Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4c7b3fe16fe06325…

MALICIOUS

Office (OLE)

Size: 167.8 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: e029d63964cb2386ed5803f69951098a
SHA-1: bb23ad9a3faba46f15a7f9452c53c4f7e9b541f0
SHA-256: 4c7b3fe16fe06325150aae5317aae025a42a6b0975ae5e8b22898b25f2cd7611
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204.002 — User Execution: Malicious File
  • T1566.001 — Phishing: Spearphishing Attachment
  • T1203 — Exploitation for Client Execution

The file is identified as malicious due to a critical heuristic firing for CVE-2006-6456, indicating exploitation of a Microsoft Word malformed table SPRM vulnerability. This vulnerability allows for arbitrary code execution when the document is opened. The OLE slack anomaly further suggests potential obfuscation or malicious padding within the file structure.

Heuristics (2)

  • CVE-2006-6456 — Microsoft Word malformed table SPRM [critical] [CVE exact] [CVE_2006_6456]
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • OLE document has large unaccounted-for region [high] [OLE_SLACK_ANOMALY]
    The OLE file is 171,780 bytes, but its declared streams total only 94,801 bytes; the remaining 76,979 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).