" The exploit works on office 2003. Tested on XP SP2-3. The exe is embedded at OFFSET=0x4c00 with key 0x25. The Word document attached is at offset 0x7400 with key 0x25. The shellcode in the exploit drops a binary with name "svchost.exe" and a doc file in %temp% folder. The shellcode in the xls decodes the exe and drops it. The binary and Doc are XOR'ed with key 0x25 except bytes 0x25, 0x00, 0xFF and 0xDA". to be continued..
To download samples, read full report etc follow Mila's blog::: http://contagiodump.blogspot.com/2009/12/attack-of-day-exploitmswordagentik.html