Office (OLE) / .TMP malware analysis — malicious · 8802c771b26e8903

MALICIOUS

Office (OLE) / .TMP

912.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: fbdb99f34988c88d82ecfc7665ce8633 SHA-1: 1ff987bc8a7cf58a35f8fbd1cf7e794401e324de SHA-256: 8802c771b26e8903a4ee63ba38692ea1b7a8cea15cf48681cd38367ee038b8e6

180 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1059.001 PowerShell

The sample is a Microsoft Word document that exploits CVE-2006-6456, a vulnerability related to malformed table SPRMs. The presence of a heap-spray pattern and a reference to the ShellExecute API indicate that the document is designed to execute arbitrary code. The large slack space anomaly further suggests malicious content is hidden within the file structure. No specific malware family could be identified.

Heuristics 4

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
Heap-spray pattern detected high SC_HEAP_SPRAY

Repeated 0x0C bytes found
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 933,888 bytes but its declared streams total only 94,801 bytes — 839,087 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.