Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The sample is a malicious OLE document containing a macro that references the CreateProcess API, indicating an attempt to execute external code. The document body is heavily obfuscated and unreadable, providing no direct clues about its intent. The presence of the CreateProcess API call strongly suggests the macro is designed to download and execute a second-stage payload.
Heuristics (4)

- CVE-2006-6456 — Microsoft Word malformed table SPRM [severity: critical; match: CVE exact; id: CVE_2006_6456]
  WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.

- Reference to CreateProcess API [severity: high; id: SC_STR_CREATEPROCESS]
  The macro contains a reference to the CreateProcess API.

- OLE document has large unaccounted-for region [severity: high; id: OLE_SLACK_ANOMALY]
  OLE file is 179,200 bytes but its declared streams total only 94,801 bytes — 84,399 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

- OLE file has appended executable-looking payload bytes [severity: high; id: OLE_APPENDED_PAYLOAD]
  OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.