Office (OLE) / .DOC malware analysis — malicious · e9bf9051c20bbd52

MALICIOUS

Office (OLE) / .DOC

220.5 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: d56638d4fe29715cef9a82c44786f083 SHA-1: b6964cdb9fc8edacd7b334d1e8bb5509bbc5fe9e SHA-256: e9bf9051c20bbd527d5d306657ae0660c5c5219da77885d89138dec2d265ff8f

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document that triggers a critical heuristic for CVE-2006-6456, indicating it exploits a malformed table structure within the document to achieve code execution. The large slack space detected also suggests potential obfuscation or embedded malicious content. No scripts were extracted, and the document body is unreadable, but the CVE exploit is sufficient to classify the attack pattern.

Heuristics 2

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 225,792 bytes but its declared streams total only 94,801 bytes — 130,991 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.