Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 746296610f214efd…

MALICIOUS

Office (OLE) / .XLS

157.3 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: ad75a69faee82007ec1b2073f086e84d SHA-1: 93693bfe95c69ad626616d53f20b02d943dfcf64 SHA-256: 746296610f214efd4ee5e85a6da8d24376e2f943708218592d9d631c7914a035
300 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is a malicious Microsoft Excel spreadsheet that exploits CVE-2009-3129, a record overflow vulnerability. This vulnerability allows for arbitrary code execution, likely to download and run a secondary payload. The presence of API calls like CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress further supports the execution of malicious code.

Heuristics 7

  • CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129
    Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
  • XOR-encoded strings (key 0xDC) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xDC: 'iphlpapi.dll', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'GetProcAddress', 'GetProcAddress', 'GetProcAddress', 'GetProcAddress'
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 161,075 bytes but its declared streams total only 24,565 bytes — 136,510 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.