Malicious HWP Document Disguised as Reunification Education Support Application
On March 5, AhnLab SEcurity intelligence Center (ASEC) found a post recruiting students for a unification-related course, which included a link to download a malicious HWP document.
At the time of analysis, there were download links for JPG, HWP, and DOC files at the bottom of the post. The HWP file among them was identified as a malicious file disguised as an application form.
Figure 1. Download link at the bottom of the post
The downloaded HWP document contains various files, including a normal HWP document and a malicious BAT file. When the HWP document is opened, these files are created in the TEMP folder.
| File Name | Description |
| --- | --- |
| hwp_doc.db | Normal Document |
| app.db (0304.exe, 0304_1.exe) | Normal Executable (EXE) |
| mnfst.db (0304.exe.manifest) | Configuration File with Malicious Commands |
| mnfst_1.db (0304_1.exe.manifest) | Configuration File with Malicious Commands |
| sch_0304.db | Malicious XML file with a task defined … |
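A triage check for the drop pattern in the table, added here as an example (not ASEC's code): it flags the staging names listed above, EXE files that sit beside a same-named `.exe.manifest`, and one binary saved under several names. The function names and the placeholder files are assumptions constructed for illustration; the BAT file's name is not given in this excerpt, so it is not matched.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Staging names from the table above (the page's own file names).
STAGED_NAMES = {"hwp_doc.db", "app.db", "mnfst.db", "mnfst_1.db", "sch_0304.db"}


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def triage_dir(directory):
    """Check one directory (non-recursive) for the drop pattern in the table."""
    entries = {p.name.lower(): p for p in Path(directory).iterdir() if p.is_file()}
    by_hash = defaultdict(list)
    paired = []
    for name, path in entries.items():
        # An EXE with an external manifest beside it: the 0304.exe / 0304.exe.manifest shape.
        if name.endswith(".exe") and name + ".manifest" in entries:
            paired.append(name)
            by_hash[sha256_of(path)].append(name)
    return {
        "staged": sorted(n for n in entries if n in STAGED_NAMES),
        "exe_with_manifest": sorted(paired),
        # Same binary under several names, each with its own manifest (app.db row).
        "same_binary_groups": sorted(sorted(v) for v in by_hash.values() if len(v) > 1),
    }


def make_constructed_sample(directory):
    """Write constructed placeholder files (dummy bytes, not the real samples)."""
    d = Path(directory)
    for name in ("app.db", "0304.exe", "0304_1.exe"):
        (d / name).write_bytes(b"MZ constructed placeholder")
    for name in ("0304.exe.manifest", "0304_1.exe.manifest", "sch_0304.db"):
        (d / name).write_text("<constructed/>")
    (d / "unrelated.exe").write_bytes(b"MZ unrelated, no manifest")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_constructed_sample(d)
        print(triage_dir(d))
```

To check a live host, call `triage_dir` on the user's TEMP directory; an EXE with an external manifest is not malicious by itself, so treat a hit as a lead to review alongside the staging names.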