Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a49f7f3122c5646…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 154.5 KB
Created: 1996-12-17 01:32:42 (taken from the document's own metadata, which the author of the file controls)
Authoring application: Microsoft Excel
First seen: 2019-09-30
MD5: c8876ff14dd99a9fa465462fe4f9b883
SHA-1: e42caa806d175f87e3b8b093687db6f55c8f95df
SHA-256: 4a49f7f3122c5646dd0d679b44024f511475589efa350507b20e90444a056861
Risk score: 140

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is classified as malicious because a critical heuristic for CVE-2009-3129 fired: the workbook carries an Excel FEATHEADER record (BIFF record type 0x0867) whose header fields match the malformed-record pattern of that vulnerability (patched in MS09-067). This indicates the file was built to exploit the flaw and gain code execution when the workbook is opened. The file also contains the strings LoadLibrary and GetProcAddress, the API pair that position-independent shellcode typically uses to resolve its imports at run time, which further supports the arbitrary-code-execution assessment.

Heuristics (3)

  • CVE-2009-3129: Excel FEATHEADER record overflow (severity: critical, rule: CVE_2009_3129)
    The Workbook BIFF stream contains a FEATHEADER (Feature Header, record type 0x0867) record with anomalous fields: record_size=23, isf=2, cbHdrData=4294967295 (0xFFFFFFFF). Legitimate FEATHEADER records are small (under 100 bytes) and carry a cbHdrData value that fits inside the record body; here cbHdrData claims roughly 4 GiB of header data inside a 23-byte record. This is the documented CVE-2009-3129 trigger: the attacker-controlled cbHdrData value feeds a memcpy whose size is not validated against the record, corrupting memory and yielding code execution in unpatched Excel 2003 and 2007 (fixed in MS09-067).
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    The string LoadLibrary appears in the file. Embedded shellcode uses this API, together with GetProcAddress, to locate the functions it needs without an import table.
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    The string GetProcAddress appears in the file; see the LoadLibrary entry above. A string match alone is not proof of execution, which is why both rules are rated high rather than critical: a VBA Declare statement can also name these APIs.
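The following is an added example, not code from the report or from the scanner that produced it. It reproduces the two kinds of check listed above in a form that can be run over a raw Workbook stream: a BIFF record walker that locates FEATHEADER (0x0867) records, parses the fixed part of the FeatHdr body using the field layout from MS-XLS (frtHeaderOld 4 bytes, isf 2, reserved 1, cbHdrData 4, then rgbHdrData), and flags the isf=2 / cbHdrData=0xFFFFFFFF combination the report keys on, plus any cbHdrData that exceeds the bytes actually present in the record; and a string scan for the SC_STR_* API names in ASCII and UTF-16LE. The sample stream is constructed here to mirror the values in the report (record_size=23, isf=2, cbHdrData=4294967295) and is not bytes from the analysed file; the control record with isf=3 and a consistent cbHdrData is likewise constructed only to show the check staying quiet on a self-consistent record.

```python
import struct
import sys
from typing import Dict, Iterator, List, Optional, Tuple

FEATHEADER = 0x0867        # BIFF record type of FeatHdr (shared feature header)
ISF_IN_REPORT = 2          # isf value listed in the report's heuristic
CB_SENTINEL = 0xFFFFFFFF   # cbHdrData value listed in the report (4294967295)
FIXED_LEN = 11             # frtHeaderOld(4) + isf(2) + reserved(1) + cbHdrData(4)
API_STRINGS = (b"LoadLibrary", b"GetProcAddress")


def iter_biff_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, record_type, body) for every record in a BIFF8 stream.

    Each record is a 4-byte little-endian header (type, body length) followed
    by the body. A record whose declared length runs past the end of the
    stream is yielded truncated and ends the walk.
    """
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4: off + 4 + rlen]
        yield off, rtype, body
        if len(body) < rlen:
            return
        off += 4 + rlen


def parse_featheader(body: bytes) -> Optional[Dict[str, int]]:
    """Parse the fixed fields of a FeatHdr body; None if it is too short."""
    if len(body) < FIXED_LEN:
        return None
    rt, _grbit, isf, reserved, cb = struct.unpack_from("<HHHBI", body, 0)
    return {"rt": rt, "isf": isf, "reserved": reserved, "cbHdrData": cb,
            "rgbHdrData_len": len(body) - FIXED_LEN, "record_size": len(body)}


def featheader_anomalies(stream: bytes) -> List[dict]:
    """Return one finding per FEATHEADER record whose size fields do not add up."""
    findings = []
    for off, rtype, body in iter_biff_records(stream):
        if rtype != FEATHEADER:
            continue
        fields = parse_featheader(body)
        if fields is None:
            findings.append({"offset": off, "record_size": len(body),
                             "reasons": ["body shorter than the 11-byte fixed header"]})
            continue
        reasons = []
        if fields["cbHdrData"] == CB_SENTINEL and fields["isf"] == ISF_IN_REPORT:
            reasons.append("isf=2 with cbHdrData=0xFFFFFFFF (pattern from the report)")
        elif fields["cbHdrData"] > fields["rgbHdrData_len"]:
            reasons.append("cbHdrData larger than the bytes left in the record")
        if reasons:
            findings.append({"offset": off, "reasons": reasons, **fields})
    return findings


def api_string_hits(data: bytes) -> Dict[str, List[int]]:
    """Offsets of each API name, matched as ASCII and as UTF-16LE."""
    hits: Dict[str, List[int]] = {}
    for name in API_STRINGS:
        offs = []
        for needle in (name, name.decode().encode("utf-16-le")):
            start = 0
            while (i := data.find(needle, start)) != -1:
                offs.append(i)
                start = i + 1
        hits[name.decode()] = sorted(offs)
    return hits


def scan(stream: bytes) -> dict:
    """Combine both checks into a verdict shaped like the report's heuristics."""
    feat = featheader_anomalies(stream)
    apis = api_string_hits(stream)
    return {"featheader": feat, "api_strings": apis,
            "verdict": "MALICIOUS" if feat else "no FEATHEADER anomaly"}


def _rec(rtype: int, body: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(body)) + body


# Constructed sample (not bytes from the analysed file): BOF, a FEATHEADER mirroring the
# reported values, a constructed self-consistent control record, a CONTINUE record
# holding the API names, and EOF.
SAMPLE_STREAM = (
    _rec(0x0809, bytes(16))
    + _rec(FEATHEADER, struct.pack("<HHHBI", FEATHEADER, 0, 2, 1, CB_SENTINEL) + bytes(12))
    + _rec(FEATHEADER, struct.pack("<HHHBI", FEATHEADER, 0, 3, 1, 12) + bytes(12))
    + _rec(0x003C, b"payload\x00LoadLibraryA\x00GetProcAddress\x00")
    + _rec(0x000A, b"")
)

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real .xls: pull the Workbook stream via olefile
        import olefile
        data = olefile.OleFileIO(sys.argv[1]).openstream("Workbook").read()
    else:
        data = SAMPLE_STREAM
    print(scan(data))
```

Run it without arguments to scan the constructed stream; with a path to an .xls it reads the Workbook stream through olefile. Two caveats for real files: BIFF8 splits bodies longer than 8224 bytes across CONTINUE (0x003C) records, which a production scanner must stitch back together before parsing, and the string scan is only a hint, since VBA Declare statements can also name these APIs.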