MALICIOUS
Risk Score: 64
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The HWP document contains JavaScript, as indicated by the HWP_JAVASCRIPT heuristic. This script likely acts as a downloader, fetching a second-stage payload from the embedded URL http://j5b.kr/bin/h.js. The presence of external URLs suggests an intent to retrieve and execute further malicious content, which is characteristic of a spearphishing attachment.
Heuristics 4
- JavaScript detected (high, HWP_JAVASCRIPT): HWP document contains JavaScript references
- External URL (medium, HWP_URL): Found 3 URL(s) in document
- Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED): Inflated 40496 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.ro521.com/test.htm: HWP document reference
  - http://j5b.kr/bin/h.js: In document text (OLE body)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 34382 bytes | 11aee06f03bc92179023a0eb7bfc3152d2b9c229d2af0f03c1c089198b521779 |
| DocInfo | hwp-stream | HWP OLE stream: DocInfo | 5834 bytes | ccee6c7aa62c258ca78395384c67252cb51466cb5bd76b0fcb9025a94c7cfd6a |
| Scripts_DefaultJScript | hwp-stream | HWP OLE stream: Scripts/DefaultJScript | 272 bytes | e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4 |