Malicious Microsoft Write / .WRI — malware analysis report

Static analysis result for SHA-256 01669898adfebbf7…

MALICIOUS

Microsoft Write / .WRI

Size: 258.5 KB (264,704 bytes)
Created: 2008-10-09 03:10:00
Authoring application: Microsoft Word 9.0
MD5: 28bc3b46bbcaf8a8ef331c1474851d1d
SHA-1: 4303af81cf8eb02ae814c5a40904feae7cfaadb5
SHA-256: 01669898adfebbf74f9be37d60e70b54931913c09bfa91aa24030940d17215b2
Risk score: 302

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1027 Obfuscated Files or Information
  • T1204.001 User Execution: Malicious Link
  • T1140 Deobfuscate/Decode Files or Information

Caveat: the heuristics below evidence obfuscation (T1027) and run-time decoding (T1140) only. No PowerShell invocation or link-delivery artifact appears in the static result, so T1059.001 and T1204.001 are tool-assigned tags rather than observed behaviour.

The file is an OLE compound document carrying Microsoft Write streams, with 70% of its bytes lying outside any declared stream, the usual hiding place for document exploit payloads of this era. The file-level scan finds the indicators of position-independent shellcode: a 0x90 NOP sled and a run of 0x61 (popad) landing-pad bytes, x86 code that reads the PEB pointer through FS:[0x30] to walk the loaded-module list, and the names msvcrt.dll, LoadLibraryA, GetProcAddress, VirtualAlloc and CreateProcessA XOR-encoded with the single byte 0x97. Together these describe a payload that resolves its imports at run time without an import table, allocates memory and launches a process. The heuristics identify the payload carrier but not the specific parser bug used to reach it.

Heuristics (8)

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 8 occurrences of 5 distinct Windows library/API names XOR-encoded with the single-byte key 0x97: 'msvcrt.dll' (x2), 'LoadLibraryA' (x2), 'GetProcAddress' (x2), 'VirtualAlloc', 'CreateProcessA'. LoadLibraryA plus GetProcAddress is the minimal pair an import-free payload needs to resolve everything else; VirtualAlloc and CreateProcessA point to a stage that unpacks into fresh memory and spawns a process.
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    x86 code reads the PEB pointer from the TEB at FS:[0x30]. This is the first step of import-free shellcode that walks the loaded-module list (PEB_LDR_DATA) to locate kernel32 and resolve APIs by name, and it matches the XOR-encoded API names found in the same file.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 264,704 bytes but its declared streams total only 79,383 bytes — 185,321 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x61 bytes (popad), a single-byte x86 instruction that can be executed repeatedly without faulting, so a run of it serves the same landing-pad role as a 0x90 sled while evading plain 0x90 matching.
  • OLE-wrapped Microsoft Write document (Write for Windows 95) info WRI_OLE_WRAPPED
    File is a Write-for-Windows-95 document — an OLE compound document carrying Write streams. Embedded objects (Equation Editor, OLE Package) inside this container exercise the same exploit surface as classic Office documents.
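The three shellcode heuristics above (XOR-encoded API names, 0x90 and NOP-equivalent sleds, FS:[0x30] PEB access) are simple enough to re-implement for independent triage of a carved region. The script below is an added example, not the scanner that produced this report; the API-name list and the instruction encodings it matches are its own assumptions, and `build_sample()` constructs a synthetic byte buffer rather than using bytes from the real file.

```python
"""Re-implementation of the SC_XOR_ENCODED, SC_NOP_SLED, SC_NOP_EQUIV_SLED and
SC_PEB_ACCESS heuristics over raw bytes (added example, not the report's tooling)."""
import re

# Library/API names an API-resolver payload must spell out somewhere.
# Assumed list: chosen to cover the names this report recovered plus common extras.
API_NAMES = [b"kernel32.dll", b"msvcrt.dll", b"LoadLibraryA", b"GetProcAddress",
             b"VirtualAlloc", b"CreateProcessA", b"WinExec", b"ExitProcess"]
API_NAME_RE = re.compile(b"|".join(re.escape(n) for n in API_NAMES))

# x86 reads of the PEB pointer held in the TEB at FS:[0x30]:
#   64 A1 30 00 00 00       mov eax, fs:[0x30]
#   64 8B /r 30 00 00 00    mov ecx/edx/ebx/ebp/esi/edi, fs:[0x30]
#   64 8B 4x 30             mov eax, fs:[r32+0x30]  (r32 zeroed just before)
PEB_ACCESS_RE = re.compile(
    rb"\x64(?:\xA1|\x8B[\x0D\x15\x1D\x2D\x35\x3D])\x30\x00\x00\x00"
    rb"|\x64\x8B[\x40-\x43\x45-\x47]\x30")

NOP_SLED_RE = re.compile(rb"\x90{20,}")
# Single-byte instructions that execute harmlessly when landed on mid-run:
# popad (0x61) and inc/dec r32 (0x40-0x4F). Plain 0x90 runs are reported separately.
NOP_EQUIV_SLED_RE = re.compile(rb"[\x40-\x4F\x61]{20,}")


def find_xor_encoded_api_names(buf: bytes, min_hits: int = 2) -> dict:
    """Try every single-byte XOR key and return {key: [(offset, name), ...]} for
    keys that decode at least `min_hits` known names. Key 0 means plaintext."""
    hits = {}
    for key in range(256):
        table = bytes(b ^ key for b in range(256))   # one translate pass per key
        decoded = buf.translate(table)
        found = [(m.start(), m.group()) for m in API_NAME_RE.finditer(decoded)]
        if len(found) >= min_hits:
            hits[key] = found
    return hits


def find_sleds(buf: bytes) -> list:
    """Return (kind, offset, length) for 0x90 sleds and NOP-equivalent sleds."""
    out = [("nop_sled", m.start(), len(m.group())) for m in NOP_SLED_RE.finditer(buf)]
    out += [("nop_equiv_sled", m.start(), len(m.group()))
            for m in NOP_EQUIV_SLED_RE.finditer(buf)]
    return sorted(out, key=lambda t: t[1])


def find_peb_access(buf: bytes) -> list:
    """Return offsets of x86 instructions that read the PEB pointer via FS."""
    return [m.start() for m in PEB_ACCESS_RE.finditer(buf)]


def triage(buf: bytes) -> dict:
    """Run all three heuristics over a buffer (e.g. a carved slack region)."""
    return {"xor_api_names": find_xor_encoded_api_names(buf),
            "sleds": find_sleds(buf),
            "peb_access": find_peb_access(buf)}


def build_sample() -> bytes:
    """Constructed test buffer: filler, a 0x90 sled, one FS:[0x30] read, API names
    XOR-encoded with key 0x97, then a popad sled. Synthetic, not the real file."""
    names = b"\x00".join([b"msvcrt.dll", b"LoadLibraryA",
                          b"GetProcAddress", b"VirtualAlloc", b"CreateProcessA"])
    encoded = bytes(b ^ 0x97 for b in names)
    filler = bytes(range(256)) * 2
    return (filler + b"\x90" * 24 + bytes.fromhex("64A130000000")
            + encoded + b"\x61" * 32 + filler)


if __name__ == "__main__":
    for kind, items in triage(build_sample()).items():
        print(kind, items)
```

Run against a real carve, feed `triage()` the bytes of the unallocated region rather than the whole file: the declared streams are where false positives from legitimate content come from, and the slack is where the report says the payload lives.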

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_off00000000.ole
SHA-256:  01669898adfebbf74f9be37d60e70b54931913c09bfa91aa24030940d17215b2
Kind:     embedded-office
Source:   Embedded OLE/CFB Office body inside wri container at offset 0x0
Size:     264,704 bytes

Note that the carved artifact starts at offset 0x0, has the same size as the sample and the same SHA-256. The "embedded" document is the container itself, so EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE reflects the same bytes re-scanned by the Office path, not a second document nested inside the first.