Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 769c229e1296eb0a…

MALICIOUS

Office (OLE) / .DOC

Size: 392.8 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: daab916bae1e049134e175514968ded3
SHA-1: 6b5451f47ea2db5c3e9232c1e164267f46af5c6f
SHA-256: 769c229e1296eb0a6f66974b78f554566e4de9b0632f39e67af36588a451cdfc
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The critical heuristic firing for CVE-2006-6456 indicates that this Microsoft Word document exploits a known vulnerability. The presence of CreateProcess and ShellExecute API references suggests that the exploit is likely used to launch a secondary payload. The large slack space in the OLE structure is also a common characteristic of weaponized documents.

Heuristics (5)

  • CVE-2006-6456 — Microsoft Word malformed table SPRM [severity: critical; type: CVE exact; id: CVE_2006_6456]
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • Reference to CreateProcess API [severity: high; id: SC_STR_CREATEPROCESS]
  • Reference to ShellExecute API [severity: high; id: SC_STR_SHELLEXEC]
  • OLE document has large unaccounted-for region [severity: high; id: OLE_SLACK_ANOMALY]
    OLE file is 402,262 bytes but its declared streams total only 94,801 bytes — 307,461 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • NOP-equivalent sled detected [severity: medium; id: SC_NOP_EQUIV_SLED]
    Long run of 0x43 bytes