Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 dd9b7cb231778368…

MALICIOUS

Hangul (OLE)

Size: 38.3 KB
First seen: 2020-09-04
MD5: 9576a3b163a1b5d9957e24c191bf189b
SHA-1: 58190431e1be51c3c200624286dcc97fc06884ff
SHA-256: dd9b7cb231778368446e176d90fc851329bf55b56463ce8bcefad629521a8524
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The Hangul Word Processor document contains embedded JavaScript and external URLs, indicating an attempt to download and execute a secondary payload. The heuristic firings for HWP_JAVASCRIPT and HWP_URL, along with the presence of two suspicious URLs, strongly suggest this malicious intent. The OLE_SLACK_ANOMALY heuristic also points to potential obfuscation or malicious content within the document structure.

Heuristics (5)

  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    OLE file is 39,204 bytes but its declared streams total only 15,331 bytes — 23,873 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • JavaScript detected (severity: high, HWP_JAVASCRIPT)
    HWP document contains JavaScript references.
  • External URL (severity: medium, HWP_URL)
    Found 4 URL(s) in document.
  • Decompressed OLE-wrapped HWP streams (severity: info, HWP_COMPRESSED)
    Inflated 26562 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://www.ro521.com/test.htm (HWP document reference)
      • http://j5b.kr/bin/h.js (in document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • BodyText_Section0
    Kind: hwp-stream
    Source: HWP OLE stream: BodyText/Section0
    Size: 24136 bytes
    SHA-256: 1368cbd0e257eeb6cd732b4e5b92bf8599ad2a62ed18568f65f4a246f750fc69
  • DocInfo
    Kind: hwp-stream
    Source: HWP OLE stream: DocInfo
    Size: 2398 bytes
    SHA-256: 580ae46d6f101606ff5ff123bc977227812616e032f10712f7f4a9c4643490ad