Verdict: MALICIOUS
Risk Score: 140
Heuristics: 3
- XOR-encoded strings (key 0x95) [severity: critical, rule: SC_XOR_ENCODED]
  Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'kernel32.dll', 'LoadLibraryA', 'LoadLibraryW', 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect'.
  Disassembly hidden: these bytes score as degenerate, not coherent x86 code (the single mnemonic 'add' accounts for 79% of instructions, which indicates a sled or padding/filler run, not program logic).
- NOP sled detected [severity: high, rule: SC_NOP_SLED]
  Found 20+ consecutive 0x90 bytes.
Disassembly
x86 disassembly, validity: uncertain (0.568); 5/7 branch targets land on an instruction boundary (71% coherence)

00001900 90             nop
00001901 90             nop
00001902 90             nop
00001903 90             nop
00001904 90             nop
00001905 90             nop
00001906 90             nop
00001907 90             nop
00001908 90             nop
00001909 90             nop
0000190A 90             nop
0000190B 90             nop
0000190C 90             nop
0000190D 90             nop
0000190E 90             nop
0000190F 90             nop
00001910 90             nop
00001911 90             nop
00001912 90             nop
00001913 90             nop
00001914 90             nop
00001915 90             nop
00001916 90             nop
00001917 90             nop
00001918 90             nop
00001919 90             nop
0000191A 90             nop
0000191B 90             nop
0000191C 90             nop
0000191D 90             nop
0000191E 90             nop
0000191F 90             nop
00001920 57             push edi
00001921 5b             pop ebx
00001922 81ebf0150000   sub ebx, 0x15f0
00001928 8bd3           mov edx, ebx
0000192A 4a             dec edx
0000192B 33c9           xor ecx, ecx
0000192D b9a7030000     mov ecx, 0x3a7
00001932 80340ab0       xor byte ptr [edx + ecx], 0xb0
00001936 e2fa           loop 0x1932
00001938 315cb0b1       xor dword ptr [eax + esi*4 - 0x4f], ebx
0000193C b0b0           mov al, 0xb0
0000193E 3b5c3375       cmp ebx, dword ptr [ebx + esi + 0x75]
00001942 b43b           mov ah, 0x3b
00001944 3f             aas
00001945 78b2           js 0x18f9
00001947 b0b0           mov al, 0xb0
00001949 39fd           cmp ebp, edi
0000194B e83b3f08b2     call 0xb208588b
00001950 b0b0           mov al, 0xb0
00001952 39fd           cmp ebp, edi
00001954 e431           in al, 0x31
00001956 7768           ja 0x19c0
00001958 b1b0           mov cl, 0xb0
0000195A b03b           mov al, 0x3b
0000195C 7f39           jg 0x1997
0000195E 3d             .byte 0x3d
0000195F 30             .byte 0x30
- OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
  OLE file is 541,696 bytes but its declared streams total only 16,486 bytes; 525,210 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).