Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a698e972d9c7a155…

MALICIOUS

Office (OLE) / .DOC

Size: 134.8 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: cadc19b35e517c64841e7dab9082a65a
SHA-1: 8320387b72d0d8d437b251fef07a2e8c26e57990
SHA-256: a698e972d9c7a155e16c73f4a5a36e709a716e2a7180d1dc0a84f7f16788de26
Risk Score: 464

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer
  • T1055 Process Injection

The sample is a malicious Microsoft Word document exploiting CVE-2006-6456, a vulnerability related to malformed table SPRM data. It contains an embedded PE executable, indicating it's designed to drop and run a secondary payload. The heuristics suggest the use of API hashing and process manipulation techniques, common in malware delivery. Although VBA macros could not be extracted, the presence of the embedded executable and the exploit vulnerability strongly indicate a malicious dropper.

Heuristics 11

  • CVE-2006-6456 — Microsoft Word malformed table SPRM (critical; CVE exact; CVE_2006_6456)
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • Embedded PE executable (critical; OLE_EMBEDDED_EXE)
    MZ/PE header found inside document; possible embedded executable.
  • ClamAV: Win.Trojan.Small-9280 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Small-9280
  • x86 GetPC stub (CALL $+5; POP EAX) (high; SC_GETPC_CALL)
  • PEB access via FS segment (x86) (high; SC_PEB_ACCESS)
  • PEB API-hash resolver (high; SC_API_HASH_RESOLVER)
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver.
  • Reference to CreateProcess API (high; SC_STR_CREATEPROCESS)
  • Reference to ShellExecute API (high; SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (high; SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS)
  • Unsupported Office format for VBA extraction (info; OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. The file is likely a legacy, encrypted, or malformed OLE/OOXML container, so re-scanning the same bytes will yield the same outcome.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: embedded_office_00019ea0.exe
SHA-256: bac9d59a3c3d3f5984af91f6c9cd7bb21c63aafe21e800f1408f541c145084ed
Kind: embedded-pe
Source: Office MZ+PE at offset 0x19EA0
Size: 31844 bytes