Verdict: MALICIOUS
Risk Score: 104
Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
The Hangul Word Processor document contains embedded JavaScript and external URLs, indicating an attempt to download and execute a secondary payload. The heuristic firings for HWP_JAVASCRIPT and HWP_URL, along with the presence of two suspicious URLs, strongly suggest this malicious intent. The OLE_SLACK_ANOMALY heuristic also points to potential obfuscation or malicious content within the document structure.
Heuristics (5)
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 39,204 bytes but its declared streams total only 15,331 bytes; 23,873 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- JavaScript detected (high, HWP_JAVASCRIPT): HWP document contains JavaScript references.
- External URL (medium, HWP_URL): Found 4 URL(s) in document.
- Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED): Inflated 26562 bytes from BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.ro521.com/test.htm (HWP document reference)
  - http://j5b.kr/bin/h.js (in document text, OLE body)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 24136 bytes | 1368cbd0e257eeb6cd732b4e5b92bf8599ad2a62ed18568f65f4a246f750fc69 |
| DocInfo | hwp-stream | HWP OLE stream: DocInfo | 2398 bytes | 580ae46d6f101606ff5ff123bc977227812616e032f10712f7f4a9c4643490ad |