Malicious Email / .MSG — malware analysis report

Static analysis result for SHA-256 27beab7eb95ac530…

Verdict: MALICIOUS
File type: Email / .MSG
Size: 109.5 KB
First seen: 2026-05-10
MD5: 7d6b4afb91548b378820017f233ee269
SHA-1: 6772f8326b78e0ff8da329acfe06be6fb9d3a5ea
SHA-256: 27beab7eb95ac530d4339822f591785c8d0f996e2ff0f0ec81ae540105dd15e7
Risk score: 202

Heuristics (5)

  • CVE-2009-3129 — Excel FEATHEADER record overflow [severity: critical; type: CVE; match: exact; rule: CVE_2009_3129]
    Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
  • CVE-2023-23397 — UNC path in Outlook reminder property [severity: high; type: CVE; match: related; rule: CVE_2023_23397]
    Outlook .msg file contains a UNC path (\\server\share) — this is related to the CVE-2023-23397 attack surface, but the exact ReminderFileParameter stream was not confirmed by property-aware parsing.
  • Embedded Office document has suspicious static findings [severity: critical; rule: EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE]
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region [severity: high; rule: OLE_SLACK_ANOMALY]
    OLE file is 75,264 bytes but its declared streams total only 24,565 bytes — 50,699 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Limited .msg parsing [severity: info; rule: EMAIL_MSG_LIMITED]
    The .msg format requires the 'extract-msg' library for full analysis. Install it with: pip install extract-msg. Basic text scanning was performed.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: embedded_office_off00009000.ole
  Kind: embedded-office
  Source: Embedded OLE/CFB Office body inside email container at offset 0x9000
  Size: 75264 bytes
  SHA-256: 77ff5e5344fc3340e63eb0c09bb5e2683c7f472ee701251236646f9addfcf371