MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious File
T1204.002 Malicious File: User Execution
T1059 Command and Scripting Interpreter
T1059.001 Command and Scripting Interpreter: PowerShell
The sample is a Microsoft Word document that exploits CVE-2006-6456, a critical vulnerability related to malformed table SPRMs. The presence of a 'wc.exe' string suggests the potential execution of a Windows command, likely as part of the exploit chain. The XOR-encoded strings and the large slack space are indicative of obfuscation techniques commonly used by malware.
Heuristics 6
-
CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
-
XOR-encoded strings (key 0xC4) critical SC_XOR_ENCODEDFound 5 Windows library/API name(s) XOR-encoded with single-byte key 0xC4: 'msvcrt.dll�', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA'
-
ClamAV: Win.Exploit.MSWord-7 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Exploit.MSWord-7
-
x86 GetPC stub (CALL $+5; POP EBX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EBX)
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 227,138 bytes but its declared streams total only 94,801 bytes — 132,337 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
x86 push-string-call medium SC_PUSH_STRINGShellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack
Open this report in the interactive analyzer, or submit your own file for analysis.