Office (OLE) / .XLS malware analysis — malicious · 0e0c95f6496b564c

MALICIOUS

Office (OLE) / .XLS

152.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 06a04e7b8f0d680af8dbe6f904e957e1 SHA-1: 6504b0cac07fcb1cbf6ab45f29d05fe994ca52c7 SHA-256: 0e0c95f6496b564c96763300221792d2e2b6593bb7dd0d832daefce1408c8228

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a Microsoft Excel file exhibiting a critical heuristic for CVE-2009-3129, an Excel FEATHEADER record overflow vulnerability. This indicates the file is designed to exploit this specific flaw for arbitrary code execution. References to LoadLibrary and GetProcAddress APIs further support the likelihood of malicious code execution.

Heuristics 4

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 155,671 bytes but its declared streams total only 24,565 bytes — 131,106 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.