Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4569483769f99152…

MALICIOUS

Office (OLE) / .XLS

25.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: a34297501c82b40a7868cd237a727ed0 SHA-1: d43c4364a6f02c83b8180a7abd3314f325ecf889 SHA-256: 4569483769f99152abbc8989e2760b23631d42123b3d19199f4d800233ac036e
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious Excel file that exploits CVE-2009-3129, a known vulnerability in Microsoft Excel related to the FEATHEADER record overflow. This exploit allows for arbitrary code execution. No document body or scripts were extracted, but the critical heuristic firing strongly indicates exploitation of this specific vulnerability.

Heuristics 1

  • CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129
    Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.

Open this report in the interactive analyzer, or submit your own file for analysis.