Office (OLE) / .DOC malware analysis — malicious · 17dfc3b8d3c907a1

MALICIOUS

Office (OLE) / .DOC

213.5 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 0b90d8355461e7c6abd9958f8d53ceb2 SHA-1: cee1e910fdc817433d61cf65cfdfeb79953fc8bb SHA-256: 17dfc3b8d3c907a131d6674e0943711b8b883053e7579014be67ee26b03c095f

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that exploits CVE-2006-6456, a known vulnerability in how Word handles malformed table SPRM data. This vulnerability allows for arbitrary code execution. The document body contains heavily obfuscated and unreadable content, suggesting it is not intended for user interaction but rather to trigger the exploit.

Heuristics 2

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 218,624 bytes but its declared streams total only 94,801 bytes — 123,823 bytes (57%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.