{
	"id": "60f90222-6610-4e54-82d5-df19b0144ee8",
	"created_at": "2026-04-06T00:09:19.532084Z",
	"updated_at": "2026-04-10T03:20:05.891069Z",
	"deleted_at": null,
	"sha1_hash": "7798b2f41352f3e810ae52a6c48b8f5ba8a81021",
	"title": "Korean MalDoc Drops Evil New Years Presents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 482425,
	"plain_text": "Korean MalDoc Drops Evil New Years Presents\r\nBy Paul Rascagneres\r\nPublished: 2017-02-23 · Archived: 2026-04-05 16:53:07 UTC\r\nThursday, February 23, 2017 10:00\r\nThis blog was authored by Warren Mercer and Paul Rascagneres.\r\nThe malicious document in question is written in Korean with the following title:\r\n5170101-17년_북한_신년사_분석.hwp (translation: 5170101-17 __ North Korea _ New Year _ analysis\r\n.hwp)\r\nThis document was alleged to be written by the Korean Ministry of Unification and included their logo as a footer\r\non the document.\r\nAn interesting twist also came within the analysed malicious document as it attempts to download a file from an\r\nofficial Korean government website: kgls.or.kr (Korean Government Legal Service). The file downloaded is a\r\nbinary masquerading as a jpeg file that is later executed as part of the infection. It's likely that the website was\r\ncompromised by the attackers to try and legitimise the HTTP GET attempts for the final payload, this traffic\r\nwould potentially not have looked unfamiliar for any system administrators.\r\nThe attackers' infrastructure appeared to be up for a few days at a time with no observed infrastructure re-use\r\noccurring. Unfortunately, the compromised sites were all either cleaned or removed by the attackers and Talos\r\nwere unable to obtain the final payload. This level of operational security is common for sophisticated attackers.\r\nDue to these elements it's likely that this loader has been designed by a well-funded group in order to target public\r\nsector entities in South Korea. Many of these techniques fit the profile of campaigns previously associated with\r\nattacks by certain government groups.\r\nInfection Vector: Hangul Word Processor\r\nThe infection vector identified by Talos is a HWP file. 
This is a fairly unusual\r\nchoice as this software is rarely used outside of Korea, but it is known to be widely\r\nused within Korea, including use by the South Korean government. As a regional\r\nfile format, many security devices are not equipped to process HWP files. This can\r\nallow an attacker a vector with a much lower risk of detection by any security\r\nscanning devices.\r\nHere is a screenshot of the opened document:\r\nhttp://blog.talosintelligence.com/2017/02/korean-maldoc.html\r\nPage 1 of 8\n\nThe title of the document is \"Analysis of \"Northern New Year\" in 2017\". The logo at the bottom of the document\r\nis the logo of the Ministry of Unification. This ministry is working towards the reunification of North \u0026 South\r\nKorea. The document describes information linked to the North Korean celebration of New Year.\r\nAt the end of the document are 2 links to additional documents. The malicious document mentions that users\r\nshould double click in order to access these documents. Document1 is identified as \"Comparison of Major\r\nTasks in '16 \u0026 '17\" and the Document2 linked is identified as \"Comparison between '16 \u0026 '17\"\r\nThe links point to 2 OLE objects embedded in the document (BIN0003.OLE and BIN004.OLE):\r\nOnce decompressed (zlib), we identified two PE32 files embedded within the 2 OLE files. If the targeted user\r\ndouble clicks on one of the links, a PE32 file is dropped and executed.\r\nDuring our analysis, the 2 dropped binaries were found and executed in these locations:\r\nC:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Hwp (2).exe\r\nC:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Hwp (3).exe\r\nWe can identify a JavaScript object in the\r\ndocument. 
This one does not contain malicious content; it is an object included by default.\r\nHere is the execution of the HWP file in Cisco AMP Threat Grid:\r\nDropped files\r\nThe compilation path of the binaries was not removed, which allows us to\r\ndetermine the working space and environment used for this attack.\r\ne:\\Happy\\Work\\Source\\version 12\\T+M\\Result\\DocPrint.pdb\r\nThe two dropped malware files have different hashes, but their purpose is the same:\r\nOpen a HWP document (to respond to the double click in the previous document)\r\nDownload a payload from a compromised host/C2.\r\nThe opened document is embedded in the PE (in a resource named 'DOC'):\r\nLike the previous document, this one speaks of the relation between North Korea and South Korea, and is\r\nseemingly written by a native Korean speaker due to the specific language used.\r\nThe second stage of the binary executes wscript.exe and injects shellcode into the process. The shellcode is\r\nembedded in a resource called 'BIN'. The purpose of this shellcode is to unpack a second PE32 in the legitimate\r\nwscript.exe process and execute it. The injection is performed with the classic\r\nVirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread() APIs.\r\nThe unpacked binary is used to collect information on the infected system, and to attempt to communicate with\r\nthe C2 in order to download the final payload. The information collected was:\r\nThe computer name\r\nThe username\r\nThe execution path of the sample\r\nThe BIOS model, obtained by analysing the\r\nHKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData registry key. 
This information\r\nallows the attackers to identify virtual machines (on VirtualBox the model is \"innotek GmbH VirtualBox\")\r\nAn ID randomly generated to identify the system\r\nThis information could be used as a reconnaissance phase to determine if there was a suitable platform to\r\ndeliver the final payload and to avoid sending the final payload to sandbox systems.\r\nThe analysed sample performed network connections to these 2 URLs in this order:\r\nwww.kgls.or.kr/news2/news_dir/index.php (where the collected information is sent)\r\nwww.kgls.or.kr/news2/news_dir/02BC6B26_put.jpg\r\nThe beginning of the jpg document (02BC6B26) is the ID previously generated. We think that the jpg file\r\nis automatically generated by the index.php file if the collected data is relevant. The content of the jpg file\r\nis saved in a file called 'officepatch.exe'. Finally, this new file is executed and the unpacked executable\r\nterminates itself.\r\nThe website kgls.or.kr is the website of the Korean Government Legal Service. Talos can only assume that this\r\nwebsite was compromised in order to deliver the final stage malware, the jpg file. All the infrastructure was down\r\nduring our analysis, which meant we were unable to analyse the payload directly.\r\nThe collected binaries were compiled between 22:43:05 UTC and 4:55:18 UTC (the 3 files at 22:00:00 are the\r\nbinaries dropped by the HWP document and the other files are the unpacked payload) - timestamp artifacts can\r\nbe easily faked and can be deployed as a false flag mechanism to make the researcher believe the compiled code\r\ncame from a certain time zone - this should not be trusted as an indicator of where the attack or attacker\r\noriginated from.\r\nCommand \u0026 Control infrastructure\r\nDuring our investigation we were able to identify additional Command and\r\nControl infrastructure used by this actor. 
The four C2s were based in the following\r\ncountries:\r\n3 C2s in South Korea\r\n1 C2 in the Netherlands\r\nHere is a global map of the identified infrastructure:\r\nColour Key:\r\nRed: the '_put.jpg' binary (final payload)\r\nOrange: C2 infrastructure used by the attackers\r\nYellow: the unpacked samples that perform the connection to download the final malware (the green\r\nbubbles share 90% similar code)\r\nGreen: the executable dropped by the HWP document (the orange bubbles share 90% similar code)\r\nBlue: the HWP document\r\nConclusion\r\nThis actor appears to have made intentional decisions to limit the attack surface by\r\nusing Hangul. This allowed them to evade some security devices as this format is\r\nnot frequently processed.\r\nThe infection process was a MalDoc with multiple droppers (identical in their execution) and then C2\r\ncommunication to obtain the final payload. The use of decoy documents is very common and shows that the\r\nattacker wanted to use a social engineering / enticement aspect to encourage the users to open the file.\r\nThis campaign was clearly targeted at a specific group of users; this rings true with the use of such a specific file\r\nformat. Steps were clearly taken to limit the ability of security products to detect the threat, as well as adherence\r\nto a strict timeline to prevent the malicious files from being discovered. The attackers were careful to remove their\r\nmalicious payloads and not re-use their infrastructure.\r\nWe believe this is a targeted attack aimed at South Korean users in the public sector conducted by a sophisticated\r\nthreat actor with access to native Korean speakers. 
Attacks on these individuals may be an attempt to gain a\r\nfoothold into assets which can be deemed extremely valuable.\r\nIOC\r\nHWP File:\r\n5170101-17년_북한_신년사_분석.hwp:\r\n281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919\r\nDropped files:\r\n95192de1f3239d5c0a7075627cf9845c91fd397796383185f61dde893989c08a\r\n7ebc9a1fd93525fc42277efbccecf5a0470a0affbc4cf6c3934933c4c1959eb1\r\n6c372f29615ce8ae2cdf257e9f2617870c74b321651e9219ea16847467f51c9f\r\n19e4c45c0cd992564532b89a4dc1f35c769133167dc20e40b2a41fccb881277b\r\n3a0fc4cc145eafe20129e9c53aac424e429597a58682605128b3656c3ab0a409\r\n7d8008028488edd26e665a3d4f70576cc02c237fffe5b8493842def528d6a1d8\r\nUnpack related samples:\r\n7e810cb159fab5baccee7e72708d97433d92ef6d3ef7d8b6926c2df481ccac2f\r\n21b098d721ea88bf237c08cdb5c619aa435046d9143bd4a2c4ec463dcf275cbe\r\n761454dafba7e191587735c0dc5c6c8ab5b1fb87a0fa44bd046e8495a27850c7\r\n3d442c4457cf921b7a335c0d7276bea9472976dc31af94ea0e604e466596b4e8\r\n930fce7272ede29833abbfb5df4e32eee9f15443542434d7a8363f7a7b2d1f00\r\n4b20883386665bd205ac50f34f7b6293747fd720d602e2bb3c270837a21291b4\r\nf080f019073654acbe6b7ab735d3fd21f8942352895890d7e8b27fa488887d08\r\nNetwork:\r\nwww.imuz.com/admin/data/bbs/review2/board/index.php\r\nwww.imuz.com/admin/data/bbs/review2/board/123.php\r\nwww.imuz.com/admin/data/bbs/review2/board/02BC6B26_put.jpg (where 02BC6B26 is randomly generated)\r\nwww.wildrush.co.kr/bbs/data/image/work/webproxy.php\r\nwww.wildrush.co.kr/bbs/data/image/work/02BC6B26_put.jpg (where 02BC6B26 is randomly generated)\r\nwww.belasting-telefoon.nl//images/banners/temp/index.php\r\nwww.belasting-telefoon.nl//images/banners/temp/02BC6B26_put.jpg (where 02BC6B26 is randomly generated)\r\nwww.kgls.or.kr/news2/news_dir/index.php\r\nwww.kgls.or.kr/news2/news_dir/02BC6B26_put.jpg (where 02BC6B26 is randomly generated)\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are 
listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity\r\nby threat actors.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella prevents DNS resolution of the domains associated with malicious activity.\r\nSource: http://blog.talosintelligence.com/2017/02/korean-maldoc.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.talosintelligence.com/2017/02/korean-maldoc.html"
	],
	"report_names": [
		"korean-maldoc.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434159,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7798b2f41352f3e810ae52a6c48b8f5ba8a81021.pdf",
		"text": "https://archive.orkl.eu/7798b2f41352f3e810ae52a6c48b8f5ba8a81021.txt",
		"img": "https://archive.orkl.eu/7798b2f41352f3e810ae52a6c48b8f5ba8a81021.jpg"
	}
}