Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 75d194f36b445836…

MALICIOUS

Office (OLE)

199.2 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: e212b0cbe45259c166a125f473ce90a9 SHA-1: 2da82e3ecd3b5182c72caacd0fd8b7752a4343c6 SHA-256: 75d194f36b445836705a03ee580614dced635ca5c3d56beaaf15d314ccc2a47e
184 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that contains a malformed table structure, triggering CVE-2006-6456, which is known to lead to arbitrary code execution. The document also contains numerous embedded URLs, some of which are associated with Tibetan advocacy groups, suggesting a potential lure. No scripts were extracted from this sample, and the document body consists of unreadable characters, preventing a more specific analysis of the lure.

Heuristics 7

  • CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 203,988 bytes but its declared streams total only 94,801 bytes — 109,187 bytes (54%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Package object class high RTF_OBJCLASS_PACKAGE
    OLE Package object — can wrap arbitrary files
  • OLE object data medium RTF_OBJDATA
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.tibetnetwork.org/hhdl75birthdayaction
    • http://www.dalailama75.org
    • http://org2.democracyinaction.org/o/5380/p/dia/action/public/?action_KEY=3434.\par
    • http://ihearttibet.org/i-love-the-dalai-lama
    • http://org2.democracyinaction.org/o/5380/p/dia/action/public/?action_KEY=3440
    • http://www.highpeakspureearth.com/2010/03/torture-without-trace-five-songs-by.html\par
    • http://ihearttibet.org/birthdaymessages.\par
    • http://www.tibetnetwork.org/resources-losar2137
    • http://org2.democracyinaction.org/o/5380/p/dia/action/public/?action_KEY=3434
    • http://www.highpeakspureearth.com/2010/03/torture-without-trace-five-songs-by.html
    • http://ihearttibet.org/birthdaymessages
    • http://vimeo.com/12641516
    • http://www.youtube.com/watch?v=9Tt_L2EeG_Q\par
    • http://vimeo.com/12579487
    • http://www.youtube.com/watch?v=DoPXhzGGpJQ\par
    • http://vimeo.com/12667464
    • http://www.youtube.com/watch?v=5HSxJOg7Ypg\par
    • http://vimeo.com/12644191
    • http://www.youtube.com/watch?v=CykzuUjwBdo\par
    • http://vimeo.com/12669706
    • http://www.youtube.com/watch?v=l4BILBwsRY8\par
    • http://vimeo.com/12645147
    • http://www.youtube.com/watch?v=xfuLpfUDm3U\par
    • http://vimeo.com/12672639
    • http://www.youtube.com/watch?v=KzbXtJPXGD4\par
    • http://www.youtube.com/watch?v=9Tt_L2EeG_Q
    • http://www.youtube.com/watch?v=DoPXhzGGpJQ
    • http://www.youtube.com/watch?v=5HSxJOg7Ypg
    • http://www.youtube.com/watch?v=CykzuUjwBdo
    • http://www.youtube.com/watch?v=l4BILBwsRY8
    • http://www.youtube.com/watch?v=xfuLpfUDm3U
    • http://www.youtube.com/watch?v=KzbXtJPXGD4

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00027bfd.bin
95d53caa26f19dc16305d1cb835f60dd0ef2f3ec32d550b9dfe8e193a2489802		 rtf-objdata-decoded RTF \objdata at offset 0x27BFD 19771 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.87, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.