Office (OLE) / .XLS malware analysis — malicious · 1e1fed2992c1f024

MALICIOUS

Office (OLE) / .XLS

107.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 9a74b1c5c3b8debe7d44c77a175a126e SHA-1: 7148ce412622daca5e106788ec767f855306db33 SHA-256: 1e1fed2992c1f024d3bebfbeae173c919f8669467fd3f280c15c0dcccf5a1299

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1204.002 Malicious File: User Execution

The file is an Excel spreadsheet exhibiting a large amount of slack space, indicative of potential obfuscation or embedded malicious content. It specifically triggers a critical heuristic for CVE-2009-3129, a known vulnerability in Microsoft Excel related to FEATHEADER record overflow. This suggests the file is designed to exploit this vulnerability upon opening, likely leading to arbitrary code execution.

Heuristics 2

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 109,575 bytes but its declared streams total only 24,565 bytes — 85,010 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.