Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 01f6095621f30dac…

MALICIOUS

Office (OLE) / .DOC

216.3 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: 3239d9bfe70c6fcad083656a315fe882 SHA-1: 81ce255841f0b38ec19f5a1d336c279ed49fc6fb SHA-256: 01f6095621f30dac1555e50612be6a9dc62eb4b6cbb58d0f7b793a827c80b12b
300 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document exhibiting critical heuristics for an embedded executable payload (OLE_EMBEDDED_EXE) and exploitation of CVE-2006-6456. The presence of VirtualAlloc and LoadLibrary API references, along with a large slack space and appended payload, strongly indicates that the document is designed to drop and execute a secondary malicious file. The embedded executable is the primary IOC.

Heuristics 7

  • CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 221,444 bytes but its declared streams total only 94,801 bytes — 126,643 bytes (57%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001c800.exe
a89bff6b7db2a8f151c537bfdc56744f31da15af1c939f21552e1581ec447017		 embedded-pe Office MZ+PE at offset 0x1C800 104708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.