Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d8e59133db4ccd38…

MALICIOUS

Office (OLE) / .XLS

119.1 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 2f5f7daba282d9e1973f04d4e3e8740a SHA-1: ba14c5c1fc2c4f28c73dbcebc69132d53174aab8 SHA-256: d8e59133db4ccd3833f38ece1a038cabf0f99dbc7cf9056834fd691f8d1430a4
100 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is an Excel file exhibiting a critical heuristic for CVE-2009-3129, indicating exploitation of a known Excel vulnerability. The large slack space anomaly further suggests manipulation of the file structure for malicious purposes. While no scripts were extracted, the embedded URLs, though mostly benign, include references to 'pdf-repair.com' which could be a lure for a malicious download. The attack pattern is likely a document-based exploit targeting Excel users.

Heuristics 3

  • CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129
    Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 121,918 bytes but its declared streams total only 24,565 bytes — 97,353 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdf-repair.com
    • http://www.pdf-repair.com)/Producer(Advanced
    • http://www.pdf-repair.com)/ModDate(D:20100406171120+08
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.