Office (OLE) / .WRI malware analysis — malicious · 96cf41f7df10d65e

MALICIOUS

Office (OLE) / .WRI

258.5 KB Created: 2008-10-09 03:10:00 Authoring application: Microsoft Word 9.0

MD5: d86a5ab093ca13e53d8d374f8ba854ae SHA-1: 8de94b69bd0283b0dcfd82504b8baf5008651e2d SHA-256: 96cf41f7df10d65e88968241a14177abc23cebba44c87a2b40b0c57989d55eb7

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The sample exhibits multiple high-severity heuristic firings including NOP sleds, PEB access, and XOR-encoded strings, indicating a likely exploit attempt. The large slack space in the OLE structure is also anomalous. While the document body discusses a licensing agreement, the technical indicators strongly suggest it's a lure for a malicious payload. The XOR encoding with key 0x97 at offset 0x24CA4 is a primary indicator of obfuscated malicious code.

Heuristics 5

XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'msvcrt.dll', 'msvcrt.dll', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 264,704 bytes but its declared streams total only 79,383 bytes — 185,321 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x61 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.