Malware Disguised as HWP Document File (Kimsuky)

AhnLab Security Emergency response Center (ASEC) has recently confirmed malware, which was previously distributed in CHM and OneNote file formats, being distributed as an executable. Considering that the words used in the malware and the executed script code are similar to that of previously analyzed codes, it is suspected that the same threat group (Kimsuky) is also the creator of this malware.

The identified malware is distributed as a compressed file which contains a readme.txt along with an executable disguised with an HWP document file extension.

Figure 1. Inside the compressed file

The readme.txt file contains the following message which prompts users to open the malicious EXE file (Personal Data Leakage Details.hwp.exe). The malicious EXE file was compiled with .NET and uses the HWP document icon to disguise itself to appear like a document file. Multiple spaces were also inserted into the file name to prevent the file extension from being fully visible.

Figure 2. readme.txt file and executable

The above EXE file contains a PowerShell command encoded in Base64. Thus, when the file is executed, this command is decoded and saved as update.vbs in the %APPDATA% folder. The generated update.vbs file is then executed through PowerShell.

Figure 3. Code within the executable

The following message box is then generated, rendering it difficult for users to realize that malicious behaviors are being performed. The message contains North Korean dialect as shown in Figure 4 below.

Figure 4. Created message box

The created update.vbs file contains obfuscated commands. Decoding this reveals a code that downloads and executes an additional script from hxxp://[.]kr/adm/inc/js/list.php?query=1.

Figure 5. Contents of update.vbs

Both the script present in the above URL and the subsequent scripts executed perform functions such as user credential leakage and keylogging, which are consistent with the findings in the <Analysis Report on Malware Distributed by the Kimsuky Group>. The identified URL and features of the created file are as follows.

URL and FilenameFeature
update.vbs– Changes a certain registry
– Runs the script hxxp://[.]kr/adm/inc/js/list.php?query=1
hxxp://[.]kr/adm/inc/js/list.php?query=1– Changes a certain registry
– Creates OfficeAppManifest_v[Min]_[Hr]_[Day][Month].xml and registers it as a service
– Runs the script hxxp://[.]kr/adm/inc/js/lib.php?idx=1
OfficeAppManifest_v[Min]_[Hr]_[Day][Month].xml– Runs the script hxxp://[.]kr/adm/inc/js/list.php?query=6
hxxp://[.]kr/adm/inc/js/list.php?query=6– Runs the script hxxp://[.]kr/adm/inc/js/lib.php?idx=5
hxxp://[.]kr/adm/inc/js/lib.php?idx=5– Keylogger
– Transmits keylogging data to hxxp://[.]kr/adm/inc/js/show.php
hxxp://[.]kr/adm/inc/js/lib.php?idx=1– Collects user PC information
– Transmits the collected information to hxxp://[.]kr/adm/inc/js/show.php
Table 1. Features of the scripts found on a certain URL and the generated files

The information collected at this stage also matches those of the aforementioned report.

Figure 6. List of exfiltrated information confirmed in the <Analysis Report on Malware Distributed by the Kimsuky Group>

Given the continuous detection of this malware type being distributed, users are advised to exercise extra caution. Users should always verify the file extension when opening email attachments and refrain from executing files received from unknown sources.

[File Detection]

Dropper/Win.Agent.C5441936 (2023.06.16.02)
Trojan/VBS.Kimsuky (2023.03.21.03)
Trojan/PowerShell.Obfuscated (2023.03.14.00)
Trojan/PowerShell.KeyLogger (2023.05.09.00)


8133c5f663f89b01b30a052749b5a988 (exe)
91029801f6f3a415392ccfee8226be67 (script)
73174c9d586531153a5793d050a394a8 (script)
f05991652398406655a6a5eebe3e5f3a (script)
ec1b518541228072eb75463ce15c7bce (script)


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:

4 3 votes
Article Rating
Notify of

Inline Feedbacks
View all comments