Office (OLE) malware analysis — malicious · fd1c8d2ef7985796

MALICIOUS

Office (OLE)

153.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 5c616d527fa8eab3053b30d63314d460 SHA-1: ea08045304ce8fd49087ab1bd41057a8c73c3b21 SHA-256: fd1c8d2ef7985796a569c33c29a5d68527f153a6cdb9215a273e8178dc7ee018

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The file is identified as malicious due to the critical heuristic firing for CVE-2009-3129, indicating an exploit within the Excel FEATHEADER record. Additionally, an OLE slack anomaly suggests the presence of hidden or unexpected data within the document structure. These indicators point to a malicious Excel file designed to exploit this vulnerability.

Heuristics 2

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=22, isf=4, cbHdrData=4). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 156,673 bytes but its declared streams total only 24,565 bytes — 132,108 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.