Malicious Office (OLE) / .RTF — malware analysis report

Static analysis result for SHA-256 26616808b5046d86…

MALICIOUS

Office (OLE) / .RTF

Size: 146.0 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0 (Word 2000)
MD5: dd0b01b8644370b6ee861007e08224fb
SHA-1: f4277750e05261ef891851c30181350b9b7b7f96
SHA-256: 26616808b5046d86b52f168e2b42f7be33ce98fc217ac89bc64434c4c7cb2e59
Risk score: 100

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word binary (.doc) document that exploits CVE-2006-6456, a memory corruption in Word's handling of a malformed table SPRM: when the specially crafted SPRM is processed, a vulnerable Word parser corrupts memory and can be made to execute arbitrary code. Although the file carries an .rtf extension, it is an OLE compound document containing an ObjectPool storage (the container for embedded OLE objects). Word selects its parser from the file content rather than the extension, so the .rtf name does not prevent the binary-document parser from reaching the malformed structure; the mismatch is a delivery trick. The document body is heavily obfuscated and unreadable, which suggests the file is not meant to be read by the recipient but only to be opened so that the parser processes the malformed SPRM.
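The container-level checks described above (OLE magic versus the .rtf extension, and an ObjectPool storage inside the compound file) can be reproduced with a small stand-alone parser. The example below is added here and is not the analysis engine's code: it reads the compound-file header, the FAT and the directory chain per the [MS-CFB] layout, and fires the report's OLE_OBJECTPOOL_CONTAINER_DISGUISED_RTF rule when all three conditions hold. The weaker OLE_CONTAINER_NAMED_RTF rule id is this example's own name, and build_sample_ole() constructs a minimal three-sector compound file purely as test input.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
RTF_MAGIC = b"{\\rtf"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
MAXREGSECT = 0xFFFFFFFA
ENTRY_TYPES = {1: "storage", 2: "stream", 5: "root"}


def ole_directory_entries(data):
    """List (name, type) for every in-use directory entry of a compound file.
    Only the 109 FAT sector ids stored in the header DIFAT are read, which covers
    files up to ~6.9 MB with 512-byte sectors; larger files need the DIFAT chain."""
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE compound file")
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    sector_size = 1 << sector_shift
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    header_difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for sid in header_difat[:min(num_fat, 109)]:
        off = (sid + 1) * sector_size           # sector 0 starts right after the header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    entries, sid, seen = [], first_dir, set()
    while sid <= MAXREGSECT and sid not in seen:  # follow the directory chain through the FAT
        seen.add(sid)
        off = (sid + 1) * sector_size
        for eoff in range(off, off + sector_size, 128):
            entry = data[eoff:eoff + 128]
            if len(entry) < 128:
                break
            name_len, etype = struct.unpack_from("<HB", entry, 0x40)
            if etype == 0 or name_len < 2:      # unused entry
                continue
            name = entry[:min(name_len, 64) - 2].decode("utf-16-le", "replace")
            entries.append((name, ENTRY_TYPES.get(etype, "unknown")))
        sid = fat[sid] if sid < len(fat) else ENDOFCHAIN
    return entries


def classify(filename, data):
    """Apply the container checks; returns the findings and the rule ids that fired.
    OLE_OBJECTPOOL_CONTAINER_DISGUISED_RTF is the report's rule; OLE_CONTAINER_NAMED_RTF
    (OLE file named .rtf but without an ObjectPool) is an assumed name for this example."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_ole = data.startswith(OLE_MAGIC)
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    entries = ole_directory_entries(data) if is_ole else []
    has_objectpool = ("ObjectPool", "storage") in entries
    rules = []
    if ext == "rtf" and is_ole:
        rules.append("OLE_OBJECTPOOL_CONTAINER_DISGUISED_RTF" if has_objectpool
                     else "OLE_CONTAINER_NAMED_RTF")
    return {"is_ole": is_ole, "is_rtf": is_rtf, "entries": entries, "rules": rules}


def build_sample_ole(entries):
    """Constructed test input: a three-sector compound file (header, one FAT sector,
    one directory sector) holding the given (name, type) entries with empty streams."""
    sector = 512
    hdr = bytearray(sector)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x003E, 0x0003, 0xFFFE, 9, 6)  # v3.62, LE, 512/64-byte sectors
    struct.pack_into("<III", hdr, 0x28, 0, 1, 1)      # dir sector count (0 in v3), 1 FAT sector, dir at sector 1
    struct.pack_into("<IIIIII", hdr, 0x34, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))        # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<II", FATSECT, ENDOFCHAIN) + b"\xFF" * (sector - 8)  # sector 1 ends the dir chain
    dirsec = bytearray(sector)
    for i, (name, etype) in enumerate(entries):
        off = i * 128
        raw = name.encode("utf-16-le") + b"\x00\x00"
        dirsec[off:off + len(raw)] = raw
        right = i + 1 if 0 < i < len(entries) - 1 else NOSTREAM   # non-root entries chained as siblings
        child = 1 if i == 0 and len(entries) > 1 else NOSTREAM
        struct.pack_into("<HBBIII", dirsec, off + 0x40, len(raw), etype, 1, NOSTREAM, right, child)
        struct.pack_into("<I", dirsec, off + 0x74, ENDOFCHAIN)    # empty stream: no starting sector
    return bytes(hdr) + fat + bytes(dirsec)


if __name__ == "__main__":
    sample = build_sample_ole([("Root Entry", 5), ("WordDocument", 2), ("ObjectPool", 1)])
    print(classify("invoice.rtf", sample))
```

On a real sample you would pass the file bytes straight to classify(); the same directory walk also exposes the WordDocument stream needed for the SPRM check.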

Heuristics (2)

  • CVE-2006-6456 — Microsoft Word malformed table SPRM
    Severity: critical | Match: CVE exact | Rule: CVE_2006_6456
    The WordDocument stream contains a malformed table border-colour SPRM in the CVE-2006-6456 shape: a valid cluster of table SPRMs is followed by an invalid SPRM whose high opcode byte is 0xFF where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • OLE ObjectPool in file named RTF
    Severity: high | Rule: OLE_OBJECTPOOL_CONTAINER_DISGUISED_RTF
    The file is an OLE compound document (D0 CF 11 E0 magic) carrying an .rtf extension and contains an ObjectPool storage, the container for embedded OLE objects. A disguised Word/OLE container of this kind brings the embedded-object attack surface with it.
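The table-SPRM heuristic above can be expressed as a scan over a grpprl, the property-modifier array in which Word stores table SPRMs. The example below is added here and is not the analysis engine's code: it decodes each Sprm's operand size from the spra bits as defined in [MS-DOC] 2.2.5.1 and flags a Sprm whose opcode high byte is 0xFF immediately following a table (sgc = 5) Sprm. The sample byte strings are constructed, the 0xFF41 opcode is an arbitrary invalid value chosen for the test, the sprmTBrcTopCv operand layout used (cb = 4 followed by one COLORREF) is assumed, and locating the grpprl inside the WordDocument stream (FIB, PAPX FKPs) is not shown.

```python
import struct

# Operand size by spra (top three opcode bits); spra 6 is variable length.
SPRA_SIZES = {0: 1, 1: 1, 2: 2, 3: 4, 4: 2, 5: 2, 7: 3}
SGC_TABLE = 5                       # sgc (bits 10..12) == 5 marks a table SPRM
TWO_BYTE_CB = {0xD608, 0xD606}      # sprmTDefTable / sprmTDefTable10 carry a 2-byte size
# Not handled: sprmPChgTabs (0xC615), whose cb byte of 255 has a special meaning.


def parse_grpprl(grpprl):
    """Walk a grpprl (sequence of Sprm opcode + operand) and return one dict per Prl.
    A Prl whose operand runs past the end is reported with truncated=True and ends the walk."""
    prls, pos = [], 0
    while pos + 2 <= len(grpprl):
        opcode, = struct.unpack_from("<H", grpprl, pos)
        spra, sgc = opcode >> 13, (opcode >> 10) & 7
        start = pos + 2
        if spra == 6:
            width = 2 if opcode in TWO_BYTE_CB else 1
            if start + width > len(grpprl):
                cb = None
            else:
                cb = grpprl[start] if width == 1 else struct.unpack_from("<H", grpprl, start)[0]
                start += width
        else:
            cb = SPRA_SIZES[spra]
        truncated = cb is None or start + cb > len(grpprl)
        operand = grpprl[start:] if truncated else grpprl[start:start + cb]
        prls.append({"offset": pos, "opcode": opcode, "sgc": sgc,
                     "operand": operand, "truncated": truncated})
        if truncated:
            break
        pos = start + cb
    return prls


def find_malformed_table_sprm(grpprl):
    """Offset of the first Sprm with high byte 0xFF that directly follows a table Sprm, else None."""
    prev_is_table = False
    for prl in parse_grpprl(grpprl):
        if prev_is_table and (prl["opcode"] >> 8) == 0xFF:
            return prl["offset"]
        prev_is_table = prl["sgc"] == SGC_TABLE
    return None


# Constructed sample grpprls (not taken from the analysed file).
TABLE_CLUSTER = (
    struct.pack("<HH", 0x5400, 0)          # sprmTJc90: 2-byte operand, left-justified table
    + struct.pack("<Hh", 0x9601, -108)     # sprmTDxaLeft: 2-byte signed operand in twips
    + struct.pack("<HB", 0xD61C, 4)        # sprmTBrcTopCv: variable length, cb = 4 (assumed layout)
    + struct.pack("<I", 0x00FF0000)        # one COLORREF
)
MALFORMED_GRPPRL = TABLE_CLUSTER + bytes([0x41, 0xFF]) + b"\x00\x00\x00"   # opcode 0xFF41, spra 7 -> 3 bytes
BENIGN_GRPPRL = TABLE_CLUSTER + struct.pack("<HB", 0x2403, 1)             # sprmPJc80 (paragraph, sgc 1)


if __name__ == "__main__":
    for prl in parse_grpprl(MALFORMED_GRPPRL):
        print("%3d 0x%04X sgc=%d operand=%s" % (prl["offset"], prl["opcode"], prl["sgc"], prl["operand"].hex()))
    print("malformed at:", find_malformed_table_sprm(MALFORMED_GRPPRL))
```

The walk is deliberately tolerant: it does not validate that a given opcode is a defined SPRM, only that the operand size implied by its encoding fits, which is exactly what lets an undefined 0xFFxx opcode in the middle of a table cluster stand out.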