Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18da80e1fd263c57…

MALICIOUS

Office (OLE)

141.6 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 6796a99be0995af996fffedd0d351d98 SHA-1: fce64e0e8852fdfc6bb66a89d4fef680799b10c3 SHA-256: 18da80e1fd263c57689485e12a2bcc2ca9973ddbb0cd379b2ccd7b5ccaebf71f
262 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical CVE_2009_3129 heuristic indicates that this Excel file exploits a known vulnerability to achieve code execution. High-severity heuristics for OLE_SLACK_ANOMALY and OLE_APPENDED_PAYLOAD suggest that an executable payload is appended to the OLE structure. References to VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress further support the execution of injected code, likely a downloader. The presence of unknown URLs suggests potential C2 communication or payload retrieval.

Heuristics 8

  • CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129
    Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 145,008 bytes but its declared streams total only 24,565 bytes — 120,443 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.verisign.com0
    • http://www.microsoft.com0
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • http://crl.verisign.com/tss-ca.crl0
    • http://crl.microsoft.com/pki/crl/products/WinPCA.crl0:�8�6�4http://www.microsoft.com/pki/crl/products/WinPCA.crl0R
    • http://www.microsoft.com/pki/certs/MicrosoftWinPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0��

Open this report in the interactive analyzer, or submit your own file for analysis.