Office (OLE) / .XLS malware analysis — malicious · 2cfafdc2b37a337c

MALICIOUS

Office (OLE) / .XLS

25.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: d9fce6a8e82728e7afa2144a0e64e940 SHA-1: 7dd70de34ea93a370f6b8eaefa983d5f69df6cc4 SHA-256: 2cfafdc2b37a337c06fe880499920e944362f0a3955f1509979e370f7a47290e

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution: Malicious Attachment T1059.003 Command and Scripting Interpreter: Windows Command Shell

The critical heuristic firing indicates exploitation of CVE-2009-3129, a known vulnerability in Microsoft Excel. The suspicious cmd.exe invocation suggests that the exploit is used to execute arbitrary commands. No document body or scripts were extracted, but the exploit itself is sufficient to classify the attack pattern.

Heuristics 3

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag

Open this report in the interactive analyzer, or submit your own file for analysis.