ceadc63c
SHA-1: 7457e355407a0ecc7b5e676cafde242af33a0c82
SHA-256: 281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919

Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The file is identified as malicious by ClamAV with multiple critical detections. A critical heuristic indicates the presence of a shell command reference to 'wscript', suggesting the execution of scripts. While no specific script content is detailed, the overall evidence points to a malicious file likely employing script execution for its payload delivery or execution.

Heuristics (4)

  • Shell command reference (critical, HWP_SHELL_CMD)
    Found reference to 'wscript' in document
  • ClamAV: Win.Trojan.Malear-5900670-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Malear-5900670-0
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED)
    Inflated 397372 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size (plus Detection where an artifact was flagged).

  • BinData_BIN0001.png
    SHA-256: eb9d912b151532e7e826b251a441dab648e14b620d5f5135219598839a5a555d
    Kind: hwp-stream | Source: HWP OLE stream: BinData/BIN0001.png | Size: 1367 bytes
  • BinData_BIN0002.png
    SHA-256: fa12e9c4a800b71ab8e60ff906e6d03dc19369dada74e31eee9209eff3bf28e9
    Kind: hwp-stream | Source: HWP OLE stream: BinData/BIN0002.png | Size: 1429 bytes
  • BinData_BIN0003.OLE
    SHA-256: df898d05a5d66ad3e3fa44483882cf53f1d84887c30f8d27d7bfb54ca9191236
    Kind: hwp-stream | Source: HWP OLE stream: BinData/BIN0003.OLE | Size: 163844 bytes
    Detection: ClamAV: Win.Trojan.Malear-5900669-0
    Obfuscation or payload: unlikely
  • BinData_BIN0004.OLE
    SHA-256: c9dca06123dcade7bf1f9dbc8680d76f77fb315a609a1bc06c012f4145fe0909
    Kind: hwp-stream | Source: HWP OLE stream: BinData/BIN0004.OLE | Size: 163844 bytes
    Detection: ClamAV: Win.Trojan.Malear-5900669-0
    Obfuscation or payload: unlikely
  • BinData_BIN0005.jpg
    SHA-256: 06af1b34dea69f5a688bfe6dc85d28ff70c800bbbe32ce9d43b9a8cea739c7c8
    Kind: hwp-stream | Source: HWP OLE stream: BinData/BIN0005.jpg | Size: 4747 bytes
  • BinData_BIN0006.jpg
    SHA-256: a57772adaa67f2b90b3f65b2214c27a7cb7277ee8daaffb33efb207e412b8d1b
    Kind: hwp-stream | Source: HWP OLE stream: BinData/BIN0006.jpg | Size: 4772 bytes
  • BodyText_Section0
    SHA-256: 107a9e68b6775d747c808d70663a4907738720197a50bdd4ac66cabce5d5a133
    Kind: hwp-stream | Source: HWP OLE stream: BodyText/Section0 | Size: 31196 bytes
  • DocInfo
    SHA-256: 9477dff0198cf563569e9d4172eb7d174f14469e36d02b97bc5f356cbaecb9fc
    Kind: hwp-stream | Source: HWP OLE stream: DocInfo | Size: 25893 bytes
  • Scripts_DefaultJScript
    SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4
    Kind: hwp-stream | Source: HWP OLE stream: Scripts/DefaultJScript | Size: 272 bytes