Office (OLE) / .WRI malware analysis — malicious · dd094a8fdb60e9e2

MALICIOUS

Office (OLE) / .WRI

258.5 KB Created: 2008-10-09 03:10:00 Authoring application: Microsoft Word 9.0

MD5: e0a4afb90404049c4e0e0d24ba53c9ea SHA-1: 955ea6c827bc4e89b36bcf6b2071fe8d6c67a107 SHA-256: dd094a8fdb60e9e2560f57e3b3310daaa37b2ba6523082c93e65958d8b787dbc

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1027 Obfuscated Files or Information

The sample exhibits multiple high-severity heuristic firings, including NOP sleds, PEB access, and XOR-encoded strings, indicating a packed or obfuscated executable payload. The OLE slack anomaly suggests potential data hiding or padding. While no specific exploit is identified, the combination of obfuscation and sleds points to an attempt to execute arbitrary code, likely for downloading further malware. The document body content is benign, suggesting it serves as a lure.

Heuristics 5

XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED

Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'ShellExecuteA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 264,704 bytes but its declared streams total only 79,383 bytes — 185,321 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x61 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.