Office (OLE) malware analysis — malicious · be6f5b363c727987

MALICIOUS

Office (OLE)

61.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 68b5b75378295d7ac7242968bd8f4137 SHA-1: 77c9dc4f0bafdbb46799498d43cb21bb146ceb8d SHA-256: be6f5b363c72798776059c46e47f10383875292de19778833101a3aa32329e1d

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution

The critical heuristic firing for CVE-2009-3129 indicates that this Excel file is designed to exploit a buffer overflow vulnerability. The OLE slack anomaly further suggests that the file has been tampered with to hide malicious content. Without a document body or scripts, the exact payload and delivery mechanism are unclear, but the exploit itself is the primary attack vector.

Heuristics 2

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 62,982 bytes but its declared streams total only 24,565 bytes — 38,417 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.