Malicious Hangul (OLE) — malware analysis report

Static analysis result for SHA-256 e5f191531bc1c674…

MALICIOUS

Hangul (OLE)

Size: 248.0 KB
First seen: 2018-06-21
MD5: ff9eff561fd793ddb9011cf7006d5f6c
SHA-1: bd71832af30d337d9a1dea0eeeba0e07e2535d44
SHA-256: e5f191531bc1c674ea74f8885449f4d934d5f1aa7fd3aaa283fe70f9402b9574
Risk score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious with the signature Win.Dropper.NavRat-6582538-0. Static analysis shows it is an OLE-wrapped HWP document containing embedded scripts and carved artifacts. A dropper signature indicates that its primary function is to download and execute a secondary payload, and the HWP document format points to the common 'Spearphishing Attachment' initial access vector.

Heuristics 3

  • ClamAV: Win.Dropper.NavRat-6582538-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Dropper.NavRat-6582538-0
  • Decompressed OLE-wrapped HWP streams (info, HWP_COMPRESSED)
    Inflated 294030 bytes from the BinData / Scripts / BodyText / DocInfo streams of the OLE-wrapped HWP for content analysis
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Fields per artifact: Filename, Kind, Source, Size, SHA-256, Detection (where present)

  • BinData_BIN0001.jpg (hwp-stream)
    Source: HWP OLE stream: BinData/BIN0001.jpg
    Size: 220275 bytes
    SHA-256: 356733b8a95b9d9c2941b40333a00c9ffecce303fc414ca7b776cf15255dcad3
  • BinData_BIN0002.eps (hwp-stream)
    Source: HWP OLE stream: BinData/BIN0002.eps
    Size: 22937 bytes
    SHA-256: 9802bc6879a114f71529c5b59b2f7610176eba2ea077e46f09ff75a2a296549e
    Detection: ClamAV: Win.Dropper.NavRat-6582538-0
    Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))
  • BodyText_Section0 (hwp-stream)
    Source: HWP OLE stream: BodyText/Section0
    Size: 40743 bytes
    SHA-256: d5bd721489fffc402921c8cae49d65151c0b8301f301d71119e343230e2017c3
  • DocInfo (hwp-stream)
    Source: HWP OLE stream: DocInfo
    Size: 9795 bytes
    SHA-256: 0ab6491c0ebfa88469209b94947433fc44af305c082a289c4808c082df047071
  • Scripts_DefaultJScript (hwp-stream)
    Source: HWP OLE stream: Scripts/DefaultJScript
    Size: 272 bytes
    SHA-256: e1f35ff38336598f79448c84b41bcb508d53a552808454a76ee12691cb2c97e4