MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1204.002 Malicious File
The sample exhibits high-confidence heuristics indicating the use of WinExec, CreateProcess, and ShellExecute APIs, strongly suggesting an attempt to execute arbitrary code. The presence of XOR-encoded strings and a large slack space anomaly further supports malicious intent. The extracted path 'c:\winmsio.exe' is likely the dropped payload or a component of the execution chain.
Heuristics 5
-
XOR-encoded strings (key 0xCE) critical SC_XOR_ENCODEDFound 5 Windows library/API name(s) XOR-encoded with single-byte key 0xCE: 'CreateProcessA', 'CreateFileA�', 'OpenProcess�', 'RegOpenKeyExA', 'ShellExecuteA'
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 103,724 bytes but its declared streams total only 16,486 bytes — 87,238 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.