Office (OLE) / .XLS malware analysis — malicious · 76da4c257e190a34

MALICIOUS

Office (OLE) / .XLS

57.1 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 2a938435c30f7ccba9825d9b2be0b2e0 SHA-1: 9c9f49a09c2060a40e60dda12884a049f1cdcaf7 SHA-256: 76da4c257e190a346e6aaab1acb0ae3c1eed4b4d51a93b4c508a8bb1d9b99248

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The file is a malicious Microsoft Excel document identified as exploiting CVE-2009-3129. This vulnerability allows for arbitrary code execution when the file is opened. No document body or scripts were extracted, but the critical heuristic firing strongly indicates a vulnerability exploit.

Heuristics 2

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 58,432 bytes but its declared streams total only 24,565 bytes — 33,867 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.