Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c5f569b8c386f7ff…

MALICIOUS

Office (OLE) / .DOC

181.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: 1150dfa65319755518b2f07c304e101a SHA-1: f41b0f9d7735f745cfe4c12725b7c9b65c523e2f SHA-256: c5f569b8c386f7ff43fce68b5587d415ae4375cfc11cfe4c5f63cd18dda7ebf2
142 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious File Execution T1204.002 Malicious File Execution: User Execution: Malicious File T1059 Command and Scripting Interpreter T1059.001 Command and Scripting Interpreter: PowerShell

The file is a Microsoft Word document exhibiting significant anomalies, including a large slack region and an appended executable payload. Crucially, it triggers the CVE-2006-6456 heuristic, indicating exploitation of a malformed table vulnerability. No VBA macros were extractable, but the combination of OLE anomalies and the specific CVE firing strongly suggests an exploit designed to execute arbitrary code upon opening.

Heuristics 4

  • CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 185,344 bytes but its declared streams total only 94,801 bytes — 90,543 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.