Office (OLE) / .WRI malware analysis — malicious · 1f84998a9ceb0bee

MALICIOUS

Office (OLE) / .WRI

154.0 KB Created: 2008-10-09 03:10:00 Authoring application: Microsoft Word 9.0

MD5: 32ce11400cc1ba489fdb0420b2c67b8c SHA-1: 9175e140939ddf92529a31a919bce4089bd5ea44 SHA-256: 1f84998a9ceb0beee07ea75eebd08763184f331e6ee5edd76c40b43d661e6b4b

200 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information T1055 Process Injection

The sample exhibits multiple high-severity heuristic firings, including NOP sleds, PEB access, and XOR-encoded strings, indicating a malicious payload. The large slack space in the OLE structure is also anomalous. While the document body appears to be a legitimate agreement, the underlying heuristics strongly suggest an attempt to exploit vulnerabilities and execute obfuscated code.

Heuristics 5

XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'kernel32.dll', 'advapi32.dll', 'shell32.dll', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 157,696 bytes but its declared streams total only 79,383 bytes — 78,313 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x61 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.