Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 bf51983e7a12c30c…

MALICIOUS

Office (OLE) / .DOC

176.7 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: ce7cf933806c482feed7c3903f5b7ad9 SHA-1: 484b85132203a57aa63c63d2f1a23324d9abe240 SHA-256: bf51983e7a12c30c7b96e1bd92b2b7dcad83e3a260ec963bc61a5860787d6968
342 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a Microsoft Word document that exploits CVE-2006-6456, a vulnerability related to malformed tables. Heuristics indicate the presence of code designed to resolve API functions like LoadLibrary and GetProcAddress, suggesting the execution of a secondary payload. The document body contains heavily obfuscated and unreadable content, further supporting the malicious intent. No VBA macros were extractable, but the core exploit mechanism is clear.

Heuristics 9

  • CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 180,964 bytes but its declared streams total only 94,801 bytes — 86,163 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.