Win.Trojan.GhostPuppet-6712722-3 — Hangul (OLE) malware analysis

Static analysis result for SHA-256 c6abfabb47d4c19c…

Verdict: MALICIOUS
File type: Hangul (OLE)
Size: 3.64 MB
MD5: f684915b55aa1ae70328522081d81765
SHA-1: 489e07631067cd00c291da39de21a561f89ca9f8
SHA-256: c6abfabb47d4c19c107a025335e755bc1fda3a10ba5a4e1dd8462c636292899a
Risk score: 344

Malware Insights

Win.Trojan.GhostPuppet-6712722-3 · confidence 95%

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1190 Exploit Public-Facing Application
Note: only T1204.002 is directly supported by the static findings below. No PowerShell content is reported for this sample, and the exploit surface is an EPS object rendered when a user opens the document, not a public-facing service, so treat T1059.001 and T1190 as engine defaults rather than observed behaviour.

The sample is identified as Win.Trojan.GhostPuppet-6712722-3. Its embedded PostScript decodes hex string literals and executes them at runtime ('<HEX> cvx exec'), a common exploit-staging pattern that keeps the real payload out of plain string scans, and the decoded layer contains the .eqproc operator used by the CVE-2017-8291 Ghostscript -dSAFER bypass. Together these indicate an EPS object built to execute arbitrary code when the document is rendered by a vulnerable Ghostscript build.

Heuristics (9)

  • Ghostscript SAFER bypass in HWP/EPS [critical] (rule CVE_2017_8291, exact CVE match: CVE-2017-8291)
    Detected the Ghostscript CVE-2017-8291 exploit primitive .eqproc. This is the -dSAFER bypass / type-confusion family used by malicious EPS payloads embedded in HWP documents. The .eqproc operator appeared only after decoding the '<HEX> cvx exec' staging, i.e. in the runtime-decoded PostScript layer, not in the stream as stored.
  • PostScript exec command [critical] (rule HWP_PS_EXEC)
    PostScript 'exec' operator found. It runs whatever executable object is on the operand stack, so it is the execution step for the staged code.
  • PostScript runtime hex-to-code execution [critical] (rule HWP_PS_CVX_EXEC)
    Found 3 '<HEX> cvx exec' sequence(s): a hex string literal is converted to an executable object with cvx and run with exec, so the real PostScript is decoded from hex at runtime. This is the classic exploit-staging pattern for malicious EPS.
  • ClamAV: Win.Trojan.GhostPuppet-6712722-3 [critical] (rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
  • Embedded PostScript / EPS [high] (rule HWP_POSTSCRIPT)
    The HWP contains embedded PostScript/EPS (BinData/BIN0019.PS), a common exploit surface in targeted HWP campaigns because the Hangul viewer passes EPS objects to a bundled Ghostscript for rendering.
  • PostScript file operation [high] (rule HWP_PS_FILE)
    PostScript file operation found (file/run/deletefile). Once -dSAFER is bypassed these operators reach the host filesystem.
  • External URL [medium] (rule HWP_URL)
    Found 14 URL(s) in document; the one listed is http://www.iec.ch (the IEC standards-body site). URL presence alone is weak evidence and is not tied to the PostScript findings.
  • Decompressed OLE-wrapped HWP streams [info] (rule HWP_COMPRESSED)
    Inflated 4278064 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis. HWP 5.0 normally stores these streams deflate-compressed inside the OLE container, so scanning the raw streams would miss the PostScript.
  • Suspicious extracted artifact [info] (rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
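The HWP_COMPRESSED and HWP_PS_CVX_EXEC checks above can be reproduced with a short script. The following is an added example written for this report, not the analyzer's own code: it inflates a raw-DEFLATE HWP stream, recursively decodes '<HEX>' literals, and scans every decoded layer for cvx/exec staging, the CVE-2017-8291 .eqproc primitive (plus .rsdparams, the other operator of that bypass, which the report itself does not list) and file operators. The sample PostScript is constructed to exercise the checks and is not the content of BinData/BIN0019.PS; the `triage_hwp_file` helper and its use of the third-party `olefile` package are assumptions for walking a real container.

```python
"""Inflate an HWP 5.0 OLE stream and triage embedded PostScript for the
Ghostscript exploit-staging indicators reported above.

Added example for this report, not the analyzer's own code. The sample
PostScript below is constructed; it is not the content of BinData/BIN0019.PS.
"""
import re
import zlib

# PostScript hex string literal, e.g. <48656c6c6f>; whitespace is permitted inside.
HEX_STRING = re.compile(rb"<([0-9A-Fa-f\s]+)>")
# The staging idiom: hex literal made executable (cvx) and run (exec).
HEX_CVX_EXEC = re.compile(rb"<[0-9A-Fa-f\s]+>\s*cvx\s+exec")
# Operators tied to CVE-2017-8291. The report found .eqproc; .rsdparams is the
# other operator abused by the published -dSAFER bypass (added here as an extension).
SAFER_BYPASS_OPS = (b".eqproc", b".rsdparams")
# Host-reaching operators the HWP_PS_FILE rule looks for.
FILE_OPS = (b"file", b"run", b"deletefile")
MAX_LAYERS = 32  # cap recursive decoding so nested blobs cannot blow up the scan


def _op(op: bytes) -> re.Pattern:
    """Match `op` as a standalone PostScript name (not /op, not inside closefile)."""
    return re.compile(rb"(?<![\w/.])" + re.escape(op) + rb"(?![\w])")


def _decode_hex(blob: bytes) -> bytes:
    digits = re.sub(rb"\s+", b"", blob)
    if len(digits) % 2:
        digits += b"0"  # PostScript pads a trailing odd digit with 0
    return bytes.fromhex(digits.decode("ascii"))


def inflate_hwp_stream(raw: bytes) -> bytes:
    """HWP 5.0 BinData/BodyText/DocInfo streams are raw DEFLATE (no zlib header),
    hence wbits=-15."""
    d = zlib.decompressobj(-15)
    return d.decompress(raw) + d.flush()


def deflate_raw(data: bytes) -> bytes:
    """Inverse of inflate_hwp_stream; used only to build the constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def triage_postscript(ps: bytes) -> dict:
    """Recursively decode hex literals and scan every layer for the indicators."""
    layers = [ps]
    i = 0
    while i < len(layers) and len(layers) < MAX_LAYERS:
        for m in HEX_STRING.finditer(layers[i]):
            decoded = _decode_hex(m.group(1))
            if decoded and len(layers) < MAX_LAYERS:
                layers.append(decoded)
        i += 1
    return {
        "layers_decoded": len(layers),
        "cvx_exec_sequences": sum(len(HEX_CVX_EXEC.findall(layer)) for layer in layers),
        "exec_operators": sum(len(_op(b"exec").findall(layer)) for layer in layers),
        "safer_bypass_ops": sorted(op.decode() for op in SAFER_BYPASS_OPS
                                   if any(_op(op).search(layer) for layer in layers)),
        "file_ops": sorted(op.decode() for op in FILE_OPS
                           if any(_op(op).search(layer) for layer in layers)),
    }


def is_suspicious(result: dict) -> bool:
    """Staged execution plus a SAFER-bypass or file operator in any decoded layer."""
    return result["cvx_exec_sequences"] > 0 and bool(
        result["safer_bypass_ops"] or result["file_ops"])


# Constructed sample: two hex layers; the innermost holds .eqproc and a file operator.
LAYER2 = b"%!PS\n/p { .eqproc } def\n(out.txt) (w) file closefile\n"
LAYER1 = b"%!PS\n<" + LAYER2.hex().encode("ascii") + b"> cvx exec\n"
SAMPLE_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n<" + LAYER1.hex().encode("ascii") + b"> cvx exec\n"
SAMPLE_STREAM = deflate_raw(SAMPLE_EPS)  # as it would sit under BinData/ in the OLE
BENIGN_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n0 0 moveto 100 100 lineto stroke showpage\n"
SAMPLE_RESULT = triage_postscript(inflate_hwp_stream(SAMPLE_STREAM))


def triage_hwp_file(path: str) -> dict:
    """Hypothetical helper: walk a real OLE-wrapped HWP with the third-party
    `olefile` package (assumed installed) and triage BinData streams holding PostScript."""
    import olefile
    findings = {}
    ole = olefile.OleFileIO(path)
    try:
        for entry in ole.listdir(streams=True, storages=False):
            name = "/".join(entry)
            if not name.startswith("BinData/"):
                continue
            data = ole.openstream(entry).read()
            try:
                data = inflate_hwp_stream(data)
            except zlib.error:
                pass  # stream stored uncompressed; scan it as-is
            if b"%!PS" in data[:64]:
                findings[name] = triage_postscript(data)
    finally:
        ole.close()
    return findings


if __name__ == "__main__":
    print(SAMPLE_RESULT, is_suspicious(SAMPLE_RESULT))
```

Scanning every decoded layer, not just the stored bytes, is the point: on the constructed sample the .eqproc and file operators are invisible in the top layer and only surface two hex decodes down, which is exactly why the report's CVE_2017_8291 rule notes that .eqproc was found after decoding the staging.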

Extracted artifacts (29)

Files carved from inside the sample during analysis.

| Filename | Kind | Source (HWP OLE stream) | Size | SHA-256 |
|---|---|---|---|---|
| BinData_BIN0001.png | hwp-stream | BinData/BIN0001.png | 5310 bytes | 0d0614e134c0fb4aea5b9484a93071e0f7826e55e23dc0145e935d42afbcd7a0 |
| BinData_BIN0002.bmp | hwp-stream | BinData/BIN0002.bmp | 322866 bytes | be51ca9774dbb149955568d254235ec182d40bcee1e9bd0ce1e16fd85f71a400 |
| BinData_BIN0003.jpg | hwp-stream | BinData/BIN0003.jpg | 21392 bytes | a7d40fce911f187312c1267f31e2d2fcd5fdb78f9a4afd415846024cf51d0ddb |
| BinData_BIN0004.png | hwp-stream | BinData/BIN0004.png | 151526 bytes | 36de553a13f372b7505bd36eacb94d56ff314fd48ed357cd113ae4dffa08bc0b |
| BinData_BIN0005.png | hwp-stream | BinData/BIN0005.png | 113015 bytes | dab29340d2ef7367660aa34d91e6768177ffeeb712f2eb7459d9b3acf48c8ee2 |
| BinData_BIN0006.jpg | hwp-stream | BinData/BIN0006.jpg | 8252 bytes | b7d05667621dc217cf90553648df10f19c304c27435b57a1b40dedff56094fe3 |
| BinData_BIN0007.png | hwp-stream | BinData/BIN0007.png | 128826 bytes | bfea78d907364ff5e8f80b730689e170f1ba6e3872d164c1f168205b160d2cd4 |
| BinData_BIN0008.bmp | hwp-stream | BinData/BIN0008.bmp | 308502 bytes | 844920f5e907ff090989779e81fccd3640ee8e7acb072e0e10f5c1c7523be727 |
| BinData_BIN0009.png | hwp-stream | BinData/BIN0009.png | 161496 bytes | 9ec3d8d410338301c36d0139ce28e237b2bcf42f3528322761a7986a7e42e53c |
| BinData_BIN000A.png | hwp-stream | BinData/BIN000A.png | 139617 bytes | b7b4d6e7287ccbd912ad480cdfadf8f27a21c694cf3be48af72cb6b9cf14f7d9 |
| BinData_BIN000B.png | hwp-stream | BinData/BIN000B.png | 172438 bytes | 4ecc6ac6a06933b496789773a22767eb15e56cef0be1b6809d26eaeacd9c357e |
| BinData_BIN000C.png | hwp-stream | BinData/BIN000C.png | 157163 bytes | b0e80c2039c9cc1103165bac980a4e3948206a26e40ed1aced4b2dfc2f0d0c26 |
| BinData_BIN000D.png | hwp-stream | BinData/BIN000D.png | 157790 bytes | 99e8794b65c02e39327c4079202d7e9985012669bb54a07019d4f68c5ac9fb2c |
| BinData_BIN000E.png | hwp-stream | BinData/BIN000E.png | 150351 bytes | 5465a33b2031e135cecb7a4264742d26d667244adea8f5eebb3bed2763776c86 |
| BinData_BIN000F.png | hwp-stream | BinData/BIN000F.png | 103977 bytes | 00409114299f339aca405a318e6aa49d3fe0fe9bcfb8227606e498181cf537d9 |
| BinData_BIN0010.png | hwp-stream | BinData/BIN0010.png | 136597 bytes | 0e6a9180ff2153d12955378029501603aef3895a469d548c6adc049794d98a8f |
| BinData_BIN0011.png | hwp-stream | BinData/BIN0011.png | 105166 bytes | 725bd37ea158f301082220db4bb2879405ba7c59fd974436d94e945ef48686b4 |
| BinData_BIN0012.png | hwp-stream | BinData/BIN0012.png | 152974 bytes | 2173c7a1d2f33a0e7a3f8b4f9d545a88d175628f8fce3732519fd45d1f470491 |
| BinData_BIN0013.png | hwp-stream | BinData/BIN0013.png | 150992 bytes | 889f6b8933fd395e03b2eef01dd7cccb76ea8187b80d7a206c603105914110f1 |
| BinData_BIN0014.png | hwp-stream | BinData/BIN0014.png | 139722 bytes | f248a0eebf4141ffdbc442a83ef402f3d47b394b6c5d5a4c036eec35e6d9fdd2 |
| BinData_BIN0015.jpg | hwp-stream | BinData/BIN0015.jpg | 908007 bytes | f7352b8f85b5b699ccd522c61342b0624d84e051fe995ece638b92273915540d |
| BinData_BIN0016.png | hwp-stream | BinData/BIN0016.png | 180907 bytes | ddd47fdb3bfd5a3e8ac9561ca172d57afde5f50188778eb4d82f49dba7d786bd |
| BinData_BIN0017.png | hwp-stream | BinData/BIN0017.png | 107972 bytes | c788da84fb77ee8c5432e6eb8d07b47dddf93e8811baf29e7100129510a6578d |
| BinData_BIN0018.png | hwp-stream | BinData/BIN0018.png | 132392 bytes | 9795b7ab9373e15e55c7ef0f30a204b35be1054c5864cf48c9357af77223d180 |
| BinData_BIN0019.PS | hwp-stream | BinData/BIN0019.PS | 25538 bytes | 7424b7a3767d19edeff8c4bf00df263bacc76a30c719c359834e371e4aa530a9 |
| BodyText_Section0 | hwp-stream | BodyText/Section0 | 686 bytes | 36695924c250c2ce3775221aa520b073ea4328a27891315f5d2becd65faaee94 |
| BodyText_Section1 | hwp-stream | BodyText/Section1 | 100547 bytes | d607ddcb7b122af0bd14a87d60af668457d7450d082c1efc424c2c8d49830d34 |
| DocInfo | hwp-stream | DocInfo | 33899 bytes | 97e3955a0df09152ee0243709cd0abd81202f84274ab035f05acf9c4c4314877 |
| Scripts_DefaultJScript | hwp-stream | Scripts/DefaultJScript | 136 bytes | b707241545a346265aab1ffb32ff64b55bf8f8dc1b56a46ef33ce3d15db11d33 |

Detection notes for BinData_BIN0019.PS (the only artifact with per-file findings):
  • ClamAV: No threats found. The Win.Trojan.GhostPuppet-6712722-3 hit above was on the whole file and did not reproduce on the carved stream alone, so the PostScript heuristics, not the signature, are what flag this artifact; do not downgrade it on the basis of the clean per-artifact scan.
  • Obfuscation or payload: likely.
  • Carved artifact contains 2 long base64-like blob(s). Hex digits are a subset of the base64 alphabet, so long '<HEX>' string literals satisfy this check; the finding is consistent with the '<HEX> cvx exec' staging rather than evidence of a separate encoding.