MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1204.002 Malicious File
The sample exhibits high-confidence heuristics for WinExec, CreateProcess, and ShellExecute API calls, indicating an attempt to execute external code. The presence of XOR-encoded strings and a large slack space anomaly suggests obfuscation and potential payload concealment. The extracted path 'c:\winmsio.exe' is likely the dropped or executed payload, pointing to a downloader or dropper attack pattern.
Heuristics 5
-
XOR-encoded strings (key 0xCE) critical SC_XOR_ENCODEDFound 7 Windows library/API name(s) XOR-encoded with single-byte key 0xCE: 'CreateProcessA', 'CreateFileA�', 'CreateFileA�', 'OpenProcess�', 'RegOpenKeyExA', 'ShellExecuteA', 'ShellExecuteA'
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 400,684 bytes but its declared streams total only 16,486 bytes — 384,198 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.