MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is an Excel spreadsheet exhibiting a large amount of slack space and triggering critical heuristics for CVE-2009-3129 (Excel FEATHEADER record overflow) and the presence of an embedded Adobe Flash (SWF) file. The embedded URL 'http://saty-home.com/' is also present. These indicators suggest the file is designed to exploit a vulnerability to download and execute a secondary payload.
Heuristics 4
-
CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
-
Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWFDocument contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 296,535 bytes but its declared streams total only 24,565 bytes — 271,970 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://saty-home.com/
Open this report in the interactive analyzer, or submit your own file for analysis.