Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b1521afe183a487e…

MALICIOUS

Office (OLE) / .DOC

172.5 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: bd388edad18aec68d525ea80b776b820 SHA-1: 14cc2b685bf390ad1736c339c2100ff121695435 SHA-256: b1521afe183a487e37bafebc80eceacc11a992de2ceb3ebc30301a9520273962
446 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.005 Visual Basic T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is a Microsoft Word document that exploits CVE-2006-6456, a vulnerability related to malformed table SPRMs. It contains an embedded PE executable, identified as Win.Spyware.38063-2 by ClamAV. The presence of shellcode-like resolvers and API calls such as VirtualProtect, LoadLibrary, and GetProcAddress indicate the embedded executable is designed to load and execute further malicious code. The document body content is nonsensical and does not provide further clues.

Heuristics 12

  • CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Spyware.38063-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Spyware.38063-2
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 176,640 bytes but its declared streams total only 94,695 bytes — 81,945 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001d400.exe
3a8fe986b04449201782bface6c70ccdf9d24cc99f976a4d8c3861415c131bfb		 embedded-pe Office MZ+PE at offset 0x1D400 56832 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.73, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.