Verdict: MALICIOUS
Risk Score: 84
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The HWP file contains embedded PostScript, identified by the HWP_POSTSCRIPT and HWP_PS_FILE heuristics. This PostScript is likely used to perform file operations such as downloading and executing a secondary payload, as indicated by the suspicious extracted artifact 'BinData_BIN0001.ps'. The embedded PostScript suggests a targeted attack, commonly delivered via spearphishing.
Heuristics (4)
- Embedded PostScript / EPS (severity: high, HWP_POSTSCRIPT): HWP contains embedded PostScript/EPS, a common exploit surface in targeted HWP campaigns.
- PostScript file operation (severity: high, HWP_PS_FILE): PostScript file operation found (file/run/deletefile).
- Decompressed OLE-wrapped HWP streams (severity: info, HWP_COMPRESSED): Inflated 81793 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.
- Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (6)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| BinData_BIN0001.ps | hwp-stream | HWP OLE stream: BinData/BIN0001.ps | 50289 bytes | c2d77d421d89ee9e1658022facf471b789a8ada5d038ca33bb168740158f0429 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob). |
| BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 3287 bytes | 54038c5d1db9064317b9c86dc772c887142601b0be8f1c8312b1ebb387c4a06e | |
| BodyText_Section1 | hwp-stream | HWP OLE stream: BodyText/Section1 | 5717 bytes | 25463167a8c4476062601394c7b4228d1ac30122d79b1a1f31b04159a6b04d85 | |
| BodyText_Section2 | hwp-stream | HWP OLE stream: BodyText/Section2 | 5856 bytes | 6bc26c646477f90b191143fca5eeb76a7d29e97c55fc5c442b6d3ddbc0c2af30 | |
| BodyText_Section3 | hwp-stream | HWP OLE stream: BodyText/Section3 | 1805 bytes | 94a2fb487963bbd046e37f78baaa244d05d306a3f86496eae5bd15689684d7ec | |
| DocInfo | hwp-stream | HWP OLE stream: DocInfo | 14811 bytes | 28737e27ed8d2372f86d8be2fd3ecc63ef6853f60bc0e0af9448df74216ed2cc | |