Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e815f420100a6ff1…

MALICIOUS

Office (OLE)

Size: 128.0 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: b4471acd3527de9b2c732ffa7c5fb1f9
SHA-1: 50a80752e10d79c4936255b630850fbb4ae632ef
SHA-256: e815f420100a6ff1848e092a38af288d151bb5bde023ec45eda4abd590514231
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is a Microsoft Word document that leverages CVE-2006-6456, a vulnerability in Word's handling of malformed table structures. This indicates an attempt to exploit a known weakness in older Word versions to achieve code execution. No VBA macros could be extracted, but the CreateProcess heuristic suggests the document attempts to launch an external process. The document body contains heavily corrupted text and provides no contextual clues about the lure.

Heuristics (3)

  • CVE-2006-6456 — Microsoft Word malformed table SPRM [severity: critical | CVE exact | rule: CVE_2006_6456]
    WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
  • Reference to CreateProcess API [severity: high | rule: SC_STR_CREATEPROCESS]
    Reference to CreateProcess API
  • Unsupported Office format for VBA extraction [severity: info | rule: OFFICE_FORMAT_UNSUPPORTED]
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. The file is likely a legacy, encrypted, or malformed OLE/OOXML container; re-scanning the same bytes will yield the same outcome.