Office (OLE) / .RTF malware analysis — malicious · 6e1fc0c4085cafef

MALICIOUS

Office (OLE) / .RTF

154.9 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: c7d2ecd9d71547406a2da1984a6ff83c SHA-1: 53dd7f9747168a5750f0a1555d4158ff5b5e5910 SHA-256: 6e1fc0c4085cafef3bf4678e2dfd83d97f23d150de24e79a0313b3feda0ca1b9

102 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that contains a critical heuristic indicating exploitation of CVE-2006-6456. This vulnerability allows for arbitrary code execution, which is the primary attack vector observed. The large slack space in the OLE structure is also indicative of malicious packing or obfuscation.

Heuristics 3

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 158,640 bytes but its declared streams total only 94,801 bytes — 63,839 bytes (40%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.vmware.com/support

Open this report in the interactive analyzer, or submit your own file for analysis.