Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 bc07803e084d176c…

MALICIOUS

Office (OLE) / .XLS

102.1 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: ba2a691669cfd7e7bdee7f691a71bc61 SHA-1: 02e1d13a17ffa1f153758d6325aab166b6b338c6 SHA-256: bc07803e084d176c53ada4f98feed6a78bf7406e99251e2b4ecd7278f06d68b7
100 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is an Excel spreadsheet that contains a large amount of slack space, indicating potential obfuscation or embedded malicious content. A critical heuristic firing identified the CVE-2009-3129 vulnerability, which is an Excel FEATHEADER record overflow. This suggests the file is designed to exploit this specific flaw to achieve arbitrary code execution. Several unknown reputation URLs were extracted, which may be related to the exploit or subsequent payload delivery.

Heuristics 3

  • CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129
    Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 104,510 bytes but its declared streams total only 24,565 bytes — 79,945 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdf-repair.com
    • http://www.pdf-repair.com)/Producer(Advanced
    • http://www.pdf-repair.com)/ModDate(D:20100406171120+08
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.