Office (OLE) / .XLS malware analysis — malicious · 17abf73ac62b2594

MALICIOUS

Office (OLE) / .XLS

68.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: a390202fb3ac55de4bda4950163e7d13 SHA-1: c7e5b5d6b83cbfa0784aac16e002847c4a6dba3a SHA-256: 17abf73ac62b259430241b164c66baf3d6fee5136af73aaa13daafb9c5240c1f

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing for CVE-2009-3129 indicates that this Excel file exploits a record overflow vulnerability to achieve code execution. References to LoadLibrary and GetProcAddress APIs further support the likelihood of arbitrary code execution. The large slack space in the OLE structure is also a common characteristic of malicious OLE files.

Heuristics 4

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 69,632 bytes but its declared streams total only 24,565 bytes — 45,067 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.