Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
The file is an Excel (BIFF) spreadsheet exhibiting multiple high-severity heuristics: an OLE slack anomaly, an appended executable-looking payload, and a critical match for CVE-2009-3129 (the FEATHEADER record memory-corruption bug fixed in MS09-067). The reference to the LoadLibrary API indicates that successful exploitation goes on to load and execute additional code. Taken together, the appended payload and the nature of the exploit indicate a document that carries its own second stage and executes it once the parser has been corrupted. The exploit record and the embedded payload establish malicious intent, but without further context or analysis of the payload itself the exact malware family remains unknown.
Heuristics (4)

- CVE-2009-3129: Excel FEATHEADER record overflow (severity: critical; category: CVE exact; id: CVE_2009_3129). The Workbook BIFF stream contains a FEATHEADER (Feature Header, record type 0x0867) record with anomalous field values: record_size=23, isf=2, cbHdrData=4294967295 (0xFFFFFFFF). A 23-byte record is exactly the fixed FeatHdr header (12-byte FrtHeader, 2-byte isf, 5 reserved bytes, 4-byte cbHdrData) with no rgbHdrData body at all, yet cbHdrData claims a body of 4 GiB. Legitimate FEATHEADER records are tiny (under 100 bytes) and carry cbHdrData values that fit inside the record. An oversized cbHdrData is the documented CVE-2009-3129 (MS09-067) exploit primitive: Excel uses it as an attacker-controlled length for a memory copy, leading to memory corruption and code execution in Excel 2003/2007.

- Reference to LoadLibrary API (severity: high; id: SC_STR_LOADLIBRARY). The file contains a reference to the LoadLibrary API. A spreadsheet has no legitimate reason to name a Win32 loader function; combined with the exploit record, it points to embedded shellcode or a loader stub that resolves imports at runtime and loads further code.

- OLE document has large unaccounted-for region (severity: high; id: OLE_SLACK_ANOMALY). The OLE file is 169,984 bytes but its declared streams total only 24,565 bytes; the remaining 145,419 bytes (86%) sit in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: typically XOR-encoded shellcode that the exploit reaches by corrupting a parser pointer through the document structure.

- OLE file has appended executable-looking payload bytes (severity: high; id: OLE_APPENDED_PAYLOAD). The compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
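A check for the FEATHEADER anomaly, as an added example rather than the analyzer's own code: it walks the BIFF record stream and flags any FeatHdr record whose cbHdrData exceeds the bytes actually present in the record. The record layout (type 0x0867; 12-byte FrtHeader, isf, reserved bytes, cbHdrData) is from MS-XLS; the sample stream, the 100-byte threshold constant and the function names are constructed for the example, and the findings it prints are for that constructed stream, not the analysed file.

```python
"""Added example: walk a BIFF8 Workbook stream and flag FeatHdr (FEATHEADER, 0x0867) records whose
cbHdrData cannot fit inside the record, the shape the CVE-2009-3129 heuristic above keys on."""
import struct
from typing import Iterator, List, Optional, Tuple

BIFF_BOF, BIFF_EOF, BIFF_FEATHEADER = 0x0809, 0x000A, 0x0867
# Fixed part of FeatHdr: FrtHeader (12) + isf (2) + reserved1 (1) + reserved2 (4) + cbHdrData (4)
FEATHDR_FIXED = 23
MAX_SANE_FEATHDR = 100   # the report's "legitimate records are tiny (<100 bytes)" threshold (assumed)


def iter_biff_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, record_type, payload); stop at a header or body that runs past the stream."""
    off = 0
    while off + 4 <= len(stream):
        rt, size = struct.unpack_from("<HH", stream, off)   # every BIFF record: type, length, body
        payload = stream[off + 4 : off + 4 + size]
        if len(payload) < size:       # truncated body: stop rather than over-read
            return
        yield off, rt, payload
        off += 4 + size


def check_featheader(offset: int, payload: bytes) -> Optional[dict]:
    """Return a finding for a malformed FeatHdr record, or None when it looks legitimate."""
    finding = {"offset": offset, "record_size": len(payload), "isf": None, "cbHdrData": None}
    if len(payload) < FEATHDR_FIXED:
        finding["reason"] = "record shorter than the fixed FeatHdr header"
        return finding
    (rt,) = struct.unpack_from("<H", payload, 0)           # FrtHeader.rt echoes the record type
    (isf,) = struct.unpack_from("<H", payload, 12)         # SharedFeatureType
    (cb_hdr_data,) = struct.unpack_from("<I", payload, 19) # declared size of rgbHdrData
    body_present = len(payload) - FEATHDR_FIXED            # bytes actually available for rgbHdrData
    reasons = []
    if rt != BIFF_FEATHEADER:
        reasons.append("FrtHeader.rt does not match record type")
    if cb_hdr_data > body_present:
        reasons.append("cbHdrData exceeds bytes present in record")
    if len(payload) > MAX_SANE_FEATHDR:
        reasons.append("record larger than any legitimate FeatHdr")
    if not reasons:
        return None
    finding.update(isf=isf, cbHdrData=cb_hdr_data, reason="; ".join(reasons))
    return finding


def scan_workbook(stream: bytes) -> List[dict]:
    """All FeatHdr findings in a Workbook stream (every substream, so do not stop at the first EOF)."""
    findings = []
    for off, rt, payload in iter_biff_records(stream):
        if rt == BIFF_FEATHEADER:
            f = check_featheader(off, payload)
            if f:
                findings.append(f)
    return findings


# --- constructed sample stream (not the analysed file) ------------------------------------------
def biff_record(rt: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rt, len(payload)) + payload


def feathdr(isf: int, cb_hdr_data: int, rgb_hdr_data: bytes = b"") -> bytes:
    frt_header = struct.pack("<HH8s", BIFF_FEATHEADER, 0, b"\0" * 8)     # rt, grbitFrt, reserved
    fixed = struct.pack("<HB4sI", isf, 0xFF, b"\0" * 4, cb_hdr_data)    # isf, reserved1, reserved2, cbHdrData
    return biff_record(BIFF_FEATHEADER, frt_header + fixed + rgb_hdr_data)


SAMPLE_STREAM = (
    biff_record(BIFF_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0x0006))  # BIFF8 globals BOF
    + feathdr(isf=2, cb_hdr_data=0)                  # sane: 23-byte record, empty rgbHdrData, cbHdrData 0
    + feathdr(isf=2, cb_hdr_data=0xFFFFFFFF)         # the CVE-2009-3129 shape the report describes
    + biff_record(BIFF_EOF, b"")
)

if __name__ == "__main__":
    for f in scan_workbook(SAMPLE_STREAM):
        print(f)
```

On a real file, feed `scan_workbook` the bytes of the `Workbook` stream (for example `olefile.OleFileIO(path).openstream("Workbook").read()`). The rule is deliberately coarse: any cbHdrData that cannot be satisfied from the record body is flagged regardless of isf, which is what makes the 23-byte, 0xFFFFFFFF record in this report stand out.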
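The two OLE heuristics reproduced as an added example, not the analyzer's implementation: a minimal compound-file directory walker sums the stream sizes the directory declares to get the slack figure (the report's 169,984 minus 24,565 arithmetic), then measures the entropy of, and scans for loader markers in, everything past the last allocated sector. The constructed sample file, its random "encoded stage", the marker list and all function names are assumptions made for the example; the figures it prints describe that constructed file, not the analysed one.

```python
"""Added example: minimal OLE2 walker reproducing OLE_SLACK_ANOMALY and OLE_APPENDED_PAYLOAD."""
import math
import random
import struct
from collections import Counter

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
STREAM, ROOT = 2, 5
# Strings a spreadsheet has no reason to carry; their presence in slack is the loader/PE signal (assumed list).
PAYLOAD_MARKERS = [b"This program cannot be run", b"LoadLibraryA", b"GetProcAddress",
                   b"kernel32", b"\x64\xa1\x30\x00\x00\x00"]   # last: mov eax, fs:[0x30] (PEB walk)


def parse_ole(data: bytes):
    """Return (sector_size, fat, directory entries). Only the 109 header DIFAT slots are followed
    (files up to ~7 MB at 512-byte sectors); larger files would also need the DIFAT sector chain."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    (sector_shift,) = struct.unpack_from("<H", data, 30)
    ssz = 1 << sector_shift
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for sid in struct.unpack_from("<109I", data, 76)[:n_fat]:
        if sid == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), data, (sid + 1) * ssz))  # sector n starts at (n+1)*ssz
    entries, sid, seen = [], first_dir, set()
    while sid != ENDOFCHAIN and sid < len(fat) and sid not in seen:   # `seen` guards against FAT loops
        seen.add(sid)
        base = (sid + 1) * ssz
        for i in range(ssz // 128):
            e = data[base + 128 * i : base + 128 * (i + 1)]
            if len(e) < 128 or e[66] == 0:      # truncated sector or unallocated directory entry
                continue
            (name_len,) = struct.unpack_from("<H", e, 64)
            start, size = struct.unpack_from("<IQ", e, 116)
            if ssz == 512:                      # v3 files: only the low 32 bits of the size are valid
                size &= 0xFFFFFFFF
            entries.append({"name": e[: max(name_len - 2, 0)].decode("utf-16-le", "replace"),
                            "type": e[66], "start": start, "size": size})
        sid = fat[sid]
    return ssz, fat, entries


def slack_report(data: bytes) -> dict:
    """OLE_SLACK_ANOMALY: bytes in the file that no declared stream accounts for."""
    _, _, entries = parse_ole(data)
    declared = sum(e["size"] for e in entries if e["type"] == STREAM)
    slack = len(data) - declared
    return {"file_size": len(data), "declared": declared, "slack": slack,
            "slack_pct": round(100 * slack / len(data))}


def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def payload_report(data: bytes) -> dict:
    """OLE_APPENDED_PAYLOAD: entropy and loader markers of the tail past the last allocated sector."""
    ssz, fat, _ = parse_ole(data)
    allocated = [i for i, v in enumerate(fat) if v != FREESECT]
    tail_offset = (max(allocated) + 2) * ssz if allocated else len(data)
    tail = data[tail_offset:]
    return {"tail_offset": tail_offset, "tail_size": len(tail),
            "entropy": round(shannon_entropy(tail), 2),
            "markers": [m for m in PAYLOAD_MARKERS if m in tail]}


# --- constructed sample (not the analysed file) -------------------------------------------------
def build_sample_ole(workbook: bytes, appended: bytes) -> bytes:
    """v3 compound file: header, 1 FAT sector, 1 directory sector (Root Entry + Workbook stream),
    the stream data in regular sectors, then `appended` bytes no directory entry accounts for."""
    ssz = 512
    n_data = -(-len(workbook) // ssz)                       # sectors the stream occupies (ceil)
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_data)) + [ENDOFCHAIN]   # 2 -> 3 -> ... -> end
    fat += [FREESECT] * (ssz // 4 - len(fat))
    header = OLE_MAGIC + b"\0" * 16 + struct.pack(
        "<HHHHH6sIIIIIIIII", 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
        0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)   # 1 FAT sector (sector 0), directory at sector 1
    header += struct.pack("<109I", 0, *([FREESECT] * 108))  # header DIFAT: FAT lives in sector 0

    def entry(name, typ, child, start, size):
        n = name.encode("utf-16-le") + b"\0\0"
        return (n.ljust(64, b"\0") + struct.pack("<HBBIII", len(n), typ, 1, NOSTREAM, NOSTREAM, child)
                + b"\0" * 36 + struct.pack("<IQ", start, size))

    directory = entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0) + entry("Workbook", STREAM, NOSTREAM, 2, len(workbook))
    return (header + struct.pack("<128I", *fat) + directory.ljust(ssz, b"\0")
            + workbook.ljust(n_data * ssz, b"\0") + appended)


SAMPLE_WORKBOOK = b"BIFF" * 1024                            # 4096-byte stand-in for a Workbook stream
_rng = random.Random(1)
SAMPLE_APPENDED = (bytes(_rng.getrandbits(8) for _ in range(8000))   # high-entropy "encoded stage"
                   + b"This program cannot be run in DOS mode\0LoadLibraryA\0GetProcAddress\0kernel32.dll\0")
SAMPLE_OLE = build_sample_ole(SAMPLE_WORKBOOK, SAMPLE_APPENDED)
CONTROL_OLE = build_sample_ole(SAMPLE_WORKBOOK, b"")        # same file with nothing appended

if __name__ == "__main__":
    print(slack_report(SAMPLE_OLE), payload_report(SAMPLE_OLE))
    print(slack_report(CONTROL_OLE), payload_report(CONTROL_OLE))
```

The slack figure counts the header, FAT and directory sectors too, so a small file shows a few sectors of "slack" that is nothing but structure (the control file above reports 1,536 bytes); the percentage only means something for a file well beyond that overhead, as the 86% in this report is. The tail carve is the region to hand to a shellcode emulator or an XOR-key brute-forcer, which is where the analyst would get a family name the report itself cannot provide.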