The Sample is from http://contagiodump.blogspot.com/ Thanks Mila =)
All Files and recreated exploit code are uploaded at http://www.mediafire.com/download.php?t1ks9dexkxaku87 for analysis...
Exploit added at :::
This file exploits the vulnerability CVE-2006-2389.The Document size is 292864 bytes. There is an executable and real doc file embedded in this file.
Upon executing this file an executable is dropped which is embedded at offset 0x18200. This executable is XOR’ed with 32 bit key 0x58E5F269 and also the first 512 bytes are flipped using 16 bit byte flip operation. The size of this exe is 90112 bytes.
Additionally This dropped executable also drops an exe named “NAVPInst.exe” of size 28672 bytes
From offset 0x2e200 an genuine DOC file is embedded. Its size is 103936 bytes. The first 4 bytes of doc file which are 0xD0CF11E0 are replaced by 0xCFD0E011.
The shellcode starts from offset 0x16738 and 0x16a08 which writes the executable and the genuine doc file to the disc and executes it.