Office (OLE) / .DOC malware analysis — malicious · 71918d86246310be

MALICIOUS

Office (OLE) / .DOC

141.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 19436feb5dcb4b0fce4ebe95dadee258 SHA-1: 2d9ad996fdffd222ec0d54b20ae5a280d186c76a SHA-256: 71918d86246310bedcee326709a740cffab2d89a442608ea9e8a1b74b62b4d00

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that exploits CVE-2006-6456, a vulnerability related to malformed table SPRMs. This exploit allows for arbitrary code execution, likely to download and run a secondary payload. The presence of VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress API calls further supports the execution of shellcode or injected code.

Heuristics 5

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.