Malicious Office (OLE) / .WRI — malware analysis report

Static analysis result for SHA-256 22099aaa8a250d26…

MALICIOUS

Office (OLE) / .WRI

Size: 190.4 KB
Created: 2008-12-29 14:33:00
Authoring application: Microsoft Office Word
MD5: d110aa3ff93537115ddeae7ec5147422
SHA-1: 76e82a937b920f46b5c1c9ec1f11e93713f6c718
SHA-256: 22099aaa8a250d2612a67a42022a139014fb3be00c82be30ebee5b4c7fcd5c5f
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The sample exhibits several high-severity heuristic firings including a NOP sled, PEB access, and an API hash resolver, all indicative of shellcode execution. The presence of XOR-encoded strings with a key of 0x94 further suggests obfuscation to hide malicious payloads. The large slack space in the OLE document is also anomalous. While no specific family is identified, these indicators point towards a downloader or dropper attempting to execute arbitrary code.

Heuristics (6)

  • XOR-encoded strings (key 0x94) [critical, SC_XOR_ENCODED]
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x94: 'shell32.dll'
  • NOP sled detected [high, SC_NOP_SLED]
    Found 20+ consecutive 0x90 bytes
  • x86 GetPC stub (CALL $+5; POP EBX) [high, SC_GETPC_CALL]
  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
  • PEB API-hash resolver [high, SC_API_HASH_RESOLVER]
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 194,936 bytes but its declared streams total only 47,238 bytes; 147,698 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).