Office (OLE) / .XLS malware analysis — malicious · e03f630df4a3d8cd

MALICIOUS

Office (OLE) / .XLS

25.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 3533fdc6d7a1a9986e40c496aab73b36 SHA-1: bcfb84bef67493835930559aa375fb5945c5e593 SHA-256: e03f630df4a3d8cd868e640dcdad5cfb1b31bd7aa589c4560c9766342d52b8c1

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1204.002 Malicious File: User Execution T1059 Command and Scripting Interpreter T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is a malicious Microsoft Excel file that exploits the CVE-2009-3129 vulnerability. This vulnerability allows for arbitrary code execution when the file is opened. The heuristic firings indicate a PEB access and a suspicious invocation of cmd.exe, suggesting the exploit likely leads to command execution.

Heuristics 3

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag

Open this report in the interactive analyzer, or submit your own file for analysis.