Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 e498630abe9a9148…

MALICIOUS

Hangul (OLE)

Size: 151.0 KB
First seen: 2018-09-04
MD5: 06cfc6cda57fb5b67ee3eb0400dd5b97
SHA-1: 08b2da1bdd99538e873684b4e43faccd77db39bd
SHA-256: e498630abe9a91485ba42698a35c2a0d8e13fe5cccde65479bf3033c45e7d431
Risk Score: 346

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript

The sample carries an embedded PostScript object (BinData/BIN0003.PS) that assembles code from hex strings at runtime ('<HEX> cvx exec') and, once that code is decoded, uses the '.eqproc' primitive associated with CVE-2017-8291, a -dSAFER bypass in Ghostscript. This is the pattern of a malicious HWP document that triggers the vulnerability when the host application renders the EPS object with its bundled Ghostscript, likely to download and execute a second-stage payload; the file/run/deletefile operators found in the same PostScript fit that purpose. The T1059.007 (JavaScript) mapping rests on the Scripts/DefaultJScript stream alone; a 272-byte DefaultJScript stream is a default component of HWP 5.0 files and the artifact list records no separate finding for it, so it is weaker evidence than the PostScript chain.

Heuristics (10)

  • Ghostscript SAFER bypass in HWP/EPS [critical] CVE_2017_8291 (exact CVE match)
    Detected Ghostscript CVE-2017-8291 exploit primitive: .eqproc. This matches the -dSAFER bypass/type-confusion family used by malicious EPS payloads embedded in HWP documents. The .eqproc operator was found after decoding '<HEX> cvx exec' staging.
  • ClamAV: Win.Trojan.GhostPuppet-6712722-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.GhostPuppet-6712722-3
  • PostScript exec command [critical] HWP_PS_EXEC
    PostScript 'exec' operator found; it can execute arbitrary PostScript code.
  • PostScript runtime hex-to-code execution [critical] HWP_PS_CVX_EXEC
    Found 3 '<HEX> cvx exec' sequence(s): PostScript decoded from hex strings and executed at runtime, a classic exploit-staging pattern.
  • Embedded PostScript / EPS [high] HWP_POSTSCRIPT
    HWP contains embedded PostScript/EPS, a common exploit surface in targeted HWP campaigns.
  • PostScript file operation [high] HWP_PS_FILE
    PostScript file operation found (file/run/deletefile).
  • External URL [medium] HWP_URL
    Found 13 URL(s) in document.
  • Decompressed OLE-wrapped HWP streams [info] HWP_COMPRESSED
    Inflated 186301 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is an XMP/RDF, Dublin Core or ICC namespace identifier of the kind carried in embedded image metadata, not reachable infrastructure, so none of them should be treated as a network indicator for this sample.
    URL http://ns.adobe.com/xap/1.0/ : HWP document reference
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# : In document text (OLE body)
    • http://ns.adobe.com/iX/1.0/ : In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/ : In document text (OLE body)
    • http://ns.adobe.com/pdf/1.3/ : In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ : In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/ : In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# : In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ : In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ : In document text (OLE body)
    • http://www.iec.ch : In document text (OLE body)
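As an added example (not the analysis platform's own code), the following Python reproduces the chain behind the HWP_COMPRESSED, HWP_PS_CVX_EXEC and CVE_2017_8291 heuristics above: inflate a raw-deflate HWP stream, follow every '<HEX> cvx exec' through nested layers, and look for the flagged operators only in the decoded code. The raw-deflate stream layout is the HWP 5.0 convention assumed here, the EPS content is constructed for illustration and is not the content of BinData/BIN0003.PS, and reading the stream out of the OLE container (for instance with olefile) is left to the caller.

```python
"""Reproduce '<HEX> cvx exec' staging detection on a constructed EPS stream.

Added example for this report, not the analysis platform's own code.
Assumptions: HWP 5.0 stores compressed BinData/BodyText/DocInfo streams as
raw deflate (no zlib header); the PostScript below is constructed and is
not the real BinData/BIN0003.PS.
"""
import re
import zlib

# A hex string literal immediately followed by 'cvx exec': the string is
# converted to an executable object and run, so the real code never appears
# in clear text in the EPS.
HEX_CVX_EXEC = re.compile(rb"<\s*([0-9A-Fa-f\s]+)>\s*cvx\s+exec")

# Operators the report's heuristics key on once the staged code is decoded.
SUSPICIOUS_OPS = (b".eqproc", b"exec", b"file", b"run", b"deletefile")


def deflate_raw(data: bytes) -> bytes:
    """Compress like an HWP 5.0 stream (raw deflate, no zlib header)."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


def inflate_hwp_stream(data: bytes) -> bytes:
    """Inflate an HWP stream; fall back to the raw bytes if it is not deflated."""
    try:
        return zlib.decompress(data, -15)
    except zlib.error:
        return data


def decode_hex_stages(ps: bytes, max_depth: int = 8):
    """Follow every '<HEX> cvx exec' through nested layers.

    Returns (number of sequences seen, list of decoded stage bodies).
    """
    count, layers, frontier = 0, [], [ps]
    for _ in range(max_depth):          # bounded: staging can nest arbitrarily
        next_frontier = []
        for blob in frontier:
            for m in HEX_CVX_EXEC.finditer(blob):
                count += 1
                hexstr = re.sub(rb"\s+", b"", m.group(1))
                if len(hexstr) % 2:     # PostScript pads a trailing odd nibble with 0
                    hexstr += b"0"
                decoded = bytes.fromhex(hexstr.decode("ascii"))
                layers.append(decoded)
                next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return count, layers


def find_ops(blobs) -> set:
    """Whole-token matches for the operators of interest across all layers."""
    found = set()
    for blob in blobs:
        for op in SUSPICIOUS_OPS:
            # 'file' must not fire inside 'deletefile'; '.eqproc' keeps its dot
            pat = rb"(?<![A-Za-z.])" + re.escape(op) + rb"(?![A-Za-z])"
            if re.search(pat, blob):
                found.add(op.decode())
    return found


def triage_stream(name: str, raw: bytes) -> dict:
    """Mirror the HWP_COMPRESSED -> HWP_PS_CVX_EXEC -> CVE_2017_8291 chain."""
    ps = inflate_hwp_stream(raw)
    count, layers = decode_hex_stages(ps)
    ops = find_ops([ps] + layers)
    return {
        "stream": name,
        "inflated_bytes": len(ps),
        "cvx_exec_count": count,
        "ops": sorted(ops),
        # .eqproc only counts when it is reached through runtime-decoded code
        "cve_2017_8291": ".eqproc" in ops and count > 0,
    }


# --- constructed sample (not the real BIN0003.PS) -------------------------
# Innermost stage: the operator names the heuristics look for, nothing more.
STAGE2 = b"/x 1 .eqproc pop (/tmp/drop) (w) file pop"
STAGE1 = b"<" + STAGE2.hex().encode() + b"> cvx exec"
OUTER_PS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n/s 1 def\n"
    + b"<" + STAGE1.hex().encode() + b"> cvx exec\n"           # nested staging
    + b"<" + b"1 1 add pop".hex().encode() + b"> cvx exec\n"   # benign decoy layer
)


def demo() -> dict:
    # Assumption: the caller opens the OLE container (e.g. with olefile) and
    # passes the raw stream bytes; here the constructed EPS is deflated in place.
    return triage_stream("BinData/constructed.PS", deflate_raw(OUTER_PS))


if __name__ == "__main__":
    print(demo())
```

On the constructed stream the scan reports three '<HEX> cvx exec' sequences (two in the outer EPS, one inside the first decoded layer), and '.eqproc' and 'file' surface only after decoding, which is exactly why the heuristics decode the hex before looking for operators.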

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
BinData_BIN0001.jpg | hwp-stream | HWP OLE stream: BinData/BIN0001.jpg | 117227 bytes
  SHA-256: e15fa97d75e2109aa1d51ce8c7daccec976d1f989d61f2805936ca067a17dbf5
BinData_BIN0002.GIF | hwp-stream | HWP OLE stream: BinData/BIN0002.GIF | 2472 bytes
  SHA-256: c290d93052641fc37216b2b321d83b6106059d66e982b6fb7c17f566d652320e
BinData_BIN0003.PS | hwp-stream | HWP OLE stream: BinData/BIN0003.PS | 25538 bytes
  SHA-256: fae339962972070a67e9a565171ffa50c4a6ecad788464dca73e14ac9b39e62b
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))
BodyText_Section0 | hwp-stream | HWP OLE stream: BodyText/Section0 | 686 bytes
  SHA-256: a95d3c9fa27834bf778c543f1c627e300fd3edf34fab733bdaf74b77dbc6b809
BodyText_Section1 | hwp-stream | HWP OLE stream: BodyText/Section1 | 34841 bytes
  SHA-256: b7dff815506ebec3a6784bcf4ad63d86fc026485532dffc96f729878c12d95d2
DocInfo | hwp-stream | HWP OLE stream: DocInfo | 5257 bytes
  SHA-256: 0264d18cc544f0b37cfc13e340ae0234637dbd40e5d3ba7ba0b973e0b01291da
Scripts_DefaultJScript | hwp-stream | HWP OLE stream: Scripts/DefaultJScript | 272 bytes
  SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4