Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 fc255c127af95df0…

MALICIOUS

Office (OLE) / .DOC

Size: 274.5 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: bb2ffe72224148e2fe857cb76200f4a9
SHA-1: fade7e5517d4a707c2593fff1da39f1a9860fd18
SHA-256: fc255c127af95df0a68d67c7f026a0891ac5e785ad15b4d26b5defaa90872b2d
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1204 User Execution

The sample is a malicious Microsoft Word document exploiting CVE-2006-6456, a vulnerability related to malformed tables. Although VBA macros could not be extracted due to format issues, the presence of numerous embedded URLs suggests a phishing or credential harvesting attempt. The document body contains heavily corrupted text, preventing a clear understanding of its lure, but the exploit and URLs indicate a high likelihood of payload delivery.

Heuristics (4)

  • CVE-2006-6456 — Microsoft Word malformed table SPRM (severity: critical; CVE match: exact; rule id: CVE_2006_6456)
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • OLE document has large unaccounted-for region (severity: high; rule id: OLE_SLACK_ANOMALY)
    OLE file is 281,088 bytes but its declared streams total only 94,801 bytes — 186,287 bytes (66%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Unsupported Office format for VBA extraction (severity: info; rule id: OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL (severity: info; rule id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.