Office (OLE) / .RTF malware analysis — malicious · fa657188133aa11c

MALICIOUS

Office (OLE) / .RTF

149.4 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: bea8bb9d7e4a1257b48faf9c7c2d6b46 SHA-1: 0ae66cc265cb37d8e35f76a99541ce7e8a9a197c SHA-256: fa657188133aa11c41fe80db7a93ec393dd5b4a1ae6cd7402419482d452b2071

102 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution

The file is a Microsoft Word document that triggers a critical heuristic for CVE-2006-6456, indicating exploitation of a vulnerability related to malformed table SPRMs. The presence of an OLE ObjectPool disguised as RTF further supports this. Although VBA macros could not be extracted, the critical heuristic strongly suggests the document is designed to exploit this vulnerability upon opening, likely leading to arbitrary code execution.

Heuristics 3

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
OLE ObjectPool in file named RTF high OLE_OBJECTPOOL_CONTAINER_DISGUISED_RTF

File is an OLE compound document named .rtf and contains ObjectPool embedded-object storage, suggesting a disguised Word/OLE container with embedded object attack surface.
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.