Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0e66fda8144d4183…

Verdict: MALICIOUS
File type: Office (OLE) / .DOC
Size: 148.0 KB
MD5: 1ce0a1389d7741b2b9a32dc4bd3b0e0e
SHA-1: 66cb419bed66c1215b42ef6c57d49504ecf1b61f
SHA-256: 0e66fda8144d4183a71aac250739e995820806c2dbaa0e57a073db95290ec0e7
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample exploits CVE-2006-6456, a vulnerability in Microsoft Word's handling of malformed tables, to achieve code execution. A suspicious invocation of cmd.exe was also detected, suggesting the exploitation leads to command execution, likely to download and run a secondary payload.

Heuristics (3)

  • CVE-2006-6456 — Microsoft Word malformed table SPRM (critical · CVE · exact · CVE_2006_6456)
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • PEB access via FS segment (x86) (high · SC_PEB_ACCESS)
  • Suspicious cmd.exe invocation with execution flag (high · SC_STR_CMD)