The ASEC analysis team has discovered a malicious HWP file, a type of malware that had not been distributed for some time. The HWP file last covered in a post in April had a malicious link object inserted in it, and this is the first time this year that a file with malicious EPS inserted has been found. The file has also been uploaded to VirusTotal, and since its filenames are ‘test.hwp’ and ‘123.hwp’, it is possible that the file was created for testing.
Notably, the same malicious RTF and internal shellcode described in the recent blog post ‘RTF Malware Disguised as a Cover Letter for a Particular Airline’ were used. The malicious URL that this shellcode attempted to connect to is the same one used by the malicious HWP file from 2019, as stated in the previous blog post.