Office (OLE) / .XLS malware analysis — malicious · 6db353593f8b9403

MALICIOUS

Office (OLE) / .XLS

66.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 3e4920fd2e2c3bbf3dc66fa5327fccd4 SHA-1: 519b03b8c4d3b6c3380ecdf0664c11a58b81299f SHA-256: 6db353593f8b94039fcd96f66a95dbcbc89e37858cf5c24293f7257f3e8d3f8f

200 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing for CVE-2009-3129 indicates that this Excel file is designed to exploit a specific vulnerability in Microsoft Excel. The presence of VirtualProtect, LoadLibrary, and GetProcAddress API references further suggests that the exploit is likely used to load and execute arbitrary code, potentially a second-stage payload.

Heuristics 5

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 67,607 bytes but its declared streams total only 24,565 bytes — 43,042 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.