Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b825cbe5391b3da7…

MALICIOUS

Office (OLE) / .DOC

167.8 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: df00211182c4eb821c98f003f40685b5 SHA-1: 457a7d00069869ba3a369d82a1b57637019dbb0e SHA-256: b825cbe5391b3da7d75686f8354381eff9e09595214a22d4b3f878103a034c0e
260 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious File Execution T1204.002 Malicious File Execution: Malicious File T1059 Command and Scripting Interpreter T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is a Microsoft Word document that exploits CVE-2006-6456, a vulnerability related to malformed table SPRMs. This exploit is used to execute an embedded Portable Executable (PE) file. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls within the document's code suggests the embedded executable is likely a loader or dropper designed to perform further malicious actions, such as downloading and executing additional payloads.

Heuristics 6

  • CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 171,780 bytes but its declared streams total only 94,801 bytes — 76,979 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001c600.exe
80fc3910cfa179fe452e0a29915967da466505fe62c732d3cbf0386e5a0d63b8		 embedded-pe Office MZ+PE at offset 0x1C600 55556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.