Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 b2dd7f9bb24428b0…

Verdict: MALICIOUS

File type: Hangul (OLE)

Size: 70.5 KB
First seen: 2019-04-18
MD5: 0316f6067bc02c23c1975d83c659da21
SHA-1: 9a301f2a0259bdedb85e2ea4c071534776d471ab
SHA-256: b2dd7f9bb24428b0e2ed30b9373fe033d981a29415576b4c654c0d999dd109e5
Risk score: 84

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The HWP file carries embedded PostScript, flagged by the HWP_POSTSCRIPT and HWP_PS_FILE heuristics. The PostScript uses file-operation operators (file/run/deletefile), which in malicious HWP documents are typically used to write a secondary payload to disk and execute it; the carved stream BinData/BIN0001.ps also contains a long base64-like blob consistent with an encoded payload, which is why it was flagged as a suspicious extracted artifact. Note that ClamAV reports no detection on the carved PostScript, so the verdict rests on these heuristics rather than on a signature match. Embedded PostScript in an HWP attachment is characteristic of targeted campaigns delivered by spearphishing.

Heuristics (4)

  • HWP_POSTSCRIPT (high): Embedded PostScript / EPS
    HWP contains embedded PostScript/EPS, a common exploit surface in targeted HWP campaigns
  • HWP_PS_FILE (high): PostScript file operation
    PostScript file operation found (file/run/deletefile)
  • HWP_COMPRESSED (info): Decompressed OLE-wrapped HWP streams
    Inflated 81793 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
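The HWP_COMPRESSED, HWP_PS_FILE and EXTRACTED_FILE_STATIC_TRIAGE checks above amount to: inflate the raw-DEFLATE streams of the OLE container, then scan the result for PostScript file operators and long base64-like runs. The Python below is an added example written for this page, not the analysis pipeline's own code. The sample streams are constructed stand-ins, the 200-character base64 threshold and the dropped.exe filename are assumptions, and reading a real HWP file requires the third-party olefile package.

```python
import re
import zlib

# Operator list follows the report's wording (file/run/deletefile); the
# 200-character base64 run length is an assumed triage threshold.
PS_FILE_OPS = re.compile(rb"\b(file|run|deletefile)\b")
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def inflate_hwp_stream(raw):
    """HWP 5 stores BodyText/Section*, DocInfo and BinData/* as raw DEFLATE
    (no zlib header) when the FileHeader 'compressed' flag is set. Return
    the inflated bytes, or the input unchanged if it does not inflate."""
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def scan_postscript(data):
    """Static triage of one inflated stream: PostScript magic, which
    file-operation operators occur, and how many long base64-like runs."""
    ops = sorted({m.group(1).decode() for m in PS_FILE_OPS.finditer(data)})
    blobs = BASE64_BLOB.findall(data)
    return {
        "is_postscript": data.lstrip().startswith(b"%!PS"),
        "file_ops": ops,
        "base64_blobs": len(blobs),
        "suspicious": bool(ops) or bool(blobs),
    }


def triage_streams(streams):
    """streams: {ole_path: raw_bytes}. Inflate each stream, scan it, and
    total the inflated size the way the HWP_COMPRESSED heuristic reports it."""
    findings, inflated = {}, 0
    for path, raw in streams.items():
        data = inflate_hwp_stream(raw)
        inflated += len(data)
        findings[path] = scan_postscript(data)
    return {"streams": findings, "inflated_bytes": inflated}


def load_ole_streams(path):
    """Read every stream of a real OLE-wrapped HWP. Needs the third-party
    'olefile' package, imported lazily so the offline demo runs without it."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return {"/".join(e): ole.openstream(e).read()
                for e in ole.listdir(streams=True, storages=False)}
    finally:
        ole.close()


def _deflate(data):
    """Raw DEFLATE as HWP writes it (used only to build constructed test data)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Constructed stand-in for BinData/BIN0001.ps: writes a file, runs it, deletes
# it, and carries an encoded blob. 'dropped.exe' is a placeholder, not from the sample.
SAMPLE_PS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"/payload (" + b"QUJDREVGR0hJSktMTU5PUA" * 16 + b") def\n"
    b"/out (dropped.exe) (w) file def\n"
    b"out payload writestring out closefile\n"
    b"(dropped.exe) run\n"
    b"(dropped.exe) deletefile\n"
)
# Constructed stand-in for a BodyText section: record bytes, nothing suspicious.
SAMPLE_BODY = b"\x00" * 64 + b"constructed HWP body text record bytes" + b"\x00" * 64

SAMPLE_STREAMS = {
    "BinData/BIN0001.ps": _deflate(SAMPLE_PS),
    "BodyText/Section0": _deflate(SAMPLE_BODY),
}

if __name__ == "__main__":
    result = triage_streams(SAMPLE_STREAMS)
    for path, finding in result["streams"].items():
        print(path, finding)
    print("inflated bytes:", result["inflated_bytes"])
```

On a real sample, replace SAMPLE_STREAMS with load_ole_streams("sample.hwp"); whether a given stream is actually compressed should be taken from the FileHeader flags rather than from the inflate-or-passthrough fallback used here, which is a convenience for the demo.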

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
BinData_BIN0001.ps | hwp-stream | HWP OLE stream: BinData/BIN0001.ps | 50289 bytes
  SHA-256: c2d77d421d89ee9e1658022facf471b789a8ada5d038ca33bb168740158f0429
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)
BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 3287 bytes
  SHA-256: 54038c5d1db9064317b9c86dc772c887142601b0be8f1c8312b1ebb387c4a06e
BodyText_Section1 | hwp-stream | HWP OLE stream: BodyText/Section1 | 5717 bytes
  SHA-256: 25463167a8c4476062601394c7b4228d1ac30122d79b1a1f31b04159a6b04d85
BodyText_Section2 | hwp-stream | HWP OLE stream: BodyText/Section2 | 5856 bytes
  SHA-256: 6bc26c646477f90b191143fca5eeb76a7d29e97c55fc5c442b6d3ddbc0c2af30
BodyText_Section3 | hwp-stream | HWP OLE stream: BodyText/Section3 | 1805 bytes
  SHA-256: 94a2fb487963bbd046e37f78baaa244d05d306a3f86496eae5bd15689684d7ec
DocInfo | hwp-stream | HWP OLE stream: DocInfo | 14811 bytes
  SHA-256: 28737e27ed8d2372f86d8be2fd3ecc63ef6853f60bc0e0af9448df74216ed2cc