Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 d0d1e3cb3e845b1e…

MALICIOUS

Hangul (OLE)

Size: 669.0 KB
First seen: 2020-09-15
MD5: 83baea757b743e9bf89df3f38bcac40e
SHA-1: 59a30074c8229feda427bba9bc16945a50ca4a71
SHA-256: d0d1e3cb3e845b1e39395a817b660eed7c500cbf38d5fe7dd3b20b48c1cb7b9f
Risk Score: 184

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1059.007 Command and Scripting Interpreter: JavaScript

The HWP document carries an embedded PostScript stream that uses the 'exec' operator, indicating an attempt to execute arbitrary code from inside the document. PostScript file operations (the file/run/deletefile family) were also detected, suggesting the payload writes, runs or removes files on the victim's system. JavaScript references were found as well, which could be used for further exploitation or payload delivery. Note that the verdict rests on these static heuristics: ClamAV reported no threats on the carved artifacts listed below.

Heuristics (6)

  • PostScript exec command (critical, HWP_PS_EXEC)
    PostScript 'exec' operator found; can execute arbitrary code
  • Embedded PostScript / EPS (high, HWP_POSTSCRIPT)
    HWP contains embedded PostScript/EPS, a common exploit surface in targeted HWP campaigns
  • PostScript file operation (high, HWP_PS_FILE)
    PostScript file operation found (file/run/deletefile)
  • JavaScript detected (high, HWP_JAVASCRIPT)
    HWP document contains JavaScript references
  • Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED)
    Inflated 783047 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
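The checks above, re-implemented as a small Python triage script. This is an added example, not the tool that produced this report. It assumes the HWP 5.0 layout in which the BinData, BodyText, DocInfo and Scripts streams are raw-DEFLATE compressed when bit 0 of the FileHeader flags field is set, and it mirrors HWP_PS_EXEC, HWP_PS_FILE, HWP_JAVASCRIPT and the entropy / base64-blob checks reported for the carved artifacts with simple regular expressions; the sample streams it runs on are constructed for the demo and are not taken from the analysed file. Walking a real document uses the third-party olefile package; everything else is standard library.

```python
"""Static triage of an OLE-wrapped HWP 5.0 document (added example, not the
report's own tool). Sample streams below are constructed, not from the sample."""
import base64
import math
import random
import re
import zlib
from collections import Counter

# HWP 5.0 FileHeader: 32-byte signature, UINT32 version, UINT32 flags
# (bit 0 = streams compressed, bit 1 = password-encrypted).
def header_flags(file_header: bytes) -> dict:
    flags = int.from_bytes(file_header[36:40], "little")
    return {"compressed": bool(flags & 1), "encrypted": bool(flags & 2)}

def inflate_stream(data: bytes, compressed: bool = True) -> bytes:
    """HWP stores BinData/BodyText/DocInfo/Scripts as raw DEFLATE (no zlib
    header), hence wbits=-15. A truncated stream yields what could be inflated."""
    if not compressed:
        return data
    try:
        return zlib.decompressobj(-15).decompress(data)
    except zlib.error:
        return data

PS_MAGIC = (b"%!PS", b"%!")
PS_EXEC = re.compile(rb"(?<![/\w])exec(?!\w)")              # bare exec operator
PS_FILEOP = re.compile(rb"(?<![/\w])(?:file|run|deletefile|renamefile)(?!\w)")
JS_HINT = re.compile(rb"(?i)JScript|JavaScript|ActiveXObject|WScript\.Shell")
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")       # long base64-like run

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_stream(name: str, data: bytes) -> dict:
    """Run the report's heuristics on one inflated stream; returns tag -> detail."""
    hits = {}
    # Operator names like 'file' and 'run' are ordinary words, so only scan
    # streams that actually look like PostScript.
    if data.lstrip().startswith(PS_MAGIC) or name.lower().endswith((".ps", ".eps")):
        hits["HWP_POSTSCRIPT"] = "embedded PostScript/EPS"
        if PS_EXEC.search(data):
            hits["HWP_PS_EXEC"] = "PostScript exec operator"
        ops = sorted({m.group().decode() for m in PS_FILEOP.finditer(data)})
        if ops:
            hits["HWP_PS_FILE"] = "file operators: " + ",".join(ops)
    if name.startswith("Scripts/") or JS_HINT.search(data):
        hits["HWP_JAVASCRIPT"] = "JavaScript reference"
    ent = shannon_entropy(data)
    if len(data) >= 1024 and ent > 7.5:
        hits["HIGH_ENTROPY"] = f"entropy {ent:.2f}, packed or encrypted content likely"
    blobs = B64_BLOB.findall(data)
    if blobs:
        hits["B64_BLOB"] = f"{len(blobs)} long base64-like blob(s)"
    return hits

def triage_streams(streams) -> dict:
    """streams: iterable of (name, raw_bytes, compressed) -> {name: hits}."""
    return {n: triage_stream(n, inflate_stream(d, c)) for n, d, c in streams}

def triage_ole(path: str) -> dict:
    """Walk a real document with the third-party olefile package (pip install olefile)."""
    import olefile
    ole = olefile.OleFileIO(path)
    compressed = header_flags(ole.openstream("FileHeader").read())["compressed"]
    streams = []
    for entry in ole.listdir(streams=True, storages=False):
        name = "/".join(entry)
        packed = compressed and name.startswith(("BinData/", "BodyText/", "DocInfo", "Scripts/"))
        streams.append((name, ole.openstream(entry).read(), packed))
    return triage_streams(streams)

# --- constructed demo input standing in for the real sample's streams ---
def deflate_raw(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

SAMPLE_HEADER = b"HWP Document File".ljust(32, b"\0") + (5 << 24).to_bytes(4, "little") + (1).to_bytes(4, "little")
SAMPLE_PS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"/blob (" + base64.b64encode(bytes(range(256)) * 2) + b") def\n"
    b"/out (C:\\\\Users\\\\Public\\\\stage.exe) (w) file def\n"
    b"out blob writestring out closefile\n"
    b"(C:\\\\Users\\\\Public\\\\stage.exe) run\n"
    b"(C:\\\\Users\\\\Public\\\\stage.exe) deletefile\n"
    b"{ (done) print } exec\n"
)
SAMPLE_JS = b'var sh = new ActiveXObject("WScript.Shell");\n'
_rng = random.Random(7)
SAMPLE_BLOB = b"BM" + bytes(_rng.getrandbits(8) for _ in range(4096))  # packed-looking "bitmap"
SAMPLE_STREAMS = [
    ("BinData/BIN0001.bmp", deflate_raw(SAMPLE_BLOB), True),
    ("BinData/BIN0002.ps", deflate_raw(SAMPLE_PS), True),
    ("Scripts/DefaultJScript", deflate_raw(SAMPLE_JS), True),
]

if __name__ == "__main__":
    for name, hits in triage_streams(SAMPLE_STREAMS).items():
        print(name, hits or "clean")
```

Run as-is to see the three constructed streams tagged; call triage_ole(path) on a real OLE-wrapped HWP. Two caveats worth keeping in mind: if header_flags reports encrypted, the streams cannot be inflated and the encrypted document is itself worth flagging, and the regexes are deliberately loose (a bare 'exec' in a benign EPS trips HWP_PS_EXEC), so treat hits as triage signals to confirm by reading the stream, not as a verdict.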

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

BinData_BIN0001.bmp | hwp-stream | HWP OLE stream: BinData/BIN0001.bmp | 691254 bytes
  SHA-256: 2058cab27e2a1cddddf138870103e7734a97d521ae65ceaf601a7062946537a2
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 7.89, consistent with packed or encrypted content.

BinData_BIN0002.ps | hwp-stream | HWP OLE stream: BinData/BIN0002.ps | 80587 bytes
  SHA-256: cf920f6741fb3884dab42866fe6fa12fe7a70ac9cb6c6dda509dd25dd2b5cf9e
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob.

BinData_BIN0003.jpg | hwp-stream | HWP OLE stream: BinData/BIN0003.jpg | 1454 bytes
  SHA-256: 285fbeb4c9902a4f7798b00b30b6c2adda68bea025e0edc96b06e57d721fac8a

BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 7583 bytes
  SHA-256: 676e0b767af506b4736cf17bb2b8cdca29c8d8f71fcc49aab1960a4d54d6a6b4

DocInfo | hwp-stream | HWP OLE stream: DocInfo | 1911 bytes
  SHA-256: 4ff365fc8274e184149a260f8bd97ec67c198519c323413cd685607a590db701

Scripts_DefaultJScript | hwp-stream | HWP OLE stream: Scripts/DefaultJScript | 250 bytes
  SHA-256: 8e2665d6d7214b320260614968be09d11db6f52ac48bd131d6ab9fd9bcda7f13