Office (OLE) malware analysis — malicious · 6b19163783bfa297

MALICIOUS

Office (OLE)

788.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 20f91873a0899e90fc652c9b410e835f SHA-1: 1c07fb3f10d973cf309ed5d04f0bdea8ce9d021a SHA-256: 6b19163783bfa29769a8c495318db813f99d917e834fecc31825bbc5cacd8391

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing for CVE-2006-6456 indicates that this Microsoft Word document is malformed to exploit a known vulnerability. The presence of ShellExecute API reference further suggests that the exploit aims to execute arbitrary code. The large slack space in the OLE structure is also indicative of malicious packing or obfuscation techniques.

Heuristics 3

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 806,912 bytes but its declared streams total only 94,801 bytes — 712,111 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.