Office (OLE) / .DOC malware analysis — malicious · 658651f4a5bcff54

MALICIOUS

Office (OLE) / .DOC

159.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 5b55f49ce633ddd58fa927f01e5b5aaa SHA-1: b40ebfe0c2c38c789e80e9f4006ba0d850c3d7b8 SHA-256: 658651f4a5bcff54d204992ef01fee1aca2d8e1f2182b222da77c7a9107ee788

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that triggers CVE-2006-6456, a critical vulnerability related to malformed table SPRM data. This vulnerability allows for arbitrary code execution when the document is opened. The large slack space anomaly further suggests potential obfuscation or malicious padding within the OLE structure.

Heuristics 2

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 162,816 bytes but its declared streams total only 94,801 bytes — 68,015 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.