Office (OLE) / .DOC malware analysis — malicious · 0c11976092a0df31

MALICIOUS

Office (OLE) / .DOC

267.5 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 1c9942e8b7fb437fe41bb7e0df5ba8c7 SHA-1: a803230d9e6b91331f7a38a291c5f5266b2758b3 SHA-256: 0c11976092a0df317eb1a8ec793c6c04cfbc757e83ad3a0cddf9e7b1a36dd4aa

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that triggers a critical heuristic for CVE-2006-6456, indicating exploitation of a malformed table SPRM vulnerability. This vulnerability allows for arbitrary code execution within the context of Microsoft Word. No document body or script content was available for further analysis.

Heuristics 2

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 273,920 bytes but its declared streams total only 94,801 bytes — 179,119 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.