Office (OLE) / .DOC malware analysis — malicious · f9a58eb4f4bb6f24

MALICIOUS

Office (OLE) / .DOC

200.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: e5230a3b731233946388f361c0228b49 SHA-1: b66dc82cf45b224af9d2b633812fe08e82aebf9e SHA-256: f9a58eb4f4bb6f247f5897144bd7c890d57ce9f90e67c5223abb2855031aaf61

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document that triggers a critical heuristic for CVE-2006-6456, indicating it exploits a malformed table structure within the document to achieve code execution. The large slack space anomaly further suggests the presence of embedded malicious content. No document body or script content was available for further analysis, but the CVE exploit is sufficient to classify the attack pattern.

Heuristics 2

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 204,800 bytes but its declared streams total only 94,801 bytes — 109,999 bytes (54%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.