Office (OLE) / .WRI malware analysis — malicious · 21dbb5b6a7e2facb

MALICIOUS

Office (OLE) / .WRI

179.4 KB Created: 2008-10-09 03:10:00 Authoring application: Microsoft Word 9.0

MD5: a056b3e2c51502ca79c9e0f7af00af5f SHA-1: ea90f8b94a226fbc28f3ba700150c79d74df1129 SHA-256: 21dbb5b6a7e2facbb38f4a9e0790507f2aa8eb2d9a4cda644903be740a5cfff0

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1204.002 Malicious File

The sample exhibits multiple heuristic firings indicative of a malicious Office document, including NOP sleds and XOR-encoded strings. The OLE slack anomaly suggests the presence of hidden or obfuscated content. While no specific exploit is identified, the combination of NOP sleds and encoding points towards an attempt to execute arbitrary code, likely for payload delivery. No document body text was available for further analysis.

Heuristics 4

XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'KERNEL32.DLL', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'VirtualProtect'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 183,675 bytes but its declared streams total only 79,383 bytes — 104,292 bytes (57%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x61 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.