Office (OLE) / .DOC malware analysis — malicious · 3240ca288008d732

MALICIOUS

Office (OLE) / .DOC

279.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 373c32017dad49e53452e6b276f2ba2f SHA-1: d75bbf892c49d8aa30356477cb4eb439f45ce1b4 SHA-256: 3240ca288008d7327524d203607f29bb560791d0ad047e53cbd76e0c9e493425

364 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell

The sample is a malicious Microsoft Word document exploiting CVE-2006-6456, a malformed table vulnerability. It contains an embedded PE executable, indicating it functions as a dropper. The presence of NOP sleds, PEB access, and CreateProcess API calls further suggest malicious execution. Although VBA macros could not be extracted, the embedded executable is the primary payload delivery mechanism.

Heuristics 10

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Win.Dropper.Agent-53302 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Dropper.Agent-53302
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 285,696 bytes but its declared streams total only 94,695 bytes — 191,001 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://en.wikipedia.org/wiki/Constitution_of_the_People%27s_Republic_of_China
- http://en.wikipedia.org/wiki/Freedom_of_speech
- http://en.wikipedia.org/wiki/Freedom_of_the_press
- http://en.wikipedia.org/wiki/Right_to_a_fair_trial
- http://en.wikipedia.org/wiki/Freedom_of_religion
- http://en.wikipedia.org/wiki/Universal_suffrage
- http://en.wikipedia.org/wiki/Property
- http://en.wikipedia.org/wiki/Reporters_Without_Borders
- http://en.wikipedia.org/wiki/He_Qinglian
- http://en.wikipedia.org/wiki/Internet
- http://en.wikipedia.org/wiki/Capital_punishment

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00037e00.exe` `7aa3154454e84cb6b4c44f94c790e9817251b39e7ab3debea12ec4370f5b5a42`	embedded-pe	Office MZ+PE at offset 0x37E00	56832 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.