Win.Dropper.Agent-62260 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 c1d6496db162a935…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC
Size: 170.5 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0 (Word 2000)
MD5: 2b9738463ed545f2a7a75ccbba83602a
SHA-1: 5123abcd8146f38bbe129640f6a5491d09683180
SHA-256: c1d6496db162a935c0d751a1db85ecf138355649f5ad0cdba65676e3ac014519
Risk score: 404

Malware Insights

Win.Dropper.Agent-62260 · confidence 95%

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.001 Malicious Link
  • T1059.005 Visual Basic

This OLE document carries an exploit for CVE-2006-6456, a memory-corruption vulnerability in the way Microsoft Word 2000/2002/2003 parse malformed table property (SPRM) data. The file also contains raw shellcode and an embedded PE executable, so it functions as a dropper: for this class of sample the shellcode reached through the parser bug typically writes the embedded executable to disk and launches it, and the CreateProcess and VirtualAlloc references found in the file are consistent with that. The ClamAV detection name Win.Dropper.Agent-62260 supports this assessment. The document body is heavily obfuscated and gives no direct clue to the lure. No macro or script content was recovered (VBA extraction failed, see OFFICE_FORMAT_UNSUPPORTED), so the PowerShell, Windows Command Shell, Visual Basic and Malicious Link techniques listed above rest on the family classification rather than on content extracted from this sample.

Heuristics (10)

  • CVE-2006-6456 — Microsoft Word malformed table SPRM [critical · CVE match: exact · CVE_2006_6456]
    The WordDocument stream contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid cluster of table SPRMs is followed by an invalid SPRM with high byte 0xFF where Word expects a normal sprmTBrc*Cv record. The vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • Embedded PE executable [critical · OLE_EMBEDDED_EXE]
    MZ/PE header found inside the document, indicating an embedded executable (carved as the artifact listed below).
  • ClamAV: Win.Dropper.Agent-62260 [critical · CLAMAV_DETECTION]
    ClamAV signature match: Win.Dropper.Agent-62260.
  • NOP sled detected [high · SC_NOP_SLED]
    Found a run of 20 or more consecutive 0x90 (NOP) bytes, the padding placed in front of shellcode so that an imprecise jump still lands on it.
  • PEB access via FS segment (x86) [high · SC_PEB_ACCESS]
    Found an x86 instruction sequence that reads fs:[0x30], the TEB field holding the PEB pointer; position-independent shellcode starts its API-resolver walk (PEB → Ldr → loaded-module list) from this address.
  • Reference to CreateProcess API [high · SC_STR_CREATEPROCESS]
    The string "CreateProcess" appears in the file; shellcode that drops and launches an executable typically resolves this export by name.
  • OLE document has large unaccounted-for region [high · OLE_SLACK_ANOMALY]
    OLE file is 174,592 bytes but its declared streams total only 94,695 bytes: 79,897 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file contains raw shellcode-like resolver payload [high · OLE_RAW_SHELLCODE_PAYLOAD]
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not by itself identify a specific parser CVE.
  • Reference to VirtualAlloc API [medium · SC_STR_VIRTUALALLOC]
    The string "VirtualAlloc" appears in the file; shellcode commonly uses it to allocate executable memory for a decoded second stage.
  • Unsupported Office format for VBA extraction [info · OFFICE_FORMAT_UNSUPPORTED]
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. The file is likely legacy, encrypted or malformed OLE/OOXML, so re-scanning the same bytes will yield the same outcome.
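
The OLE_SLACK_ANOMALY figure above is "file size minus the bytes the directory's stream entries declare". The Python below reproduces that measure with the standard library only and also counts the sectors the FAT really leaves unallocated, which is the stricter notion of slack. It is an added example, not code from the report's analysis pipeline; it runs against a small CFB container built in the same block (the 'WordDocument' stream name, the 1,000-byte stream and the 2,048 trailing bytes are constructed test data and do not describe this sample's layout).

```python
import struct

# CFB/OLE2 constants (MS-CFB). The container built below is a hand-made fixture for
# this example; nothing in it is taken from the analysed document.
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF


def ole_slack_report(data: bytes) -> dict:
    """Compare bytes declared by stream directory entries with the file size, and count
    sectors the FAT leaves unallocated. Only the 109 FAT sectors reachable from the header
    DIFAT are read (enough for files up to about 7 MB at 512-byte sectors)."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB container")
    major = struct.unpack_from("<H", data, 26)[0]
    sec = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)
    fat = []
    for s in difat[:n_fat]:
        if s == FREESECT or (s + 2) * sec > len(data):      # malformed header: skip bad sectors
            continue
        fat.extend(struct.unpack_from(f"<{sec // 4}I", data, (s + 1) * sec))
    # Walk the directory chain; each stream entry (type 2) declares its own byte length.
    streams, declared, s, seen = [], 0, first_dir, set()
    while s not in (ENDOFCHAIN, FREESECT) and s < len(fat) and s not in seen:
        seen.add(s)
        base = (s + 1) * sec
        for i in range(sec // 128):
            e = data[base + i * 128: base + (i + 1) * 128]
            if len(e) < 128 or e[66] != 2:
                continue
            nlen = struct.unpack_from("<H", e, 64)[0]            # bytes incl. UTF-16 terminator
            name = e[:max(nlen - 2, 0)].decode("utf-16-le", "replace")
            size = struct.unpack_from("<Q", e, 120)[0]
            if major == 3:                                        # v3 files only use the low dword
                size &= 0xFFFFFFFF
            streams.append((name, size))
            declared += size
        s = fat[s]
    n_sectors = -(-(len(data) - sec) // sec)                     # sectors after the header
    free = sum(1 for i in range(n_sectors) if i >= len(fat) or fat[i] == FREESECT)
    unaccounted = len(data) - declared
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "unaccounted_bytes": unaccounted,                         # the OLE_SLACK_ANOMALY measure
        "unaccounted_pct": round(100 * unaccounted / len(data), 1),
        "free_sector_bytes": free * sec,                          # sectors no FAT chain owns
        "streams": streams,
    }


def _dir_entry(name: str, otype: int, child: int, start: int, size: int) -> bytes:
    e = bytearray(128)
    nm = (name + "\0").encode("utf-16-le")
    e[:len(nm)] = nm
    struct.pack_into("<HBB", e, 64, len(nm), otype, 1)
    struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 116, start, size)
    return bytes(e)


def build_sample_ole(stream_data: bytes, trailing: bytes) -> bytes:
    """Constructed fixture: header, one FAT sector, one directory sector with a single
    'WordDocument' stream, that stream's sectors, then `trailing` bytes no stream claims."""
    sec = 512
    n_data = -(-len(stream_data) // sec)
    fat = [FATSECT, ENDOFCHAIN]                                   # sector 0 = FAT, 1 = directory
    fat += [3 + i for i in range(n_data - 1)] + [ENDOFCHAIN]      # chain covering sectors 2..
    fat += [FREESECT] * (sec // 4 - len(fat))
    hdr = bytearray(sec)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)    # versions, byte order, shifts
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)      # DIFAT: the FAT is sector 0
    directory = (_dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + _dir_entry("WordDocument", 2, NOSTREAM, 2, len(stream_data))).ljust(sec, b"\x00")
    return (bytes(hdr) + struct.pack(f"<{sec // 4}I", *fat) + directory
            + stream_data.ljust(n_data * sec, b"\x00") + trailing)


if __name__ == "__main__":
    doc = build_sample_ole(b"\x01" * 1000, b"\xAA" * 2048)
    for key, value in ole_slack_report(doc).items():
        print(f"{key}: {value}")
```

Note that header, FAT and directory sectors and the tail padding of each stream are always "unaccounted" by the file-size-minus-streams measure, so a clean document never scores 0 on it; the free-sector count is the figure to look at before deciding whether a region is worth carving.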

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0001d000.exe
SHA-256: 6f968ed45c1829eb493ed55fb58e67737b0102c7f2a149ce75f423f3c3194288
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x1D000
Size: 55,808 bytes

Offset 0x1D000 (118,784) plus 55,808 bytes is 174,592, the file size, so the carved executable occupies the last 55,808 bytes of the document.
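
To show how the byte-level rules above (SC_NOP_SLED, SC_PEB_ACCESS, SC_STR_CREATEPROCESS, SC_STR_VIRTUALALLOC) and the embedded-PE carve behind this artifact can be reproduced, here is an added Python scanner. It is not the report's own tooling; it runs on a buffer constructed inside the block (a lure string, a 24-byte NOP sled, a hand-assembled PEB-read stub and a minimal 1,024-byte PE32 skeleton), and the fs:[0x30] instruction encodings it matches are the common mov forms, not an exhaustive list.

```python
import hashlib
import re
import struct

# Byte-level heuristics in the spirit of the SC_NOP_SLED, SC_PEB_ACCESS, SC_STR_* and
# OLE_EMBEDDED_EXE rules. The sample buffer below is constructed for this example.
NOP_SLED = re.compile(rb"\x90{20,}")
# mov r32, fs:[0x30] -> 64 A1 30 00 00 00 (eax) or 64 8B <modrm> 30 00 00 00 with mod=00, rm=101
_DISP32_MODRM = bytes(0x05 | (reg << 3) for reg in range(8))
# mov r32, fs:[r32+0x30] -> 64 8B <modrm> 30 with mod=01 and rm != 100 (rm=100 means a SIB byte)
_DISP8_MODRM = bytes(b for b in range(0x40, 0x80) if (b & 7) != 4)
PEB_ACCESS = re.compile(
    rb"\x64(?:\xA1\x30\x00\x00\x00"
    + rb"|\x8B[" + re.escape(_DISP32_MODRM) + rb"]\x30\x00\x00\x00"
    + rb"|\x8B[" + re.escape(_DISP8_MODRM) + rb"]\x30)"
)
API_STRINGS = (b"CreateProcess", b"VirtualAlloc", b"WinExec", b"LoadLibrary", b"GetProcAddress")


def find_nop_sleds(data: bytes):
    return [(m.start(), m.end() - m.start()) for m in NOP_SLED.finditer(data)]


def find_peb_access(data: bytes):
    return [m.start() for m in PEB_ACCESS.finditer(data)]


def find_api_strings(data: bytes):
    return {s.decode(): [m.start() for m in re.finditer(re.escape(s), data)]
            for s in API_STRINGS if s in data}


def carve_pe(data: bytes, mz_off: int):
    """Validate an MZ candidate and size it from its section table; None if not a PE."""
    if data[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe = mz_off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or data[pe:pe + 4] != b"PE\x00\x00" or pe + 24 > len(data):
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sec_tbl = pe + 24 + opt_size
    if not 1 <= nsec <= 96 or sec_tbl + 40 * nsec > len(data):
        return None
    end = sec_tbl + 40 * nsec                                   # at least the headers
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + 40 * i + 16)
        end = max(end, mz_off + raw_ptr + raw_size)
    blob = data[mz_off:min(end, len(data))]                      # carve what is present
    return {"offset": mz_off, "size": len(blob), "truncated": end > len(data),
            "sha256": hashlib.sha256(blob).hexdigest()}


def find_embedded_pe(data: bytes):
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        info = carve_pe(data, pos)
        if info:
            hits.append(info)
            pos = data.find(b"MZ", pos + info["size"])           # resume after the image
        else:
            pos = data.find(b"MZ", pos + 1)
    return hits


def scan(data: bytes):
    return {"nop_sleds": find_nop_sleds(data), "peb_access": find_peb_access(data),
            "api_strings": find_api_strings(data), "embedded_pe": find_embedded_pe(data)}


def build_tiny_pe() -> bytes:
    """Constructed 1,024-byte PE32 skeleton: DOS header, COFF header, zeroed optional header,
    one .text section whose raw data starts at 0x200."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sect).ljust(0x200, b"\x00") + b"\xCC" * 0x200


def build_sample():
    """Constructed carrier: lure text, NOP sled, PEB-read stub with API names, embedded PE."""
    lure = b"Quarterly contract terms attached. " * 8
    sled = b"\x90" * 24
    stub = (b"\x64\xA1\x30\x00\x00\x00"       # mov eax, fs:[0x30]         ; PEB
            b"\x8B\x40\x0C"                   # mov eax, [eax+0x0C]        ; PEB->Ldr
            b"\x33\xC0\x64\x8B\x40\x30"       # xor eax, eax ; mov eax, fs:[eax+0x30]
            b"CreateProcessA\x00VirtualAlloc\x00")
    data = lure + sled + stub + b"\x00" * 16 + build_tiny_pe() + b"\x00" * 32
    layout = {"sled": len(lure), "peb": [len(lure) + 24, len(lure) + 24 + 11],
              "pe": len(lure) + 24 + len(stub) + 16}
    return data, layout


if __name__ == "__main__":
    sample, _ = build_sample()
    print(scan(sample))
```

The carve sizes the image from the section table rather than taking everything to end of file, which is why a dropper's trailing data (or a second appended payload) does not get folded into the executable's hash; the `truncated` flag records when the section table promises more bytes than the carrier contains.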