Office (OLE) / .XLS malware analysis — malicious · 64a117d46e7717c7

MALICIOUS

Office (OLE) / .XLS

48.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 1893c8621c7432f09b577ff5e8831155 SHA-1: 16d0a9e1a2d06c0e07197ccbb3552edc23078c5f SHA-256: 64a117d46e7717c7e1a2715324264ff671f0d7623984958c97268c459f0c04f1

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The file is a Microsoft Excel spreadsheet that triggers a critical heuristic for CVE-2009-3129, indicating an exploitation of a record overflow vulnerability. This vulnerability allows for arbitrary code execution on the victim's machine. No document body or scripts were extracted, limiting further analysis of the payload.

Heuristics 2

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 49,664 bytes but its declared streams total only 24,565 bytes — 25,099 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.