Office (OLE) / .XLS malware analysis — malicious · 81ae46b064fba4e5

MALICIOUS

Office (OLE) / .XLS

62.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel

MD5: 242737c48643dde46d34de0a7ed22bc2 SHA-1: c207320c24d2c9aa11f70581553a9ccaa0426505 SHA-256: 81ae46b064fba4e5b0303e9bb576ce0fb18f5f3b1a3e9f4bd844c4f79ceddaa4

300 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell

The sample is an Excel file containing both VBA and XLM macros. The presence of `Workbook_Open` and `Auto_Open` macros, along with heuristics indicating a reference to `ShellExecute` and `URLDownloadToFile` APIs, suggests the document is designed to automatically execute malicious code upon opening. The `SE_ENABLE_LURE` heuristic confirms that the document instructs the user to enable macros, a common social engineering tactic. The embedded URL `https://kawaguchikimiaindonesia.com/crun20.gif` is likely used to download a secondary payload. The CVE-2009-3129 heuristic indicates a potential exploit related to Excel FEATHEADER record overflow.

Heuristics 9

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4280361471). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
XLM Auto_Open with dangerous formula APIs high OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://kawaguchikimiaindonesia.com/crun20.gif�
- https://kawaguchikimiaindonesia.com/crun20.gif

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `d4222e1ad83b892546402a65bce1342319760d5f0e17d0c73ae5f07e792beb86`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	9447 bytes
`macros.bas` `c29faf2da8b6b84c63880f8f3ff09f138acdaa94ad9406cab75b546ae0e54428`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	979 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.